5 March 2026

When “Non-Identifying” data is personal data:
Why the DSG Court of Appeal ruling matters for SMEs and creative agencies 

On 19 February 2026, the Court of Appeal handed the Information Commissioner’s Office (ICO) a significant victory in DSG Retail Ltd v Information Commissioner by casting a wide net on what counts as “personal data” under UK data protection law. The judgment reaffirms that data does not need to identify a person by itself to be treated as personal data. 

For SMEs and creative agencies, often operating lean teams and handling mixed datasets (client lists, analytics, payment details, campaign data), this case quietly turns up the dial on risk. 

What happened to DSG Retail? 

Let us take you back to 2017/2018, when a cyberattack on DSG Retail (the group behind Currys and PC World) resulted in a large quantity of payment-related data falling into the hackers’ virtual hands. The ICO fined DSG £500,000 for failing to take appropriate security measures to protect personal data. DSG pushed back, claiming that the compromised data was made up of card numbers and expiry dates but not cardholder names. In DSG’s opinion, the hackers couldn’t identify individuals from that data alone, so the stolen data did not count as “personal data” in that context.

The Court of Appeal disagreed. It confirmed that: 

  • It is a question of whether the controller, not the hacker, could identify the person from the data subset;
  • If the controller can identify the individuals from the data it holds, then the dataset is personal data no matter whose hands it ultimately falls into;  
  • Controllers must implement appropriate technical and organisational measures (ATOMs) to protect such data even if a third party couldn’t identify the individual directly from the compromised subset alone.  

Additional lessons learnt from a careful analysis of this case are: 

  • Pseudonymised or partial data is still personal data. Pseudonymisation is a security measure that can be used to protect personal data but it doesn’t change personal data to non-personal data.  
  • The test is “capable of identifying” — not “actually identified”. The question is not has the individual been identified from the data but could the individual be identified, even indirectly, from the data? 

Why does this matter to my business? 

1. More of your data is likely “personal data” than you think

Think about data you frequently use, such as: 

  • last-four-digit card data
  • cookie IDs 
  • device identifiers 
  • truncated emails/usernames 
  • hashed customer references 
  • analytics IDs on platforms like Meta, TikTok, Google 

Even if you treat these internally as “non-personal”, you may be able to link them back to a customer, user, or client, which means they are personal data, and the higher compliance threshold applies.

This expands your GDPR footprint and may catch teams off guard.

2. “We don’t store names with the data” is no longer a safe position 

Many SMEs and agencies use partial or tokenised IDs to reduce perceived risk. The Court is clear: risk is judged from your perspective, not a hacker’s. If you can re-identify the dataset by cross-referencing it with your CRM, finance system, or analytics platform, then the ICO expects you to treat it as personal data.

3. Your security obligations might be greater than you thought 

Marketing, campaign insights, and behavioural analytics often involve identifiers that can be linked back to real individuals. With a broader definition of personal data, such data may require: 

  • stronger access controls 
  • encryption 
  • audit trails 
  • updated retention policies 
  • clearer internal data flows 

SMEs should expect heightened scrutiny in the event of a breach — and so should agencies handling client data as processors. 

4. Data-processing contracts and DPAs should be reviewed and may need updating

A broader definition of personal data means: 

  • more categories of data must be included in DPAs 
  • risk allocation may need revisiting 
  • indemnities and security obligations may need tightening 
  • subcontractor arrangements and MarTech tools must be reassessed 

Creative agencies, in particular, often handle client-owned datasets. Clients may now expect more robust assurances, security measures, and evidence of compliance.

5. Internal training needs updating — especially for small teams

Staff in small agencies often wear multiple hats, which increases the risk of underestimating which data counts as personal. This case is a good reason to run updated internal GDPR refreshers. 

Final thoughts: A quiet but significant shift 

The Court of Appeal has confirmed a principle that many assumed but not all applied consistently: personal data must be interpreted broadly, and controllers cannot downplay the identifiability of data simply because a third party might not know who it relates to.

This court ruling is a prompt to revisit: 

  • what data you classify as personal 
  • how you secure it 
  • and how you structure your commercial contracts around it 

The risk profile of everyday data handling has edged upward. Now is the moment to recalibrate. 

If this ruling has made you pause and rethink what sits inside your “personal data” bucket, now is the time to sense-check it. A short data audit or contract review today is far easier than defending an ICO investigation tomorrow. Please get in touch and our experts at Hybrid Legal can help. 

Kay Yung

Kay graduated with a law degree from Southampton University and has over ten years’ experience practising commercial law in-house.
