Is a Card Number Personal Data? The Court of Appeal Has Answered. Here Is What Your Business Needs to Do with That Answer.

Compliance & Risk Management

I want to start with the argument itself, because it was a good one.

DSG Retail’s legal team, confronting an ICO enforcement action over a breach that exposed card data from 5,390 payment terminals, identified a genuine ambiguity in the Data Protection Act 1998 and ran with it. Their position: for data to constitute “personal data,” it must relate to an identifiable individual. The hackers who exfiltrated the data captured 16-digit card numbers and expiry dates for most cards, but not names. From the attackers’ perspective, those numbers do not immediately identify a specific person. Therefore, the argument ran, the stolen data was not personal data from the relevant processing perspective. Therefore the ICO’s enforcement powers did not fully apply.

The Upper Tribunal in September 2024 found sufficient merit in this to overturn the ICO’s fine entirely.

The Court of Appeal, in its February 2026 judgment ([2026] EWCA Civ 140), disagreed. Lord Justice Warby’s ruling is important and worth reading carefully, because it does not just resolve the DSG dispute. It establishes a test you can apply directly to your own data today.

The Controller’s Perspective Test: What It Actually Says

Warby’s central holding is precise: you assess whether data constitutes personal data from the perspective of the controller. The organisation that holds and processes the data. Not the attacker who exfiltrates it.

DSG, as the controller, could link those card numbers to real people. Card number, combined with transaction records, customer database, and purchase history, produces a specific named individual with an address and a purchasing profile. DSG acknowledged this in proceedings. The bank that issued the card could make the same link. Any analyst with access to DSG’s own systems could do it without difficulty.

That is the test. If you, as the organisation holding the data, can identify an individual from it, either directly or by combining it with other data you hold, it is personal data. Your protective duty applies.

The attacker’s inability to make the same identification from the stolen fragment alone is irrelevant to your obligation as controller.

This matters beyond the DSG context. The judgment specifically addresses ransomware. Ransomware groups do not pause to sort through exfiltrated data and confirm each record contains a complete, immediately identifiable profile. They take everything available. Under the attacker-perspective logic the Upper Tribunal had partially endorsed, a ransomware attack that exfiltrated partial or fragmented records might struggle to meet the personal data threshold. Warby’s ruling forecloses that interpretation entirely.

Jigsaw Identification: The Concept Your Risk Assessment Is Probably Missing

The second concept from the judgment that I want to examine carefully is what lawyers call “jigsaw identification.”

Warby cites the growth in technology’s capacity to “locate, assemble, and combine disparate items to elicit information about individuals.” The point is operational: attackers rarely depend on a single complete file. They collect fragments from multiple sources and combine them.

Your card number from one breach. Your email address from another. Your home postcode from a third. Your employer from a LinkedIn scrape. Your date of birth from a fourth database. Each fragment looks like partial information. The assembled picture is precise enough to be operationally useful to an attacker.

I am going to be direct about the implication for your risk assessment. If your organisation holds any of the following, and you have told yourself it is low-risk because it is incomplete, you need to revisit that assessment.

Internal customer reference numbers that map to full records elsewhere in your CRM. Device identifiers or IP addresses that your logs can correlate to a user account. Email addresses without corresponding names. Partial form submissions. Location data without names attached. Transaction timestamps tied to a customer account number. Historical access logs.

Every one of these fragments can, when combined with other available data, identify a specific individual. The Court of Appeal’s ruling makes your protective duty over these fragments the same as your protective duty over a name-and-address file.

The sentence that needs to leave your organisation’s vocabulary is: “it’s only partial information, we don’t need to worry about it.” That is the precise argument DSG ran through the First-tier Tribunal, the Upper Tribunal and the Court of Appeal. It failed.

Where This Fits in UK GDPR

The judgment was handed down under the Data Protection Act 1998. The ICO has been explicit that its interpretation is directly relevant to current UK GDPR obligations.

Article 5(1)(f) of UK GDPR requires that personal data be processed in a manner that ensures appropriate security, using appropriate technical and organisational measures. This is the integrity and confidentiality principle.

Article 32 requires controllers and processors to implement security measures appropriate to the risk presented by their processing activities.

The controller’s perspective test from the February 2026 ruling applies to both. Your obligation is to protect the data you hold that you can link to individuals, including partial and fragmented data. There is no attacker-perspective carve-out. There is no “but the fragment looks innocuous” exception.

Under UK GDPR, serious security failures can attract fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. The £500,000 ceiling that applied to DSG under the 1998 Act no longer exists. The scope of what counts as personal data, now confirmed by the Court of Appeal, has not changed between regimes. The consequences of getting it wrong have increased substantially.

Five Steps Your Business Should Take This Month

I want to be practical, because the legal clarity is only useful if you translate it into operational change.

Step one: apply the controller’s perspective test to your data inventory. If you have a data inventory or record of processing activities, review it with this question applied explicitly to every entry: can we, as the organisation, link this data to a specific individual using other data we hold? If yes, it is personal data. If you do not have a data inventory, this is the month to build one. It does not need to be elaborate. A spreadsheet listing your main systems and the data types they hold is sufficient to start.

Step two: extend your scope to include partial and fragmentary data. Most data inventories focus on obvious personal data: names, addresses, contact details. The Court of Appeal ruling requires you to extend that scope. Add your transaction logs, your access logs, your internal identifier systems, your partial form data, your device telemetry. Apply the jigsaw question: could this fragment contribute to identification when combined with other data sources?

Step three: update your security risk assessment. Under UK GDPR Article 32, your risk assessment must reflect the nature of the data you hold and the risks associated with your processing activities. If your assessment does not currently account for fragmented data or jigsaw identification risk, it is incomplete. Add it.

Step four: review your Data Protection Impact Assessments. If you operate systems that process payment data, log user behaviour, or aggregate customer interactions, your DPIAs should reflect the broader definition of personal data confirmed by the Court of Appeal. Any DPIA completed before February 2026 that relied on an attacker-perspective interpretation of personal data scope should be revisited.

Step five: document your analysis. The accountability principle in UK GDPR Article 5(2) requires that you can demonstrate you considered data protection questions and took reasonable steps. Write down how you applied the controller’s perspective test to your data. Note the date. That documentation is your evidence base in any investigation. It is also the foundation of the credible data stewardship story you can tell clients and prospects.
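Steps one and two, and the jigsaw point above, reduce to one question per inventory entry: starting from this field, using only data we hold, can we reach something that names a person? The script below is an added illustration, not code from the page or from the DSG proceedings. It models a constructed, hypothetical inventory (system and field names are assumptions) as systems holding fields, declares which fields act as join keys between systems, and answers that question for every field by searching for a chain of hops to a direct identifier. The point it makes that the prose cannot is that the answer is per system as well as per field: a timestamp in a transactions table is in scope, the same timestamp in a sensor feed is not.

```python
"""Controller's-perspective linkability check over a data inventory.

Added example, not from the page or the DSG case. The inventory, the join keys
and the direct identifiers are constructed assumptions for illustration.
"""
from collections import deque

# Constructed sample inventory: system name -> set of field names it holds.
INVENTORY = {
    "pos_terminal_logs": {"card_number", "expiry", "terminal_id", "timestamp"},
    "transactions": {"txn_id", "card_number", "customer_id", "amount", "timestamp"},
    "crm": {"customer_id", "name", "postal_address", "email"},
    "web_access_logs": {"client_ip", "session_id", "timestamp"},
    "sessions": {"session_id", "customer_id"},
    "sensor_telemetry": {"sensor_id", "temperature", "timestamp"},
}

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = {"name", "postal_address", "email"}

# Fields whose values are shared between systems and can be used to join records.
# "timestamp" and "amount" are deliberately not join keys: two records with the
# same timestamp are not the same person.
JOIN_KEYS = {"card_number", "customer_id", "session_id", "txn_id"}


def linkage_path(system, field, inventory=INVENTORY,
                 join_keys=JOIN_KEYS, direct=DIRECT_IDENTIFIERS):
    """Shortest chain of (system, field) hops from the given field to a direct
    identifier, or None when the controller cannot make the link.

    Two kinds of hop are allowed: within one system, any field reaches every
    other field of the same record; across systems, only a join key reaches the
    same join key held elsewhere.
    """
    if field not in inventory[system]:
        raise KeyError(f"{field!r} is not held in {system!r}")
    start = (system, field)
    prev = {start: None}          # BFS parent pointers, used to rebuild the path
    queue = deque([start])
    while queue:
        sys_name, fld = queue.popleft()
        if fld in direct:
            path, node = [], (sys_name, fld)
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        # Same-record hop: every other field in this system.
        nxt = [(sys_name, g) for g in sorted(inventory[sys_name]) if g != fld]
        # Cross-system hop: only through a declared join key.
        if fld in join_keys:
            nxt += [(other, fld) for other in sorted(inventory)
                    if other != sys_name and fld in inventory[other]]
        for node in nxt:
            if node not in prev:
                prev[node] = (sys_name, fld)
                queue.append(node)
    return None


def classify_inventory(inventory=INVENTORY, join_keys=JOIN_KEYS,
                       direct=DIRECT_IDENTIFIERS):
    """Map every (system, field) pair to its linkage path, or None if out of scope."""
    return {
        (s, f): linkage_path(s, f, inventory, join_keys, direct)
        for s in sorted(inventory) for f in sorted(inventory[s])
    }


def in_scope(inventory=INVENTORY, join_keys=JOIN_KEYS, direct=DIRECT_IDENTIFIERS):
    """The (system, field) pairs the controller can link to an individual."""
    return {k for k, v in classify_inventory(inventory, join_keys, direct).items()
            if v is not None}


if __name__ == "__main__":
    for (s, f), path in classify_inventory().items():
        if path is None:
            print(f"{s}.{f}: not linkable from the controller's perspective")
        else:
            chain = " -> ".join(f"{a}.{b}" for a, b in path)
            print(f"{s}.{f}: PERSONAL DATA via {chain}")
```

Run it and the card number in the terminal logs comes back in scope with the chain the judgment describes: terminal log to transaction record to customer identifier to CRM name. The caveat is the join-key list. A key you forget to declare produces a false negative, which is the dangerous direction; so the review of that list, not the script, is where the effort belongs.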

How to Turn This Into a Competitive Advantage

The ruling has clarified the legal landscape. Most of your competitors do not know this. Fewer still have taken operational steps in response.

If you handle client data as part of your service, you can speak to the Court of Appeal ruling directly: “We apply the controller’s perspective test to all data we hold, including partial records and reference identifiers. We have reviewed our data inventory and security controls against the February 2026 ruling.” That is a substantive, legally grounded statement. It is not marketing language.

In sectors where data stewardship is a procurement consideration (professional services, healthcare, legal, financial advisory), the ability to articulate a credible and current compliance position wins work. It also builds the kind of trust that sustains client relationships through difficult moments.

How to Sell This to Your Board

The board question is whether your organisation is applying the correct test to determine the scope of your personal data obligations.

The answer, before the Court of Appeal’s February 2026 ruling, may have been uncertain. After it, there is no longer any ambiguity. The controller’s perspective applies. Fragmentary data that you can link to individuals is in scope. Jigsaw risk is real and legally recognised.

Frame the board conversation around three points.

The scope of what counts as personal data is now judicially confirmed and broader than many organisations assumed. Your security obligations extend to partial and fragmented data, not just complete personal profiles.

The consequences of serious security failures under UK GDPR are material: up to £17.5 million or 4% of global annual turnover, whichever is higher. DSG’s nine-year legal battle was conducted under a regime that capped exposure at £500,000. That ceiling does not exist in your environment.

The cost of conducting a data inventory review and applying the controller’s perspective test is measurable and bounded. The cost of finding out you had it wrong during an ICO investigation is not. This is a straightforward risk management decision.

What This Means for Your Business

Apply the controller’s perspective test to your data this month. The question is not whether an attacker could identify someone from what you hold. The question is whether you could. If yes, your protective duty applies and your security controls need to reflect that.

Retire the assumption that partial data is low-risk data. It is not. The Court of Appeal has confirmed that your fragment may be the piece that enables identification when combined with other available sources. Protect it accordingly.

Document your analysis. The ICO takes into account whether an organisation can demonstrate that it thought about this and acted on it. That documentation is both your regulatory protection and your competitive differentiator.

The test is clear. The scope is broad. The consequences of non-compliance are significant. This is the month to make sure you have done the work.

Sources

  • Courts and Tribunals Judiciary: DSG Retail Limited v The Information Commissioner – Press Summary [2026] EWCA Civ 140
  • Courts and Tribunals Judiciary: DSG Retail Limited v The Information Commissioner – Full Judgment
  • ICO: ICO wins Court of Appeal case in DSG Retail ruling
  • Clifford Chance: The test for “personal data” in the context of data breaches under UK data protection law
  • ICO: UK GDPR Guide to Accountability and Governance
  • ICO: A Guide to Data Security
  • LexisNexis: ICO welcomes Court of Appeal ruling in DSG Retail data security case
  • Decision Marketing: ICO appeal ‘victory’ fuels fresh personal data warning
  • Mayer Brown: UK GDPR and the price of non-compliance: ICO issues new guidance on calculating fines

Filed under

  • personal-data-definition
  • uk-gdpr
  • ico-enforcement
  • dsg-retail-ruling
  • data-protection-law
  • jigsaw-identification
  • compliance-failure