Directors’ Personal Liability – GDP-argh?!
At the time of reading this, the General Data Protection Regulation (GDPR) will already have been in force from 25 May 2018. While much has been publicised about the potential for the Information Commissioner’s Office (ICO) to issue record-breaking fines under the GDPR (up to €20 million or 4% of a company’s global annual turnover, whichever is higher), we are regularly highlighting to clients that directors may also be personally liable for a breach of a company’s data protection obligations.
The responsibility for compliance with data protection obligations will, in practice, fall on a company’s directors. There is a wide range of scenarios in which a director could be personally liable, for example where a vulnerable network is compromised, leading to business interruption, property damage or the loss or theft of customer data (typically alongside reputational damage).
There are a number of potential legal pressure points that may create personal liability for directors of a company as a result of a breach of data protection obligations (including cyber breaches). These areas can be summarised as follows: (i) the Companies Act 2006, (ii) case law, and (iii) data protection and anticipated legislative changes. We explore some of these areas below.
Directors have always owed legal duties to companies of which they are directors. The Companies Act 2006 codified these into seven separate duties. In the context of personal liability, two of the duties are particularly relevant for directors, namely (a) the duty to promote the success of the company and (b) the duty to exercise reasonable care, skill and diligence.
A board’s failure to understand and mitigate a risk such as cyber risk, for instance by failing to implement appropriate cyber security measures, could lead to a claim against a director for breach of these duties, misconduct or negligence.
In addition to the scope for greater fines under the GDPR, the ICO is already empowered to request personal undertakings as to future conduct from senior board members to ensure that a company complies with its obligations going forward.
Interestingly, while the GDPR does not provide for directors’ personal liability where a company breaches data protection legislation, the draft Data Protection Bill (DP Bill), the successor to the Data Protection Act 1998 (DPA 1998), introduces directors’ personal liability by incorporating provisions directly from the DPA 1998. Where an offence is committed by a company and it is established that the offence was committed “with the consent or connivance of or attributable to neglect” of a director, that director as well as the company will be guilty of an offence. Offenders will be “liable to be proceeded against and punished accordingly”. The DP Bill also includes two new criminal offences that are not set out in the GDPR (namely: (i) alteration of personal data to prevent disclosure, and (ii) re-identification of de-identified personal data), for which offenders will be liable to a fine.
Potential legal developments regarding directors’ personal liability should be closely monitored during the passage of the DP Bill through Parliament and now that the GDPR regime is in force. In this respect, it will be interesting to see the ICO’s approach to recent scandals, such as the misuse of information by the now folded Cambridge Analytica (recently under investigation by a parliamentary committee).
Indeed, as noted by Elizabeth Denham, the UK’s Information Commissioner, “25 May merely marks the end of the beginning” for data protection regulation.
If you would like to receive regular updates via email from Marriott Harrison please request to be added to our distribution list via firstname.lastname@example.org
The information and any commentary contained in this update is for general information purposes only and does not constitute legal or any other type of professional advice. Marriott Harrison LLP does not accept and, to the extent permitted by law, excludes liability to any person for any loss which may arise from relying upon or otherwise using the information contained in this bulletin. If you have a particular query or issue you are strongly advised to obtain specific, personal advice about your case or matter and not to rely on the information or comments in this bulletin.