UK Data Enforcement Is Structurally Broken. The Currys’ Case Proves It. Let's Stop Pretending Otherwise.

I have spent forty-plus years in IT, long enough to remember when "data protection" meant locking the filing cabinet and hoping the building did not burn down. I have watched this industry evolve, sometimes forwards and sometimes decidedly sideways, through the Data Protection Act 1984, the 1998 Act, GDPR, UK GDPR, and whatever the Data (Use and Access) Act 2025 eventually turns into in practice.

I have a lot of patience for the complexity. I have a lot of patience for the genuine difficulty of regulating something as fast-moving and technically intricate as data security in the modern economy.

What I have run out of patience for is the polite industry fiction that the UK's data protection enforcement regime is working as intended.

The DSG Retail saga is the proof. Not because the outcome was surprising to those of us who follow this closely, but because it is so complete a demonstration of every structural failure in the system that it could have been designed as an examination question.

Let me tell you what actually happened, what it means, and why the comfortable reassurances you hear at compliance conferences are dangerously wrong.

The Architecture of Failure

DSG Retail had malware on 5,390 payment tills for nine months. The ICO found the security failures to be, in their own words, "basic, commonplace" shortcomings: inadequate patch management, poor network segmentation, absent monitoring. Not sophisticated. Not nation-state. Basic.

The ICO fined DSG the maximum available under the Data Protection Act 1998: five hundred thousand pounds. That maximum has been in place since the Act came into force. It was not indexed to inflation. It was not scaled to turnover. For a company the size of DSG, it is a legal expenses budget line.

DSG appealed. The First-tier Tribunal halved it. The Upper Tribunal threw it out entirely on a technical argument about whether card numbers constitute personal data. The ICO appealed to the Court of Appeal. The Court of Appeal restored the fine in February 2026.

Nine years. The breach was 2017. The judgment is 2026.

That timeline is not an anomaly created by unusual legal complexity. It is a structural feature of a system with no fast-track mechanism, a capped fine that makes fighting economically rational for large organisations, and an appeals process that runs from First-tier Tribunal through Upper Tribunal to Court of Appeal with no practical time limit at any stage.

The Deterrence Maths Do Not Work

Let me do the numbers.

Under the Data Protection Act 1998, the maximum fine is £500,000. Full stop. No matter how large the organisation, no matter how many millions of people's data was compromised, no matter how long the breach ran or how negligent the security posture. Five hundred grand.

Currys had revenue of around £9.3 billion in the 2022/23 financial year. Half a million pounds is approximately 0.005% of that figure. Less than a rounding error on the annual accounts.

Against that, what does fighting the fine cost? Years of senior management time. Lawyers at commercial rates. Barristers at QC rates. Multiple tribunal appearances across three levels of jurisdiction. A case that is by 2026 almost certainly costing more in legal fees than the fine itself.

And yet DSG fought it. Because the expected value calculation said fighting was the right call. Partial win at First-tier Tribunal: fine halved. Full win at Upper Tribunal: fine eliminated entirely. Even the worst case, losing at the Court of Appeal after nine years, means paying a fine whose real value has been eroded by a decade of time and whose deterrent impact on the business was minimal from the outset.

That is not a broken legal argument. That is a correctly working legal argument against a fundamentally broken deterrent structure.

The Victims Got Nothing. That Is Not an Accident.

I want to push back against the view that the absence of victim compensation is just an unfortunate side effect of the regulatory process.

It is the predictable consequence of a system that was never primarily designed to compensate individuals. The Data Protection Act 1998 is a compliance framework. Its main instrument is the monetary penalty notice. Its enforcement theory is deterrence: fine organisations enough that others invest in better security. The individual victim, in this architecture, is a beneficiary of future deterrence, not a party to the current enforcement action.

UK GDPR's Article 82 does provide individual compensation rights. But as the Warren case demonstrated, exercising those rights in a consumer mass breach context runs into structural obstacles: narrow causes of action, distress-only harm without quantifiable financial loss, and a limitation clock that runs regardless of where the regulatory process has reached.

The lawyers who ran group action campaigns knew this. That is why their books closed quietly.

The system was not designed to help Darren Warren get his five thousand pounds. It was designed to discourage DSG from doing it again. Whether it achieves even that secondary aim, given the cost-benefit calculation I described above, is debatable.

