A GDPR & Data Protection Advisory Note.
Published: 27/01/2020 Last Updated: 27/01/2020
Warning! Advanced learning – read with tea or coffee and biscuit*
- Directors can be personally liable for data breaches or other data protection failures in several circumstances.
- A director’s failure to understand and mitigate risk, for example for failing to implement appropriate security measures, could trigger personal liability.
It is undeniable that the increasing risk of a data breach or other data protection failure affects practically every business. These increased risks can translate into personal liability for directors in a number of ways. It is therefore imperative that directors of organisations familiarise themselves with the potential liability they face.
Data Protection Act 2018 (DPA)
Although the General Data Protection Regulation (GDPR) does not itself provide for directors’ personal liability where a company commits a data breach, section 198 of the DPA does: where an offence under the DPA has been committed by a company, and it is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, a director (or ‘manager, secretary or similar officer’), that individual is personally liable for the offence as well as the company.
Consent in this context means:
- must have known about the actions of the company
- must have agreed to the action
- can be established by inference
Connivance in this context means:
- tacit agreement to the commission of the offence
- aware of the commission of the offence
- encompasses wilful blindness to a course of action
- can occur through reckless conduct by knowing of the risk but doing nothing
Neglect in this context means:
- failure to carry out a duty but without having actual knowledge of the offence committed
- objective test that officer has fallen below an identifiable standard of action
Privacy and Electronic Communications Regulations (PECR)
The PECR gives the ICO the power to hold company directors to account by fining them personally up to £500,000. This applies even where the company fails to pay a fine imposed by the ICO or is placed into liquidation, and even where the individual is no longer in a senior position (e.g. because they have resigned).
Companies Act 2006 (CA)
Among other things, under the CA directors are under a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the conduct of their role.
The duty to exercise reasonable care, skill and diligence requires the standard of a reasonably diligent person with the knowledge and skill of the director in question.
A director’s failure to understand and mitigate risk, for example by failing to implement appropriate security measures against data breaches, could equate to a breach of his/her duties under the CA. This could lead to a claim being brought against the directors by the company itself or by shareholders through a derivative action.
Directors should understand that they can be personally liable for data breaches or other data protection failures in some circumstances, and so should take steps to protect not only their companies but also themselves. Given the developing litigation landscape around cybersecurity, a breach creates not only regulatory and other legal liability for the company but, potentially, personal liability for its directors.
Directors reviewing their companies’ cyber security arrangements should therefore elevate cyber security oversight to the top of the risk register, to better protect their businesses and themselves, and take a leadership position in managing the emerging and dynamic risk of cyber-attacks.
*We’re not sure if the above is interesting, but it’s definitely not legal advice.