Reassuringly dull cyber security | e: info@normcyber.com | t: +44 (0) 203 855 6215

Directors' Personal Liability & Data Protection

norm notebook

A GDPR & Data Protection Advisory Note.

Published: 27/01/2020 Last Updated: 27/01/2020

Warning! Advanced learning – read with tea or coffee and biscuit*

  • Directors can be personally liable for data breaches or other data protection failures in several circumstances.
  • A director's failure to understand and mitigate risk, for example by failing to implement appropriate security measures, could trigger personal liability.


The increasing risk of a data breach or other data protection failure now affects practically every business, and that risk can translate into personal liability for directors in a number of ways. It is therefore imperative that directors familiarise themselves with the liability they may face.

Data Protection Act 2018 (DPA)

Although the General Data Protection Regulation (GDPR) does not itself impose personal liability on directors where a company commits a data breach, section 198 DPA does. Where an offence under the DPA has been committed by a company and it is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, a director (or 'manager, secretary or similar officer'), that officer, as well as the company, is guilty of the offence and liable to be proceeded against and punished accordingly.

Consent in this context means that the director:

  • must have known about the actions of the company
  • must have agreed to those actions
  • consent can be established by inference, not only by express agreement

Connivance in this context means:

  • tacit agreement to the commission of the offence
  • awareness that the offence is being committed
  • wilful blindness to a course of action
  • reckless conduct, i.e. knowing of the risk but doing nothing about it

Neglect in this context means:

  • failure to carry out a duty, without actual knowledge of the offence committed
  • an objective test: the officer has fallen below an identifiable standard of conduct

Privacy and Electronic Communications Regulations (PECR)

Since December 2018, PECR has given the ICO the power to hold company officers personally to account. Where the ICO imposes a monetary penalty on a company for a PECR breach (nuisance calls and messages being the typical case), it may also fine a director or other officer up to £500,000 if the breach took place with their consent or connivance or was attributable to their neglect. The change was aimed at directors who let the company go into liquidation rather than pay the fine, resign, and then carry on elsewhere: the personal penalty follows the individual even after they have left the company.

Companies Act 2006 (CA)

Among other things, the CA places directors under a duty to promote the success of the company (section 172) and a duty to exercise reasonable care, skill and diligence in the conduct of their role (section 174).

The duty to exercise reasonable care, skill and diligence requires the standard of a reasonably diligent person with both the general knowledge, skill and experience that may reasonably be expected of someone carrying out that director's functions, and the general knowledge, skill and experience that the director actually has. A director with specialist IT or security expertise is therefore held to a higher standard than one without it.

A director's failure to understand and mitigate risk, for example by failing to implement appropriate security measures against data breaches, could amount to a breach of these duties under the CA. This could lead to a claim being brought against the director by the company itself or, through a derivative action, by shareholders.


Directors should understand that they can be personally liable for data breaches or other data protection failures in some circumstances, and should therefore take steps to protect not only their companies but also themselves. Given the developing litigation landscape around cyber security, breaches create regulatory and other legal liability for the company and can also create personal liability for its directors.

Directors reviewing their companies' cyber security arrangements should elevate cyber security oversight to the top of the risk register, both to protect the business and to protect themselves, and should take a visible leadership position in managing the evolving risk of cyber attack.

*We’re not sure if the above is interesting, but it’s definitely not legal advice.
