
Are UK Company Directors personally liable for a data breach?

Yes, under certain circumstances this can be the case.

While liability usually falls on the business as a legal entity, there are situations where directors can face personal legal action, fines, or even imprisonment.


🔹 When Can a Director Be Personally Liable?

1️⃣ Under UK GDPR & Data Protection Act 2018 (DPA 2018)

  • The company, as controller or processor, is the party responsible for UK GDPR compliance, and ICO monetary penalties are issued against it.
  • A director can nonetheless be held personally accountable: where an offence under the DPA 2018 is committed by the company with the consent or connivance of a director, or is attributable to their neglect, the director is also guilty of that offence (DPA 2018, section 198). Personal exposure is most likely where a director has:
    ✅ Knowingly allowed poor cybersecurity practices to continue.
    ✅ Ignored security warnings or failed to act on known risks.
    ✅ Concealed a breach, for example by failing to report a notifiable breach to the ICO within 72 hours of becoming aware of it.
  • Example: A director who fails to implement security policies despite being told they are needed could face enforcement action or personal legal action.

🛑 Penalty: The ICO can fine the organisation up to £17.5M or 4% of global annual turnover, whichever is higher. That administrative fine falls on the company; a director's personal exposure is the criminal liability under section 198 described above.


2️⃣ Under the Computer Misuse Act 1990

  • The Computer Misuse Act criminalises deliberate acts, not negligence. A director who personally carries out, orders, or knowingly assists unauthorised access to systems or data, or an unauthorised act that impairs a system (data theft, sabotage, or access in furtherance of fraud), could face:
    ✅ Criminal charges for unauthorised access to computer material (section 1), or unauthorised access with intent to commit a further offence such as fraud (section 2).
    ✅ Up to 10 years in prison for unauthorised acts that impair a computer (section 3), and longer sentences under section 3ZA where the act causes or risks serious damage.
  • Running a poorly secured company is not in itself a Computer Misuse Act offence; that exposure arises under the data protection and company law heads instead.

3️⃣ Under the Companies Act 2006 – Director’s Duties

  • Directors must exercise reasonable care, skill, and diligence (section 174), judged against what is expected of someone in that role and against the director's own knowledge and experience.
  • The duty is owed to the company, so a claim for breach is brought by the company itself, by a liquidator or administrator after insolvency, or by shareholders through a derivative claim. Regulators do not sue under this section, although a serious failing can also support disqualification proceedings.
  • Example: If a director fails to invest in cybersecurity despite clear, documented risks, and the company suffers loss as a result, they could be personally liable to the company for that loss.

4️⃣ Under FCA Regulations (Financial Services Firms)

  • If your company is in banking, fintech, insurance, or another regulated activity, the FCA (Financial Conduct Authority) and, for banks and insurers, the PRA can take action against individuals as well as the firm.
  • Under the Senior Managers and Certification Regime (SM&CR), each senior manager is personally accountable for the areas of the business allocated to them in their statement of responsibilities, which can include technology, operational resilience, and information security.
  • Example: A director responsible for technology who failed to protect customer financial data could face a personal fine, a public censure, or a prohibition order banning them from regulated roles.

🔹 Can Directors Face Criminal Prosecution?

Yes, although it requires a criminal offence rather than poor security alone. A director who is complicit in a breach, or whose consent, connivance, or neglect lies behind an offence committed by the company, could face:
🚨 Fines, and disqualification from acting as a director under the Company Directors Disqualification Act 1986 (for up to 15 years).
🚨 Criminal prosecution under the Fraud Act 2006, the Computer Misuse Act 1990, or the DPA 2018 (for example, unlawfully obtaining or disclosing personal data under section 170, or altering records to prevent their disclosure under section 173).
🚨 Jail time in serious cases, for example a director who knowingly exposes customer data as part of a computer misuse or fraud offence. Offences under the DPA 2018 itself are punishable by a fine rather than imprisonment.


🔹 How Can Directors Protect Themselves?

✅ Ensure Cyber Security Governance – Give one named person board-level accountability for security, for example by appointing a CISO (Chief Information Security Officer). Check out our CISO as a Service
✅ Follow UK GDPR & Cyber Essentials – Implement strong data protection policies and the baseline technical controls that Cyber Essentials requires.
✅ Conduct Regular Risk Assessments – Identify security vulnerabilities, fix them, and record the decisions taken so the board can show it acted on known risks.
✅ Train Staff on Cybersecurity – Ensure all employees know how to recognise and report phishing and other common attacks.
✅ Have Cyber Insurance – Cover financial losses from cyberattacks, and check that directors' and officers' (D&O) cover is in place for personal claims.
✅ Report Breaches Promptly – Notify the ICO within 72 hours of becoming aware of a breach that is likely to put individuals at risk, and inform affected individuals without undue delay where the risk to them is high.