Does UK GDPR Fix This?

I hear this argument a lot. The regime has changed. The fines are now in the millions. The deterrent maths are different. The ICO is more assertive. Move on.

There is genuine truth in part of this. The upper bound for serious UK GDPR violations is £17.5 million or 4% of global annual turnover, whichever is higher. For large organisations, that is a genuinely significant number. British Airways paid £20 million. Marriott paid £18.4 million. Those sums are actual deterrents, not rounding errors.

But the structural problems I am describing are not primarily about fine size. They are about enforcement speed, appeal availability, and the gap between regulatory process and individual remedy.

The appeals infrastructure has not changed. First-tier Tribunal, Upper Tribunal, Court of Appeal, and potentially the Supreme Court remain available to any well-funded defendant. The investigation process is still slow. The ICO publishes no binding target for investigation timelines. The gap between breach notification and enforcement action consistently runs to years.

Individual compensation remains structurally limited by the same features of English civil procedure that defeated Warren's claim. UK GDPR's Article 82 right is real but practically narrow for diffuse consumer harm.

The numbers got bigger. The architecture stayed the same.

What Actually Needs to Change

I am not calling for the abolition of the ICO or a revolution in data protection law. I am making three specific arguments.

First: the investigation and enforcement timeline needs hard targets and public accountability. If the ICO opens an investigation, there should be a published expected timeline and a published reason when that timeline is exceeded. "The case is complex" is not accountability. The DSG investigation ran from breach discovery in 2018 to fine in January 2020 to final judgment in February 2026. That is an eight-year process. Every year of delay is a signal to every other large organisation that contesting enforcement is a viable strategy.

Second: individual compensation mechanisms need reform. Article 82 of UK GDPR exists on paper. In practice, the combination of narrow causes of action, distress-only harm, and short limitation periods creates a gap between statutory right and practical remedy. The Scottish Law Commission and the Law Commission have both noted the difficulty of accessing compensation for data breaches. A workable small-claims-style mechanism for data breach compensation claims, with explicit provision for distress-only harm, would change the calculus significantly.

Third: the appeals process needs a proportionality mechanism. An organisation choosing to appeal an ICO fine to the First-tier Tribunal is using a public resource. The more appellate levels they use, the more public resource they consume. There is no obligation on a well-funded defendant to make proportionate choices about contesting enforcement. A system where the appeal process itself has a cost dimension beyond legal fees, perhaps through an escalating cost contribution mechanism, would change the economic incentive structure.

None of these changes are technically complex. All of them require political will that has so far been absent.

What This Means for You

Here is the thing. I can identify every structural failure in UK data enforcement and still arrive at the same practical conclusion for the business owner reading this.

The system is not going to be fixed before your next security decision. The ICO's culture and the civil litigation landscape have not changed because of one Court of Appeal judgment. Your customers remain in the same position they were in before February 2026: dependent on your choices, not on the law, for any meaningful protection of their data.

The answer is not to wait for a better enforcement regime. The answer is to be the organisation that does not need one. Map your data. Review your access controls. Monitor for unusual activity. Document what you do. Do those four things and you are already ahead of where a household-name retailer was when malware sat on their tills for nine months.

You will also sleep better. That is worth something.

How to Turn This Into a Competitive Advantage

The organisation that has done the boring, essential work of data stewardship while competitors have assumed the regulator will sort it out has a story to tell.

Clients in professional services, healthcare, legal, and any sector where data changes hands now ask about data security as a procurement question, not an afterthought. If you can answer that question with specifics, you win work that your compliance-averse competitors lose.

"We have a data map, we review access quarterly, we monitor for unusual activity, and we have a documented incident response plan" is not an extraordinary claim. It is the baseline. But it is a baseline most SMBs cannot make, which means the ones that can are differentiated.

How to Sell This to Your Board

The DSG case gives you a clean and current example of what inadequate data governance looks like in practice: nine years of litigation, a fine that was financially irrelevant to the business, and 14 million customers with nothing.

If your board believes the enforcement system is a sufficient incentive for security investment, point at DSG and ask whether they find that incentive credible.

If they want to know what good looks like, point at the four controls the ICO said were missing: monitoring, access management, patching, and network controls. Those are the board's targets. That is the conversation.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com