Your Four-Control Playbook: The Basic Security Measures Currys Was Missing (And How to Implement Them This Afternoon)
The ICO's investigation into the DSG Retail breach did not conclude that Currys was the victim of a fiendishly sophisticated attack. It concluded that a large retailer had failed to implement "basic, commonplace security measures" on systems that processed millions of payment card transactions every year.
Nine months. Five thousand three hundred and ninety tills. Five point six million card records. All of it running quietly because the fundamentals were not in place.
If you run a small or medium-sized business and handle customer data, staff data, or payment information, those same fundamentals apply to you. The ICO does not grade on a curve for smaller organisations. UK GDPR's requirement for "appropriate technical and organisational measures" applies to every controller regardless of size; what counts as appropriate scales with the risk to the individuals whose data you hold, not with your headcount.
The good news is that the controls that would have stopped the DSG breach are not exotic. They are not expensive. And with this guide, you can make meaningful progress on all four of them today.
Before You Start: The Ten-Minute Data Scope Exercise
Before implementing any controls, you need to know what you are protecting.
Grab a notepad or open a blank spreadsheet. List your main systems in a single column. Common ones for a UK SMB include: accounting software (Xero, Sage, QuickBooks), payroll system, CRM or customer database, email (Microsoft 365 or Google Workspace), HR records or personnel files, point-of-sale system, website contact or booking forms, cloud storage (OneDrive, Google Drive, SharePoint, Dropbox), and any specialist software for your sector.
For each system, write one answer to this question: does this system hold information I could use to identify a specific person, either directly or by combining it with something else I hold?
If yes, put a tick against it. Everything ticked is personal data in scope for UK GDPR under the controller's perspective test confirmed by the Court of Appeal in February 2026.
That ticked list is the scope of your controls work. Do not make it more complicated than that.
Control One: Monitoring — Who Is Watching for Weird Things?
This is where the Currys breach created its most visible failure. Malware ran on payment terminals for nine months before anyone at DSG detected it.
The key question for your business is this: who, specifically, is responsible for noticing unusual activity on systems that hold personal data? Not in general. By name.
If you manage your own IT, this is probably you or a named team member. If you outsource IT to a managed service provider, it is a named person or team at that provider. The answer cannot be "our IT company takes care of it" in a vague, unverifiable way. You need a name and you need to understand what they are actually looking at.
What good monitoring looks like for an SMB:
For each ticked system on your data scope list, there should be an answer to these three questions. Who looks at the access logs or alerts for this system? How often? What would prompt them to escalate?
For a CRM system, this means: someone is reviewing login attempts and checking for unusual access patterns (logging in at 3am, logging in from an unfamiliar location, downloading a very large number of records at once). Most CRM platforms, including Salesforce, HubSpot, and Zoho, provide built-in activity logs.
For accounting software, someone should be watching for bulk data exports, new user account creations, and failed login attempts.
For Microsoft 365 or Google Workspace, the admin portal provides audit logs showing who signed in, from where, and what actions they took. Review these at minimum weekly.
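The weekly review described above, written out as code so the checks are explicit and repeatable. This is an added example, not something from the original article or from any vendor's tooling. The log lines are constructed for illustration and loosely mirror the columns an admin-portal export (Microsoft 365, Google Workspace, a CRM) gives you; the business hours, the expected-country set, the bulk-export threshold and the failed-sign-in burst size are assumptions you would tune to your own business.

```python
"""Weekly review of an activity-log export for one system holding personal data.

Added example, not from the original article. Log lines are constructed and
thresholds are assumptions: tune them to your own hours and data volumes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, user, country, event, result, record count.
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice@example.co.uk,GB,SignIn,Success,0
2024-03-04T09:15:00,bob@example.co.uk,GB,SignIn,Success,0
2024-03-04T03:07:00,alice@example.co.uk,GB,SignIn,Success,0
2024-03-04T11:40:00,bob@example.co.uk,RO,SignIn,Success,0
2024-03-04T11:45:00,bob@example.co.uk,RO,ExportRecords,Success,48000
2024-03-04T14:00:00,carol@example.co.uk,GB,SignIn,Failure,0
2024-03-04T14:00:30,carol@example.co.uk,GB,SignIn,Failure,0
2024-03-04T14:01:00,carol@example.co.uk,GB,SignIn,Failure,0
2024-03-04T14:01:30,carol@example.co.uk,GB,SignIn,Failure,0
2024-03-04T14:02:00,carol@example.co.uk,GB,SignIn,Failure,0
2024-03-04T14:02:30,carol@example.co.uk,GB,SignIn,Failure,0
2024-03-04T16:30:00,alice@example.co.uk,GB,ExportRecords,Success,120
"""

BUSINESS_HOURS = (7, 20)                     # assumption: 07:00-20:00 local is normal
EXPECTED_COUNTRIES = {"GB"}                  # assumption: where staff normally sign in from
BULK_EXPORT_THRESHOLD = 5000                 # assumption: records in one export
FAILURE_BURST = (5, timedelta(minutes=10))   # assumption: N failures inside the window


def parse_log(text):
    """Turn the CSV-style export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, event, result, count = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "event": event,
                       "result": result, "count": int(count)})
    return events


def review(events):
    """Return (finding_type, user, detail) tuples worth escalating."""
    findings = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "SignIn" and e["result"] == "Success":
            # 3am logins and logins from an unexpected country.
            if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
                findings.append(("off_hours_signin", e["user"], e["ts"].isoformat()))
            if e["country"] not in EXPECTED_COUNTRIES:
                findings.append(("unexpected_country", e["user"], e["country"]))
        if e["event"] == "ExportRecords" and e["count"] >= BULK_EXPORT_THRESHOLD:
            # A very large number of records pulled at once.
            findings.append(("bulk_export", e["user"], str(e["count"])))
        if e["event"] == "SignIn" and e["result"] == "Failure":
            # Sliding window of failures per user; report a burst once.
            window = recent_failures[e["user"]] + [e["ts"]]
            window = [t for t in window if e["ts"] - t <= FAILURE_BURST[1]]
            if len(window) >= FAILURE_BURST[0]:
                findings.append(("failed_signin_burst", e["user"], e["ts"].isoformat()))
                window = []
            recent_failures[e["user"]] = window
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:22} {user:28} {detail}")
```

Run it against the constructed sample and it reports four things: Alice's 03:07 sign-in, Bob's sign-in from an unexpected country, Bob's 48,000-record export a few minutes later, and a burst of failed sign-ins against Carol's account. Alice's 120-record export is below the threshold and is not reported, which is the point of setting the threshold to your own normal volumes rather than to zero.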
The MSP test: if you use an external IT provider, ask them directly: "If malware or an unusual script started running on one of our systems tonight, how quickly would you know? What would trigger an alert? Show me the last three weeks of alerts for our systems." If they cannot answer that in concrete terms, you have identified a risk.
Writing down who reviewed which system's logs, and when, costs nothing. A brief weekly review of system activity logs takes twenty minutes. That is the bar. DSG cleared neither.
Control Two: Access — Who Has the Keys to What?
Every personal data breach investigation asks two questions immediately: who had access, and should they have had it?
For each system on your ticked list, you need to answer: who has administrator-level access, and who has day-to-day read or write access?
The access audit in three steps:
Step one: pull the user list from each system. Most software platforms let you export this from the admin panel. Generate that list today.
Step two: identify accounts that should not exist. Former employees. Contractors who finished a project months ago. Previous IT providers who were never offboarded. Old test accounts. These are zombie accounts and they are a standing invitation to attack. Kill them immediately. This is not a complicated job. It is just a job that does not get done unless someone makes it a specific task.
Step three: review remaining accounts against a "need to know" principle. Your sales team almost certainly does not need access to payroll records. Your front-of-house staff do not need admin rights to your accounting software. Your temps definitely do not need domain administrator privileges.
Trim everything to the minimum access required for the job.
Write it down. Create a simple spreadsheet with columns: System, User, Role, Date Last Reviewed. This document becomes part of your accountability record under UK GDPR. It is also the first thing a cyber insurance assessor will ask for following a claim.
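The three-step audit above, plus the MFA check from Control Three, carried out over a user export. This is an added example, not the article's own procedure or any vendor's script. The user export, the HR leavers list and the approved-administrator list are constructed for illustration and loosely mirror what an admin panel's CSV export gives you; the column names and the 90-day staleness threshold are assumptions.

```python
"""Access audit of one system's user export against HR records.

Added example, not from the original article. The export, the leavers list,
the approved-admin list and the 90-day threshold are constructed assumptions.
"""
import csv
import io
from datetime import date

# Constructed user export, as pulled from the system's admin panel.
USER_EXPORT = """\
user,role,last_sign_in,mfa_enabled
alice@example.co.uk,Admin,2024-03-01,yes
bob@example.co.uk,User,2024-02-28,yes
dave@example.co.uk,Admin,2023-09-15,no
svc-test@example.co.uk,Admin,2023-01-10,no
erin@example.co.uk,User,2024-02-20,no
temp.contractor@example.co.uk,Admin,2024-02-25,yes
"""

LEAVERS = {"dave@example.co.uk"}           # assumption: from HR's leavers list
APPROVED_ADMINS = {"alice@example.co.uk"}  # assumption: who is allowed admin rights
STALE_AFTER_DAYS = 90                      # assumption: idle accounts to question
COLUMNS = ["System", "User", "Role", "Findings", "Date Last Reviewed"]


def audit(export_text, leavers, approved_admins, today, system="CRM"):
    """Step two and three in one pass: flag zombie, stale, over-privileged and MFA-less accounts."""
    findings = []
    for r in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        days_idle = (today - date.fromisoformat(r["last_sign_in"])).days
        if r["user"] in leavers:
            reasons.append("leaver: disable now")
        if days_idle > STALE_AFTER_DAYS:
            reasons.append(f"no sign-in for {days_idle} days: confirm still needed")
        if r["role"] == "Admin" and r["user"] not in approved_admins:
            reasons.append("admin rights not approved: reduce to User")
        if r["mfa_enabled"].lower() != "yes":
            reasons.append("MFA off: enable")
        findings.append({"System": system, "User": r["user"], "Role": r["role"],
                         "Findings": "; ".join(reasons) or "OK",
                         "Date Last Reviewed": today.isoformat()})
    return findings


def to_review_record(findings):
    """Render the findings as the access-control spreadsheet (CSV text) for the accountability pack."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(findings)
    return out.getvalue()


if __name__ == "__main__":
    print(to_review_record(audit(USER_EXPORT, LEAVERS, APPROVED_ADMINS, date(2024, 3, 4))))
```

On the constructed export the leaver's admin account is flagged four ways at once, the old test account is flagged as stale, over-privileged and without MFA, and the contractor's account is caught only by the approved-admin check, which is why the approved list has to come from a person who owns the decision rather than from the system itself. The CSV it writes has exactly the columns the article asks for and can be dropped straight into the accountability pack.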
The ICO's investigation found DSG lacking in its approach to password policies and patch management for privileged accounts. Access hygiene was one of the two failings the First-tier Tribunal confirmed as made out. It is not a sophisticated failing. It is a housekeeping failing.
Control Three: Basic Technical Controls — The Floor, Not the Ceiling
This is not about buying expensive security tooling. This is about meeting the floor that every organisation processing personal data should be at.
Patching. Are the operating systems and key applications on systems that hold personal data up to date? This means running current, supported software versions and applying security patches promptly after release; the Cyber Essentials benchmark is critical and high-severity patches within 14 days. For Windows systems, this means automatic update policies are enabled and someone checks they are actually applying. For cloud software, updates are typically automatic, but you should verify. DSG's security failures included issues with patch management on its own systems. This is explicitly cited in the tribunal judgments.
Endpoint protection. Do the devices that access personal data run reputable, up-to-date security software? For most SMBs this means a managed endpoint detection solution. Microsoft Defender for Business, included in Microsoft 365 Business Premium, is a credible baseline for most UK SMBs. It is not an add-on cost. Use it properly: enrol every device, and have someone look at the alerts it raises.
Multi-factor authentication. MFA should be enabled on every account that accesses personal data: email accounts, CRM logins, accounting software, HR systems, cloud storage. No exceptions. This single control blocks the overwhelming majority of password-based attacks such as credential stuffing and password spraying. SMS codes and simple push prompts can still be phished or fatigued into approval, so prefer authenticator apps or security keys for administrator accounts.
Remote access. If staff access company systems remotely, that access should be through a VPN or equivalent secure gateway, not direct RDP exposure to the internet. The NCSC's guidance on this is clear and has been clear for years. Direct RDP is a standing target for attackers. The gateway itself then needs the same treatment as everything else: patched and behind MFA.
The NCSC's "10 Steps to Cyber Security" (available free at ncsc.gov.uk/collection/10-steps) covers all of these in detail with implementation guidance calibrated for organisations that are not security specialists. Work through each of the ten headings and write one sentence against each describing what you currently do. That exercise reveals both your current state and your to-do list simultaneously.
Control Four: Documentation — Your Evidence Base and Your Safety Net
Under UK GDPR's accountability principle, you are required to be able to demonstrate that you have considered data protection and taken reasonable steps. The word "demonstrate" matters. It means written records.
This is not asking for a 200-page compliance manual. It is asking for enough documentation that, if the ICO knocked on your door tomorrow, you could show that you thought about this and did something about it.
The minimum viable accountability pack for an SMB:
A one-page data map showing the systems you hold personal data in, the categories of data, and the approximate number of individuals whose data you hold. Apply the controller's perspective test: if you can link it to a person, it goes on the map.
A one-page access control record: the spreadsheet from Control Two above showing who has access to what and when you last reviewed it.
A one-page security statement describing the technical controls you have in place. What endpoint protection you run. Whether MFA is enabled on key systems. How patches are managed. Who reviews access logs and how often.
A brief incident response plan: three paragraphs covering who you call first if something goes wrong, how you would notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and how you would communicate with affected individuals where the risk to them is high.
That is four pages. It takes an afternoon to produce. It probably takes DSG's legal team longer than that to bill their morning.
The ICO provides free templates for many of these documents. The ICO's accountability framework and its guide to accountability and governance are your starting frameworks for the pack; the NCSC's 10 Steps covers the technical side. All are free. All are written for organisations that are not compliance specialists.
Putting It Together: Your Implementation Order
If you are starting from scratch, here is the order that delivers the fastest risk reduction.
This afternoon: run the ten-minute data scope exercise. Identify your ticked systems.
This week: run the access audit on each ticked system. Kill zombie accounts. Trim over-privileged access.
This week: check MFA status on every account that touches personal data. Enable it everywhere it is not already on.
This month: review patch status on devices and software that hold personal data. Identify anything running unsupported software and schedule upgrades.
This month: run through the NCSC 10 Steps headings. Write one sentence per heading describing your current state. Identify gaps.
This quarter: produce your minimum viable accountability pack. Data map, access record, security statement, incident response plan.
That is a credible, proportionate programme. It does not require consultants. It does not require expensive tooling. It requires a few afternoons of focused work spread across a quarter.
It also happens to be the list of controls the ICO's investigation said DSG was failing on. Do not be the next case study.
How to Turn This Into a Competitive Advantage
Once you have done this work, use it.
If you respond to tenders or proposals where you will handle client or customer data, add a "Data Stewardship" section to your standard proposal. In plain English: here is how we have mapped our data, here is who has access and how we review it, here is how we monitor for unusual activity, and here is our incident response plan.
Most of your competitors have a generic privacy policy and a cookie consent banner. You have done the actual work. That is visible and it is valuable to clients who care about where their data goes.
How to Sell This to Your Board
The DSG breach was not a sophisticated attack. It was basic hygiene failures on payment systems. The ICO said so. Multiple tribunal judges confirmed it.
For your board, the question is: if the ICO investigated our security controls today, would we be in the same category? Can we demonstrate a data map, an access review, active monitoring, and basic technical controls?
If not, the cost of getting there is a few days of focused internal work. The cost of not getting there is a potential fine under UK GDPR of up to £17.5 million or 4% of global annual turnover, whichever is higher, plus the reputational and operational fallout of a notifiable breach.
That arithmetic is not complicated.
| Source | Article |
|---|---|
| NCSC | 10 Steps to Cyber Security |
| ICO | Guide to Accountability and Governance |
| ICO | A Guide to Data Security |
| Courts and Tribunals Judiciary | DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 |
| ICO | ICO wins Court of Appeal case in DSG Retail ruling |
| NCSC | Multi-factor authentication for online services |
| ICO | Report a personal data breach |
| Cybernews | UK data watchdog wins court battle, £500K fine against DSG retail stands |