
Data Protection & Directors Personal Liability


A GDPR & Data Protection Advisory Note.

Published: 27/01/2020 Last Updated:27/01/2020

Warning! Advanced learning – read with tea or coffee and biscuit*

  • Directors can be personally liable for data breaches and other data protection failures in several circumstances.
  • A director’s failure to understand and mitigate risk, for example by failing to ensure that appropriate security measures are implemented, can trigger that personal liability.


The risk of a data breach or other data protection failure now affects practically every business, and that risk can translate into personal liability for directors in several ways. Directors should therefore understand the liability they face and where it comes from.

Data Protection Act 2018 (DPA)

The General Data Protection Regulation (GDPR) imposes its obligations and administrative fines on the controller or processor, not on its directors personally. Section 198 DPA, however, provides that where an offence under the Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, a director (or ‘manager, secretary or similar officer’), that officer is guilty of the offence as well as the company and liable to be prosecuted accordingly. Note that a data breach is not in itself an offence under the DPA: section 198 bites where the company has committed one of the Act’s criminal offences, such as unlawfully obtaining or disclosing personal data under section 170.

Consent in this context means:

  • the officer must have known about the company’s actions
  • the officer must have agreed to them
  • that agreement can be established by inference rather than express words

Connivance in this context means:

  • tacit agreement to the commission of the offence
  • awareness that the offence is being committed
  • wilful blindness to a course of action
  • reckless conduct, in knowing of the risk but doing nothing about it

Neglect in this context means:

  • failure to carry out a duty, without actual knowledge of the offence committed
  • an objective test: the officer has fallen below an identifiable standard of conduct

Privacy and Electronic Communications Regulations (PECR)

Since the Privacy and Electronic Communications (Amendment) Regulations 2018 came into force on 17 December 2018, the ICO has been able to fine an officer of a company (a director, manager, secretary or similar officer) up to £500,000 personally where the company has breached the direct-marketing rules in regulations 19 to 24 of PECR (unsolicited calls, texts and emails) and the breach took place with the officer’s consent or connivance, or was attributable to the officer’s neglect. The amendment was introduced because companies were being dissolved or placed into liquidation before the ICO could collect fines imposed on them. The penalty is aimed at the individual who was an officer at the time of the breach, so neither the company’s liquidation nor the officer’s subsequent resignation removes the exposure.

Companies Act 2006 (CA)

Among other things, the CA places directors under a duty to promote the success of the company (section 172) and a duty to exercise reasonable care, skill and diligence in the conduct of their role (section 174).

The care, skill and diligence duty is measured against a reasonably diligent person with both the general knowledge, skill and experience reasonably expected of someone carrying out the director’s functions and the knowledge, skill and experience the director actually has. The standard is therefore an objective minimum that rises with the individual’s own expertise: a director with a technology or security background is held to a higher standard than one without.

A director’s failure to understand and mitigate cyber risk, for example by failing to ensure that appropriate security measures against data breaches are in place, could therefore amount to a breach of these duties. A claim could be brought by the company itself or, on the company’s behalf, by shareholders through a derivative action under Part 11 of the CA.


Directors should therefore understand that they can be personally liable for data breaches and other data protection failures, and that the steps they take protect not only the company but themselves. As the litigation landscape around cyber security develops, a breach creates regulatory and other legal liability for the company and, in the circumstances described above, personal liability for its directors.

Directors reviewing their companies’ cyber security arrangements should place cyber security oversight at the top of the risk register, both to protect the business and to protect themselves, and should take a visible leadership role in managing the evolving risk of cyber-attack.

*We’re not sure if the above is interesting, but it’s definitely not legal advice.
