DSG Retail v ICO Broadens the Security Duty: Serious DLP Required
The English Court of Appeal confirms a broadened security duty: anticipate jigsaw identification. Here is how ISO 27001‑aligned DLP meets GDPR Article 32.
Summary. On 19 February 2026, the Court of Appeal of England and Wales (DSG Retail v ICO, [2026] EWCA Civ 140) confirmed a broad reading of the security duty: controllers must protect against “jigsaw identification.” Here is how ISO 27001‑aligned DLP delivers on GDPR Article 32. Sources: the judgment and press coverage. ([judiciary.uk](https://www.judiciary.uk/wp-content/uploads/2026/02/ICO-v-DSG-2026-EWCA-Civ-140-FINAL-for-hand-down.pdf?utm_source=openai))([computerweekly.com](https://www.computerweekly.com/news/366639299/ICO-wins-appeal-over-data-protection-obligations-in-Currys-cyber-attack?utm_source=openai))
The facts
Who, what, when. On 19 February 2026, the UK Court of Appeal sided with the regulator (ICO) against DSG Retail (parent of several electronics brands) regarding a 2018 cyberattack. Judgment [2026] EWCA Civ 140 restores a stringent view of the security duty: even if attackers cannot immediately identify individuals, controllers must anticipate the risk of jigsaw identification by cross‑referencing other sources. The Court also noted the commonplace technical failings cited by the ICO (segmentation, patching, firewalls, regular testing). Sources: the official judgment page and specialist press. ([judiciary.uk](https://www.judiciary.uk/judgments/dsg-retail-limited-v-the-information-commissioner/?utm_source=openai))([computerweekly.com](https://www.computerweekly.com/news/366639299/ICO-wins-appeal-over-data-protection-obligations-in-Currys-cyber-attack?utm_source=openai))
Why this matters. Although this is a UK case, its reasoning aligns with the EU approach: the security duty stems from the controller–data subject relationship, not from the level of identification a third party may actually achieve. For leadership in Luxembourg, Belgium, France and Germany, the operational message is clear: preventing exfiltration and monitoring data egress is now a measurable compliance expectation, not a nice‑to‑have. Analysis: ([thelawyer.com](https://www.thelawyer.com/briefing/court-confirms-broad-data-security-duty-controllers-must-protect-against-third-party-jigsaw-identification/?utm_source=openai)). To align your controls with Article 32 GDPR, DLP is a key lever.
The applicable legal framework
GDPR — Article 32 (security of processing). Controllers and processors must implement appropriate technical and organisational measures, considering the state of the art, cost and risk, including — as appropriate — encryption, availability/resilience, restoration, and regular testing. Official text: EUR‑Lex. ([eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=EN&utm_source=openai))
Implication of DSG Retail for interpretation: in risk assessment (Art. 32(2)), include the scenario of indirect re‑identification through aggregation (leaked fragments, metadata, access logs, exported files), and evidence effective egress controls. In practice: explicit policies, traceability, and exfiltration prevention capabilities (block/alert) consistent with the “state of the art” and audited. Judgment. ([judiciary.uk](https://www.judiciary.uk/wp-content/uploads/2026/02/ICO-v-DSG-2026-EWCA-Civ-140-FINAL-for-hand-down.pdf?utm_source=openai))
The technical solution to deploy
End‑to‑end DLP (Data Loss/Leak Prevention). DLP aims to prevent, detect, and justify unauthorised data movement across endpoints, network, cloud, and email. Concretely:
- Data discovery and classification (templates, dictionaries, EDM/fingerprinting) to know what to protect.
- Content‑ and context‑aware policies (rules per data type and channel: email, web, SaaS, USB, print), with quarantine, automatic encryption, or blocking.
- Outbound channel monitoring (endpoint, email/web gateways, CASB APIs) and transfer controls to public clouds, link sharing, Git repositories, messengers.
- Telemetry and forensics to prove “who tried what, when, with which data,” and to feed SIEM/XDR.
Reference alignments: ISO/IEC 27001:2022 Annex A.8.12 — Data leakage prevention; ISO/IEC 27002:2022 8.12 (guidance); NIST CSF 2.0 (PR.DS); CIS Controls v8 (Control 3 “Data Protection”). Refs: ISO 27002 8.12, 2017→2022 mapping. ([isms.online](https://www.isms.online/iso-27002/control-8-12-data-leakage-prevention/?utm_source=openai))([nqa.com](https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-27002-Mapping.pdf?utm_source=openai))
Why DLP addresses DSG Retail + Art. 32. The judgment entrenches the obligation to guard against the assembly of leaked fragments. Well‑tuned DLP reduces the exfiltration surface (CSV files, CRM exports, screenshots, attachments) and documents blocked attempts — key elements to demonstrate “appropriate measures” relative to risk. Judgment. ([judiciary.uk](https://www.judiciary.uk/wp-content/uploads/2026/02/ICO-v-DSG-2026-EWCA-Civ-140-FINAL-for-hand-down.pdf?utm_source=openai))
How Luxgap deploys this
- Our ISO 27001 governance. We frame the programme with “Data Protection” and “Data Egress” policies, a risk analysis (processes, channels, data types), control selection (A.8.12 data leakage prevention, A.8.24 encryption) and “effectiveness” criteria (justified block rate, false positives, channel coverage), backed by internal audit and quarterly reviews. To accelerate compliance, our team supports ISO 27001 certification.
- Our 24/7 managed SOC. DLP events (endpoint, gateways, CASB) are integrated into the SIEM, correlated with IAM/EDR, alerting on mass sends, suspicious encrypted exfil, and public shares. Response playbooks: host quarantine, SaaS token revocation, and GDPR notification support if needed. Learn more about our managed SOC.
- Our outsourced DPO and CISO consultants. Legal‑technical alignment: flow registers, transfer legal bases, contractual clauses, and evidence of Art. 32 proportionality (efficacy reports, justified exceptions, regular testing).
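The SOC correlation described in the managed‑SOC bullet above (mass sends, suspicious encrypted exfil, public shares, each mapped to a response playbook) can be illustrated with a small detection run over DLP events. The following is an added example, not Luxgap's SIEM content or any product's rule set: the JSON event lines, their field names, the thresholds and the playbook texts are all constructed for this illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed DLP, CASB and endpoint events in JSON-lines form. The field names are an
# assumption for this example, not the schema of any particular product or SIEM.
SAMPLE_EVENTS = """\
{"ts":"2026-03-02T09:00:00Z","src":"email-gw","user":"j.doe","external":true,"sensitive_hits":1,"bytes":20480}
{"ts":"2026-03-02T09:01:00Z","src":"email-gw","user":"j.doe","external":true,"sensitive_hits":2,"bytes":31000}
{"ts":"2026-03-02T09:02:00Z","src":"email-gw","user":"j.doe","external":true,"sensitive_hits":1,"bytes":18200}
{"ts":"2026-03-02T09:03:00Z","src":"email-gw","user":"j.doe","external":true,"sensitive_hits":1,"bytes":22000}
{"ts":"2026-03-02T09:04:00Z","src":"email-gw","user":"j.doe","external":true,"sensitive_hits":3,"bytes":40960}
{"ts":"2026-03-02T09:05:00Z","src":"email-gw","user":"a.lee","external":true,"sensitive_hits":1,"bytes":9000}
{"ts":"2026-03-02T09:06:00Z","src":"casb","user":"a.lee","action":"public_share","object":"q4-customers.xlsx","sensitive_hits":40}
{"ts":"2026-03-02T09:30:00Z","src":"endpoint","user":"j.doe","external":true,"encrypted_archive":true,"bytes":262144000,"destination":"files.example.net"}
"""

MASS_SEND_THRESHOLD = 5                        # sensitive external emails per user per window (assumed)
MASS_SEND_WINDOW = timedelta(minutes=10)
ENCRYPTED_EGRESS_BYTES = 100 * 1024 * 1024     # encrypted archives above this size are suspicious (assumed)

# Response playbooks from the page, keyed by detection rule (wording constructed).
PLAYBOOK = {
    "mass_send": "quarantine host; hold outbound mail; assess GDPR notification duty",
    "public_share": "revoke SaaS token; remove public link; review file classification",
    "encrypted_egress": "quarantine host; collect endpoint forensics",
}


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into dicts with a timezone-aware timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _alert(rule: str, ev: dict, evidence: str) -> dict:
    return {"rule": rule, "user": ev["user"], "ts": ev["ts"].isoformat(),
            "evidence": evidence, "playbook": PLAYBOOK[rule]}


def run_detections(events: List[dict]) -> List[dict]:
    """Correlate DLP events per user and emit alerts carrying the playbook action to run."""
    alerts: List[dict] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # sliding window per user

    for ev in events:
        # Mass sends: many external emails with sensitive content from one user in a short window.
        if ev["src"] == "email-gw" and ev.get("external") and ev.get("sensitive_hits", 0) > 0:
            window = recent[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > MASS_SEND_WINDOW:
                window.popleft()
            if len(window) >= MASS_SEND_THRESHOLD:
                alerts.append(_alert("mass_send", ev,
                              f"{len(window)} sensitive external emails within {MASS_SEND_WINDOW}"))
                window.clear()                 # one alert per burst, not one per further email

        # Public shares of classified content reported by the CASB API.
        elif ev["src"] == "casb" and ev.get("action") == "public_share" and ev.get("sensitive_hits", 0) > 0:
            alerts.append(_alert("public_share", ev,
                          f"{ev.get('object')} shared publicly with {ev['sensitive_hits']} sensitive hits"))

        # Suspicious encrypted exfil: a large encrypted archive leaving via the endpoint.
        elif (ev["src"] == "endpoint" and ev.get("encrypted_archive") and ev.get("external")
              and ev.get("bytes", 0) >= ENCRYPTED_EGRESS_BYTES):
            alerts.append(_alert("encrypted_egress", ev,
                          f"{ev['bytes'] // (1024 * 1024)} MiB encrypted archive to {ev.get('destination')}"))
    return alerts


if __name__ == "__main__":
    for a in run_detections(parse_events(SAMPLE_EVENTS)):
        print(a["ts"], a["rule"], a["user"], "->", a["playbook"])
```

The sliding window is cleared once it fires so that a burst produces one ticket rather than one per additional email; the alert carries the evidence string and the playbook step so the SIEM record itself documents "who tried what, when, with which data", which is the Article 32 evidence the page is after.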
Concrete EU/Luxembourg case
A financial‑services firm subject to NIS 2 and the CSSF deployed a “hybrid” DLP stack in six weeks: endpoint agent (Windows/macOS), email gateway with DLP inspection, and CASB API for M365/SharePoint. Results reported to the board: 72% reduction in external sends containing unencrypted IBANs; automatic blocking of bulk CRM exports; correlated logging in the SIEM. Management could evidence its Article 32 security posture, explicitly covering jigsaw re‑identification risk (local copies, exports, public links).
First concrete steps
- Map five sensitive data types (customers, health, HR, payments, IP) and real egress channels (email, SaaS, USB, web, Git repos, messengers).
- Set 10 “minimum” DLP rules (e.g., IBAN + name → encrypt or block externally; exports > 1,000 rows → alert + approval).
- Enable logging and SIEM export of DLP events and SaaS logs to prove effectiveness (Art. 32(1)(d)).
- Run monthly “jigsaw” tests: attempt re‑identification from partial exports and metadata; tune rules.
- Train business teams (sales, HR, finance) on DLP indicators, documented exceptions, and secure alternatives (vault, encryption, restricted links).
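To make the content‑ and context‑aware policy model from the "End‑to‑end DLP" section and the two sample "minimum" rules above concrete (IBAN + name to an external destination → encrypt or block; export > 1,000 rows → alert + approval), here is an added example of a small policy evaluator. It is illustrative code written for this page, not the configuration of any DLP product: the internal domain, the name dictionary, the channel names and the sample IBAN are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# Constructed parameters; a real deployment takes these from the DLP policy store.
INTERNAL_DOMAIN = "example.lu"                      # assumption: the organisation's own domain
NAME_DICTIONARY = {"alice martin", "bob schmitt"}   # stand-in for a DLP name dictionary (constructed)
BULK_EXPORT_ROWS = 1000                             # the page's "exports > 1,000 rows" threshold

# IBAN candidate: country code, two check digits, then 4-character groups, optionally space-separated.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


@dataclass
class EgressEvent:
    user: str
    channel: str        # "email", "web", "usb", "saas", "git", "messenger"
    destination: str    # recipient domain, upload host, device id, repository host
    content: str        # text the DLP engine inspected (body, attachment extract, export)
    row_count: int = 0  # number of rows for tabular exports


@dataclass
class Decision:
    action: str                                  # "allow", "alert", "encrypt" or "block"
    reasons: List[str] = field(default_factory=list)
    ibans_found: int = 0


def iban_is_valid(candidate: str) -> bool:
    """ISO 7064 mod-97 check, so that random digit strings do not trigger the rule."""
    s = candidate.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]                                # country code and check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


def find_ibans(text: str) -> List[str]:
    """Return checksum-valid IBANs found in the text, spaces removed."""
    return [c.replace(" ", "") for c in IBAN_RE.findall(text) if iban_is_valid(c)]


def find_names(text: str) -> List[str]:
    lowered = text.lower()
    return sorted(n for n in NAME_DICTIONARY if n in lowered)


def is_external(event: EgressEvent) -> bool:
    dest = event.destination.lower()
    return not (dest == INTERNAL_DOMAIN or dest.endswith("." + INTERNAL_DOMAIN))


def evaluate(event: EgressEvent) -> Decision:
    """Apply the two 'minimum' rules from the page: IBAN + name externally, and bulk exports."""
    decision = Decision(action="allow")
    ibans = find_ibans(event.content)
    names = find_names(event.content)
    decision.ibans_found = len(ibans)

    # Rule 1: an IBAN together with a named data subject leaving the organisation.
    if ibans and names and is_external(event):
        decision.reasons.append(
            f"{len(ibans)} valid IBAN(s) with {len(names)} dictionary name match(es) to external {event.channel}")
        # Email can be forced through encryption; other channels are blocked outright.
        decision.action = "encrypt" if event.channel == "email" else "block"

    # Rule 2: bulk exports need an alert and approval, whatever the destination.
    if event.row_count > BULK_EXPORT_ROWS:
        decision.reasons.append(f"export of {event.row_count} rows exceeds {BULK_EXPORT_ROWS}")
        if decision.action == "allow":           # an encrypt/block from rule 1 takes precedence
            decision.action = "alert"
    return decision


def audit_record(event: EgressEvent, decision: Decision) -> dict:
    """Telemetry for the SIEM: who tried what, when, with which data, without copying the data itself."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": event.user,
        "channel": event.channel,
        "destination": event.destination,
        "action": decision.action,
        "reasons": decision.reasons,
        "iban_count": decision.ibans_found,
        "content_sha256": hashlib.sha256(event.content.encode()).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample; the IBAN is a widely published Luxembourg example value, not a real account.
    mail = EgressEvent("j.doe", "email", "gmail.com",
                       "Please pay Alice Martin at LU28 0019 4006 4475 0000 before Friday.")
    decision = evaluate(mail)
    print(decision.action, decision.reasons)
    print(audit_record(mail, decision))
```

Two design points matter for the "effectiveness" criteria the page lists (justified block rate, false positives): the mod‑97 checksum keeps arbitrary 20‑character strings from counting as IBANs, and the audit record stores a hash of the inspected content rather than the content, so the evidence trail itself does not become a second copy of the personal data.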
Official sources
- Court of Appeal (UK), DSG Retail v ICO, [2026] EWCA Civ 140 (19/02/2026). ([judiciary.uk](https://www.judiciary.uk/wp-content/uploads/2026/02/ICO-v-DSG-2026-EWCA-Civ-140-FINAL-for-hand-down.pdf?utm_source=openai))
- Computer Weekly — ICO wins appeal over data protection obligations in Currys cyber attack. ([computerweekly.com](https://www.computerweekly.com/news/366639299/ICO-wins-appeal-over-data-protection-obligations-in-Currys-cyber-attack?utm_source=openai))
- GDPR — Article 32 (EUR‑Lex, official text). ([eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=EN&utm_source=openai))
- ISO/IEC 27002:2022 — Control 8.12 “Data leakage prevention” (summary). ([isms.online](https://www.isms.online/iso-27002/control-8-12-data-leakage-prevention/?utm_source=openai))
- NQA — Mapping ISO 27002:2017 → 2022 (creation of control 8.12). ([nqa.com](https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-27002-Mapping.pdf?utm_source=openai))