The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

DSG does not stand for Data Security Good

29 July 2022

Loyal readers will recall Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), in which a broadly pleaded damages claim arising from third-party hacking of DSG’s systems to obtain financial data was thoroughly filleted by Saini J. The only surviving cause of action was under the Data Protection Act 1998, in relation to the requirement under the seventh data protection principle (DPP7) to have appropriate technical and organisational measures in place to protect personal data. That element of the claim was stayed pending DSG’s appeal against the Information Commissioner’s finding of breach and imposition of a monetary penalty notice in the (then) maximum sum of £500,000.

In DSG Retail Ltd v IC (EA/2020/0048, 6 July 2022), the First-tier Tribunal has now ruled on that appeal, overturning the IC’s MPN as ‘wrong in law’ but imposing a penalty of £250,000 instead. There is nothing particularly legally novel in the decision, although it helpfully summarises the case law and approach to DPP7 breaches and challenges to MPNs. The FTT applied a ‘holistic approach […] to DPP7 compliance’, allowing ‘a degree of permissiveness in the exercise of judgement’, and declined to treat post-attack remedial actions as indicative of earlier breach of DPP7. On the facts, out of the ten breaches relied on by the ICO initially, the FTT found just two proved, in relation to a failure to maintain up-to-date security patches and issues with DSG’s password policy. Those issues had been flagged to DSG’s senior management but not rectified.

Given the nature and volume of personal data put at risk, the FTT imposed a substantial albeit significantly reduced penalty. But since the number of affected individuals runs into at least tens of thousands, this finding of breach is probably worse for DSG’s finances than it looks: even a fairly small number of low-value data breach claims could mean at least as much again payable in damages and costs. While DSG won round 1 against Mr Warren at this time last year, he may yet have the last laugh.

Further reading:

DSG Retail Ltd v Information Commissioner: https://www.bailii.org/uk/cases/UKFTT/GRC/2022/2020_0048.pdf


Authors

Aaron Moss

Call 2013

John Goss

Call 2015

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.
