The Bluebox Blog

Contributions from our professional team

Partner Piece – Marriott Harrison

July 31, 2018

Personal Liability for Directors and Officers- GDP-argh?!

This month Alex Denoon and Marina Ehrlich from Marriott Harrison LLP discuss the potential for personal liability of directors and officers (Ds&Os) of a company for a breach of data protection compliance.

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) have been in force since late May 2018. While much has been publicised about the potential for the Information Commissioner’s Office (ICO) to issue record-breaking fines under the GDPR (up to €20 million or 4% of a company’s global annual turnover, whichever is higher), we are regularly highlighting to clients that Ds&Os may also be personally liable for a breach of a company’s data protection obligations.

The responsibility for compliance with data protection obligations will, in practice, fall on a company’s Ds&Os.  There is a wide range of scenarios in which a director and/or officer could be personally liable, for example where a vulnerable network is compromised leading to business interruption, property damage or loss of/theft of customer data (typically alongside reputational damage).

 

Pressure Points

There are a number of potential legal pressure points that may create personal liability for Ds&Os of a company as a result of a breach of data protection obligations (including cyber breaches).  These areas can be summarised as follows: (i) the Companies Act 2006, (ii) case law, and (iii) data protection and anticipated legislative changes.  We explore some of these areas below.

Directors have always owed legal duties to companies of which they are directors. The Companies Act 2006 codified these into seven separate duties. In the context of personal liability, two of the duties are particularly relevant for directors, namely (a) the duty to promote the success of the company and (b) the duty to exercise reasonable care, skill and diligence.

The duty to exercise reasonable care, skill and diligence requires the standard of a reasonably diligent person with the knowledge and skill of the director in question.  Directors who fail to manage data protection adequately may fail to reach this standard.  Consequently, a board’s failure to understand and mitigate, say, cyber risk, for instance by failing to implement appropriate cyber security measures, could lead to a claim against a director related to a breach of these duties, misconduct or negligence.  In theory, this could also extend to a person acting as a data protection officer or an information security officer.

Likewise, as well as the scope for greater fines under the GDPR, the ICO is already empowered to request personal undertakings as to future conduct from senior board members to ensure that a company complies with its obligations going forward.

Interestingly, while the GDPR does not provide for personal liability of Ds&Os where a company breaches data protection legislation, the DPA 2018, the successor to the Data Protection Act 1998 (DPA 1998), introduces personal liability for a director, manager, secretary or officer (or person who was purporting to act in any such capacity), by incorporating provisions directly from the DPA 1998.

Where an offence is committed by a company and it is established that the offence was committed “with the consent or connivance of or attributable to neglect” of a director, manager, secretary or officer (or person who was purporting to act in any such capacity), such individual(s) as well as the company will be guilty of an offence. Offenders will be “liable to be proceeded against and punished accordingly”.  The DPA 2018 also includes two new criminal offences that are not outlined in the GDPR, namely: (i) alteration of personal data to prevent disclosure (to deter employees of data controllers from altering, erasing or otherwise interfering with personal data in the context of subject access requests) and (ii) re-identification of de-identified personal data, where offenders will be liable to a fine.

Likewise, potential legal developments regarding personal liability of Ds&Os under the proposed changes to the Privacy and Electronic Communications Regulations (PECR) (colloquially known as the “anti-spamming” laws, which sit alongside the GDPR and the DPA 2018) should be closely monitored during the passage of PECR through Parliament.

 

Action points

There are a number of steps which a board should consider in this regard, for example: (a) appointing a data protection officer who understands the risks and regulatory framework, (b) having a simple written data protection and cyber policy regularly communicated and updated, (c) having an independent audit of the company’s data supply chain / hosting providers, and (d) conducting data protection impact assessments.  Companies should have some (if not all) of these in place already as part of their GDPR compliance programme.

It is also worth considering extending current Ds&Os insurance policies to cover matters related to data protection and cyber security (in particular, it may be worth reviewing the extent of any exclusions for a cyber incident / hacking).

 

Watch this space

The ICO has been calling for increased directorial responsibility and sanctions for some time.  In this respect, it will be interesting to see the ICO’s approach to recent scandals, such as the misuse of information by the now collapsed Cambridge Analytica (recently under investigation by a Parliamentary committee) and Dixons Carphone’s data breach involving 5.9 million payment cards and 1.2 million personal data records.  Significantly, regarding the former, the ICO has confirmed that it will continue its civil and criminal investigations and will seek to pursue individuals and directors even where companies may no longer be operating.

