Already under attack from several directions, including ever more stringent regulatory compliance and the threat of shareholder activism, the last thing that UK company directors want to hear in the present environment is that such pressure is increasing.

Yet with the imminent arrival of the EU’s new General Data Protection Regulation (GDPR) regime on 25 May, there is the very real possibility that directors and officers’ liabilities for data breaches or personal data misuse in Europe will increase.

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, you must also inform those individuals without undue delay.