Cybersecurity is no longer a purely technical issue delegated to IT teams. For directors, it is a core governance and legal risk, particularly where cyber incidents expose personal data. Under English and Welsh law, failures in this area can trigger regulatory action, civil claims, reputational damage and, in some circumstances, personal consequences for directors themselves.
This article outlines the key legal framework and practical implications directors should understand when overseeing cybersecurity and personal data risk.
Why Cybersecurity Is a Board-Level Issue
Most cyber incidents, such as ransomware attacks, phishing, insider misuse or system vulnerabilities, have one thing in common: they put personal data at risk. Customer data, employee records and business contacts are all protected by law.
Regulators and courts increasingly expect directors to treat cyber risk in the same way as financial, health and safety or compliance risks. A failure to do so may be characterised not simply as bad luck, but as poor corporate governance.
The Data Protection Framework: UK GDPR and the Data Protection Act 2018
The primary legal obligations relating to personal data arise under the UK General Data Protection Regulation (UK GDPR), as supplemented by the Data Protection Act 2018.
Key obligations relevant to cybersecurity include:
· Security of processing: Organisations must implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk (Article 32 UK GDPR).
· Risk-based approach: Security measures must reflect the nature, scope, context and purposes of data processing, as well as the likelihood and severity of harm to individuals.
· Accountability: Organisations must be able to demonstrate compliance, not merely assert it. Documentation, policies and evidence of decision-making are critical.
· Breach notification: Certain personal data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours, and in some cases to any affected individuals.
Cybersecurity failures that expose personal data will often amount to a breach of these obligations.
Regulatory Enforcement and Financial Exposure
The ICO has wide enforcement powers, including:
· Fines of up to £17.5 million or 4% of global annual turnover (whichever is higher)
· Enforcement notices requiring changes to systems and practices
· Public reprimands, which can cause significant reputational harm
While fines are imposed on organisations rather than individuals, directors should note that regulators increasingly scrutinise governance, oversight and decision-making at senior level when assessing enforcement action.
Claims Following Data Breaches
Data breaches frequently lead to claims, including:
· Claims by individuals for distress and/or financial loss
· Group actions, particularly where large volumes of data are affected
· Contractual claims from customers or suppliers where security obligations have been breached
Courts have shown a growing willingness to entertain claims based on loss of control of personal data, even where financial loss is limited. Cyber incidents can therefore translate quickly into substantial litigation risk.
Directors’ Duties Under the Companies Act 2006
Cybersecurity also intersects with directors’ general duties, including:
· The duty to promote the success of the company (section 172): Ignoring known cyber risks or underinvesting in security may undermine long-term value, customer trust and regulatory compliance.
· The duty to exercise reasonable care, skill and diligence (section 174): Directors are expected to keep themselves informed and to take appropriate steps to manage material risks. This does not require technical expertise, but it does require informed oversight and challenge.
Where a serious cyber incident occurs, decisions (or omissions) made at board level may be examined with hindsight by regulators, courts, shareholders or insolvency practitioners.
Personal Liability: How Real Is the Risk?
In England and Wales, personal liability for directors in cybersecurity matters is not automatic, but risks arise where:
· Directors have knowingly ignored serious and foreseeable risks
· There is evidence of systemic governance failure
· Statements to regulators, customers or the market are misleading
· The company becomes insolvent and cyber risk mismanagement is scrutinised in that context
In addition, reputational damage and disqualification risks should not be overlooked in extreme cases.
What Good Cyber Governance Looks Like
Directors are not expected to be cybersecurity specialists, but they are expected to ensure that appropriate structures, resources and oversight are in place. Practical steps include:
· Clear board ownership of cyber and data protection risk
· Regular risk reporting, including threat assessments and incident metrics
· Appropriate policies and training, particularly around phishing and access controls
· Incident response planning, including breach notification procedures
· Third-party risk management, especially where data is outsourced or hosted
· Documented decision-making, evidencing how risks are assessed and addressed
From a legal perspective, the ability to demonstrate active and informed oversight can be as important as the technical measures themselves.
Preparing for the Inevitable
Most organisations will experience a cyber incident at some point. The legal focus is therefore not on achieving perfect security, but on whether the organisation, and its directors, acted reasonably, proportionately and in accordance with their legal obligations.
Early engagement with legal advisers following an incident can be critical in managing regulatory exposure, preserving privilege and coordinating communications.
Berry Smith’s Bottom Line
Cybersecurity and personal data protection are firmly embedded in the legal and governance responsibilities of directors under English and Welsh law. Treating cyber risk as a purely technical matter is no longer tenable.
Directors who take a proactive, structured and well-documented approach to cybersecurity will not only reduce the risk of regulatory and civil liability, but also strengthen the resilience and long-term value of their organisations.
If you are looking for data protection guidance and advice, get in touch with us today on 02920 345511 or at commercial@berrysmith.com.