Service: Payment Processors 25%, Acquiring 15%
Specialism: Data Protection 92%, Cybersecurity 75%
2026-02-20 10:47:50 · csoo@vixio.com
ID: 2889844
GUID: 63fce549d7d439375e98b65f47654744

Classification

Service
Payment Processors (25%)

This is a data protection and cybersecurity enforcement case unrelated to payment services, products, or infrastructure.

Acquiring (15%)

While DSG Retail may process payments as a retailer, this update concerns general data security obligations under data protection law, not payment-specific processing rules or oversight.

Specialism
Data Protection (92%)

The Court of Appeal judgment directly addresses organisations' legal obligations to implement appropriate security measures to protect personal data under data protection law, which is core Data Protection regulation.

Cybersecurity (75%)

The case involves a cyber attack and security breach affecting 14 million people's personal data, making cybersecurity a relevant secondary consideration, though the primary focus is data protection obligations.

TITLE: United Kingdom's Information Commissioner's Office Wins Court of Appeal Case Against DSG Retail on Data Security Obligations

BODY:

On February 19, 2026, the Information Commissioner's Office (ICO), the United Kingdom's independent regulator for information rights, welcomed the Court of Appeal's (CoA) ruling in its appeal against DSG Retail Limited (DSG). The CoA judgment reinstated the ICO's interpretation of organisations' legal responsibility to keep personal data secure.

In 2020, the ICO fined DSG £500,000 following a cyber attack that affected the personal data of at least 14 million people. DSG subsequently appealed the decision to the First-tier Tribunal (FTT) and Upper Tribunal (UT). The ICO appealed to the CoA in 2024 to seek clarification on a critical point of data protection law.

The CoA judgment confirms that DSG was required to implement appropriate security measures to protect personal data from unauthorised access, regardless of whether individuals could be identified from the data exfiltrated by hackers. This ruling clarifies that organisations must protect all personal data they process, even if hackers cannot identify people individually from stolen datasets, as cyber attacks can still cause real harm.

Binnie Goh, ICO General Counsel, stated the judgment strengthens the ICO's ability to take robust enforcement action and sends a clear message to organisations about their protective duty to safeguard personal data.

Although rooted in the Data Protection Act 1998, the legal interpretation of the security duty by the CoA provides important guidance for similar requirements under the current data protection regime, including the United Kingdom General Data Protection Regulation (UK GDPR). The case will return to the FTT at a later date to apply this interpretation to the specific facts of the DSG cyber attack.

  • Scraped: 2026-02-20 10:47:50
  • Created: 2026-02-20 10:47:50
  • By: csoo@vixio.com (59)