Security obligations under GDPR still apply, even if data is anonymous in the hands of an attacker

On 19 Feb, the U.K. Court of Appeal handed down its decision in DSG Retail Limited v. The Information Commissioner.

The court held that where a controller processes personal data, the controller can't use the fact that data is anonymous in the hands of a third party, which — unlawfully — accessed the data, to argue that the controller had no obligation to take appropriate measures to keep the data secure in the first place. If the data is personal from the perspective of the controller, then the security principle applies to the controller. The court did not make any finding as to the actual security measures that would be necessary in such a situation. 

The Court of Appeal canvassed relevant U.K. and EU case law in the area, noting that the concept of "personal data" is inherently broad and that cases must shape and mold it to suit particular contexts. This is a useful reminder. Decisions on the meaning of personal data respond to the particular set of facts. It can sometimes be difficult to apply conclusions to other scenarios, and more cases in this area seem inevitable.

The full length article was featured on IAPP and written by Ruth Boardman. You can read it here and get in touch with Ruth if you have any queries.