
Court of Appeal confirms scope of data controllers’ security obligations

20 April 2026

In a recent decision, the Court of Appeal allowed the UK Information Commissioner's appeal against the decision of the Upper Tribunal in proceedings involving DSG Retail Limited ("DSG"). The case arose from a nine-month cyber-attack in 2017-2018 on DSG’s systems, during which the attackers scraped from point-of-sale terminals transaction data relating to over 5.6 million payment cards. The compromised data included card numbers and expiry dates, but not cardholders' names, meaning the attackers could not directly identify individuals from the data alone.
 
The central issue was whether a data controller's obligation to implement appropriate technical and organisational measures ("ATOMs") under the Data Protection Act 1998 is assessed by reference to whether the data is personal data in the hands of the controller, even where the same data, taken in isolation, might not constitute personal data once obtained by a third-party attacker.
 
The Court of Appeal rejected the Upper Tribunal's narrow interpretation. It held that the security duty applies based on whether the data is personal from the perspective of the data controller, not on whether it would remain personal data after being acquired by third parties.
 
Why this matters
 
This judgment provides an important reaffirmation of data security obligations for organisations processing personal data. It confirms that all personal data held by a controller is subject to the ATOMs requirement, irrespective of whether a particular dataset might appear to be non-identifiable. 
 
Crucially, the court acknowledges modern realities. With vast amounts of publicly accessible information, sophisticated technology, and the enhanced ability to combine disparate data sets, "jigsaw" identification is far more feasible than in the past. 
 
The ruling clarifies that security duties are assessed from the data controller's perspective and that risk is allocated firmly to organisations holding personal data. Robust security measures must therefore be implemented and maintained without relying on assumptions about the practical utility of stolen data once it leaves a data controller’s systems. 
 
Key takeaways
 
  • Organisations must assess their security obligations by reference to whether data is personal in their hands, not by whether it would remain personal data if obtained by third parties. 
     
  • Controllers cannot avoid security obligations by arguing that breached data fragments would be meaningless or anonymous to attackers lacking additional identifying information.
     
  • Courts recognise that modern technology and widely available data increase the risk of re-identification, requiring thorough and realistic risk assessments.
     
  • The case involved an original £500,000 monetary penalty, issued by the UK Information Commissioner’s Office under the Data Protection Act 1998, which was reduced by the First-tier Tribunal to £250,000. Following the Court of Appeal’s judgment on the scope of the security duty, the case has been remitted to the First-tier Tribunal to reconsider liability and penalty under the correct legal framework. Its outcome may provide further guidance on what constitutes "appropriate" technical and organisational measures in practice.

Although the underlying breach pre-dated the GDPR and was assessed under the Data Protection Act 1998, the Court of Appeal’s reasoning has clear relevance under the current regime. The obligation to implement ATOMs under Article 32 of the GDPR closely mirrors the former seventh data protection principle. The judgment therefore provides authoritative guidance on how courts are likely to assess security obligations, identifiability and re-identification risk under the GDPR going forward.
 

Further information 

If you have any questions regarding this blog, please contact our Corporate, Commercial & Finance team.

About the author

 Christopher Perrin is a highly experienced solicitor who leads the Corporate, Commercial and Finance team’s general Commercial & Technology Contracts, Outsourcing & Data legal advisory services.

Bethany is a trainee solicitor currently in her fourth seat with the Corporate, Commercial and Finance team.
