Data Protection & Liability: What risks will company directors face in 2026?

Why data protection is now a top priority – and is becoming a strategic competitive advantage
For many managing directors, the start of the year is the time to reassess risks and set strategic priorities. Data protection is no longer merely an isolated IT or legal issue. It touches on key aspects of corporate governance: risk management, liability avoidance, operational stability, and trust among customers and partners. For managing directors in small and medium-sized enterprises, this means one thing above all: data protection is a top priority – organisationally, economically and legally.
Why data protection must be embedded at management level by 2026
The GDPR defines the ‘controller’ as the entity that determines the purposes and means of processing personal data. In practice, this is usually the company – and therefore the management as the highest governing body.
This responsibility is not limited to deciding on individual measures. The GDPR explicitly requires accountability and effectiveness. The so-called accountability principle obliges companies to be able to demonstrate at all times that data protection is not merely provided for, but is systematically managed and implemented.
For managing directors, this means:
Anyone who merely delegates data protection without ensuring management, control and documentation exposes themselves to a significant liability risk and, consequently, a reputational risk.
Personal liability of directors: What you can realistically expect
Although fines are officially imposed on the company, a lack of, or defects in, the organisational and control structure can result in personal liability for the management (see Federal Court of Justice, judgment of 10 July 2018 – II ZR 152/17). The risks increase where:
- there is no evidence of clearly structured data protection governance,
- advice from data protection officers is ignored,
- or escalations arise due to a lack of preparation.
Legal consequences for directors
Managing directors may be liable for recourse in internal proceedings if they breach their duties “intentionally or through gross negligence” (section 43 of the German Limited Liability Companies Act (GmbHG)). Important: the law does not require management to have detailed technical or legal expertise, but it does require informed management and effective oversight – just as with health and safety, financial supervision or compliance. Where repeated warnings or obvious weaknesses are ignored, the liability risks are substantial and may also trigger claims for damages from the shareholders.
Data protection as a strategic risk and trust factor
For managing directors, data protection is particularly relevant because breaches rarely occur in isolation. They usually result in operational disruptions, a loss of trust and consequential financial damage. Production stoppages, supply chain issues or the loss of sensitive customer information directly undermine the very core objectives that managing directors seek to protect.
At the same time, data protection is increasingly becoming a marker of trust and quality in the B2B environment. Customers, partners and insurers expect clear and transparent statements on data processing, IT security and incident management. Companies that adopt a structured and transparent approach in this area gain measurable advantages – for example, in tenders, RFx processes or long-term partnerships.
Data Protection 2026: From Obligation to Management Discipline
Modern data protection requirements can no longer be met through isolated measures. What is needed is an integrated data protection and risk management approach that combines governance, processes, technology and corporate culture.
At management level, this means, above all, establishing data protection as an integral part of corporate governance. This involves ensuring that data protection features regularly in management reporting, that risks are assessed and that decisions are documented. It is not perfection that is crucial, but demonstrable diligence and structured governance.
The 2026 Business Review: Four Perspectives for Business Leaders
An effective starting point is to take a structured look at four key levels of data protection management.
- At the governance level, the focus is on whether data protection is visibly embedded in the management agenda, whether roles are clearly defined, and whether responsibility is exercised not just formally but in practice. Data protection officers and those in steering roles require adequate resources and the backing of senior management.
- At the process level, the ability to provide evidence is crucial. