UK Court of Appeal ruled in DSG Retail v. Information Commissioner that GDPR security obligations remain for controllers even if data is anonymous to attackers. The decision emphasizes the broad nature of “personal data” and the need for controllers to protect against unauthorized access, regardless of how data may appear to a third party. This ruling challenges prior interpretations that could diminish data protection responsibilities. It suggests that GDPR accountability may extend beyond the direct data handling by the controller.