Indeed, as noted by Elizabeth Denham, the UK’s Information Commissioner, “25 May merely marks the end of the beginning” for data protection regulation.

 

For more information on data protection, how to address the challenges and mitigate the risks, please contact Alex Denoon (Alex.Denoon@marriottharrison.co.uk) or Marina Ehrlich (Marina.Ehrlich@marriottharrison.co.uk).

Categories

  • Articles
  • Blog
  • Interview
  • News
  • Partner Piece
  • Podcast
  • Success story
    • quote marks icon

    Testimonials

    “We were delighted with the services that Bluebox offered us. Bluebox’s attention to detail through their Diamond Programme ensured that we were well prepared for when the business was taken to market and that the sale process itself was managed expertly.

    We challenged Bluebox with finding the right strategic buyer and thereafter negotiating a deal that met our requirements. In helping initially to identify and to secure the deal with Mountville Mills they accomplished just that. Communication throughout was excellent and professional, managing each stage of the process. I would have no hesitation in recommending Bluebox to any corporate shareholder or private business owner looking to divest their business.”

    Richard Millward, Former Client

    “We were delighted with the services that Bluebox offered us. Bluebox were challenged with finding us the right strategic investor and, thereafter, negotiating a deal that met our complex requirements. In identifying and securing the deal with LGC they have done exactly that. The process itself was efficient and smooth, largely due to the excellent communication from the Bluebox team, who also demonstrated excellent experience at managing a very engaging auction process. I would be delighted to recommend Bluebox to any corporate shareholder or private business owner looking to divest a business.”

    Helen Dickinson, Former Client

    It has been a real privilege working with the team at Bluebox over this last year or so. Bluebox’s attention to detail ensured that we were well prepared for when the business was taken to market and the sale process itself was managed expertly. Starting the process, I had no idea exactly what this would entail and the volume of work that has been produced by everyone and the result reached today is nothing short of brilliant.

    Hugh Morris, Former Client

    We are delighted with the services that Bluebox was able to offer. They showed an intimate knowledge of a deal cycle, managed a tight auction process and were highly communicative from the start. I would happily recommend Paul and his team to business owners contemplating a sale of their business in the next 24 months. Experience is key and this has paid off for us.

    Laurence Seward, Former Client

    Aligning ourselves early with Bluebox, and entrusting the team to guide us through their process proved to be a highly rewarding investment from all viewpoints. Bluebox’s support significantly enhanced both the value of our business and its ‘saleability’. I would highly recommend Bluebox to business owners contemplating an exit in the next two years. The earlier the engagement the better so far as I am concerned.

    Mike Minett, Former Client

    We began working with Bluebox in early 2015 through their Blue Diamond Programme, as we were contemplating an exit. We found that the process focussed our minds on the key areas of growth in the business, and prepared us well for the inevitable rigours of due diligence. During the sale process itself, the advice offered by the Bluebox team was invaluable. We found them to be helpful, straightforward and honest.

    David Stokes, Former Client

    When selecting our adviser, it was extremely important that they had access to international buyers and were experienced in cross-border M&A. The team at Bluebox proved to be invaluable by identifying a strategic acquirer from America who was not known to us and by negotiating an excellent deal for all parties. I was also impressed with the process management from Bluebox, which ensured that the deal was closed in a timely fashion.

    Jeff Weinstein, Former Client

    When I first engaged with Bluebox, I was hesitant as to the benefits of using an advisor to firstly, find a buyer for my business and secondly, to get a deal over the line. However, now that the deal has completed with KPM, I can honestly say that the finer negotiation points handled by Bluebox and their overall management of this process has been nothing short of first class. I would be delighted to recommend Bluebox’s services to any entrepreneur contemplating the sale of their business.

    Bill Ballard, Former Client

    Bluebox worked closely with us over the following six months and helped us to implement some key initiatives which made InferMed a more attractive acquisition target. Once we decided to sell the business, the Bluebox team were very diligent in ensuring that no stone was left unturned. They negotiated expertly on our behalf to ensure we got the best deal possible.

    Alan Montgomery, Former Client

    The pre-sale planning programme that we signed up for with Bluebox made us develop our strategies and focus on the bigger picture. It proved to be a very rewarding investment from all viewpoints and significantly enhanced both the value of our business and its ‘saleability’. I would highly recommend Bluebox to business owners contemplating an exit in the next two years.

    Nigel Parsons, Former Client

    I have experienced first hand the value that can be created through highly structured pre-sale planning. It amazes me that it is not something that everyone does. It is so disappointing to see around 90% of transactions collapse before they complete and pre-sale planning will not only enhance your price, but also significantly enhance your chance of a closed deal.

    James Caan, Investor

    We worked incredibly closely with our advisers who provided expert knowledge of the sale process with which we were not familiar. We were truly delighted with the results.

    Marten Nielson, Former Client

    We appointed advisers to manage the sales process after we had received a number of unsolicited approaches for the business. I was incredibly impressed by the immense value that could be created by expertly negotiating with a group of already interested parties.

    Paul Duckworth, Former Client

    I was delighted with the service that the team offered and their real attention to detail. The deal was not without its complexities and it was reassuring to have such experienced advisers assisting me throughout the negotiations.

    Peter Bennett, Former Client

    Truly delighted with the way my sale process was managed. The fact that the team I worked with achieved such a great multiple is testament to their experience and their ability to create some true competitive tension.

    James Averdieck, Gü, Former Client

    The team at Bluebox provided invaluable support in negotiating this complex transaction. Their access to international purchasers, and exceptional knowledge of cross border M&A ensured that the deal was concluded efficiently, achieving a highly successful outcome for us all.

    Jon Parslow, Former Client

    “We selected Bluebox after a fairly long round of evaluating potential advisors because of their scientific, yet challenging approach to maximising value. During our initial meetings they showed us how far short of “ready” we were and consequently we completed more preparation in the early stages which meant we were equipped for what was to come. We were delighted with our choice of Corporate Finance partner. I do not hesitate in recommending Bluebox for any SME to consider.”

    Simon English, Former Client

    Bluebox provided invaluable advice in managing the negotiations with incoming investors. Their skills in handling these discussions were evident from the outset and the vital interface that they provided between the incumbent team and the incoming investors was truly beneficial.

    Henry Braham, Former Client

    Bluebox have a professional, dynamic and experienced team that is greatly assisting me with my focus on my exit within the next 24 months. Their structured approach is very refreshing and their ‘Blue Diamond’ programme is adding immense value.

    Matt Evans, Former Client

    The team at Bluebox provided me with a seamless service from the start of the engagement until our deal was completed. Attention to detail was commendable and their understanding of corporate M&A very impressive. I could not recommend them highly enough.

    Victor Lewis, Former client

    Having tried to sell my business previously – and failed – I was only too aware of the importance of pre-sale planning. This is a talented team offering a service that most people find out about, but too late.

    Simon Hulme, Former Client

    Bluebox are a quality outfit. Their access to International acquirers and relationships with the highest quality domestic investors was impressive. My shareholders and I received excellent service from start to finish and it was refreshing to be dealing with a senior team throughout the sale exercise.

    Michael Clapper, Former Client

    I cannot recommend the team at Bluebox highly enough. Their expert guidance throughout the entire sale exercise resulted in my shareholders securing an excellent deal with which the entire team was delighted.

    Mark Rodol, Former Client

    I’m really pleased with the service Bluebox provided. The team demonstrated excellent knowledge of the process to follow and led negotiations for the hospital in a way that allowed us to ensure we received appropriate value whilst focusing on reputational risk. Communication and service were of a very high standard.

    Steven Davies, Former Client

    With Bluebox’s expert advice we were able to find the right buyer that will benefit our business strategically. We’re delighted with the outcome and look forward to starting our new chapter

    Clive Hillier, Former Client

    The advice offered by the Bluebox team throughout the process was invaluable to the shareholders. We strongly believe that participating in Bluebox’s pre-sale planning programme was a significant driver behind the success of the deal. Their project management and negotiation skills throughout the sale process itself resulted in an exceptional deal being delivered to all parties involved.

    Harpal Singh, Former Client

    I chose Bluebox because they were the only CFA we considered who were a real ‘solution sales’ organisation rather than a team of accountants and/or ex-bankers! Selling a business is a solution sell and therefore a sell-side CFA requires this skill at its core.

    Jeremy Harford, Former Client

    Bluebox were a full solution in every respect. As an example, I never spoke with any of the potential or actual buyers directly. This separation allowed Bluebox to do what they do best which is to sell companies for the best price and on the most favourable terms.

    Jeremy Harford, Former Client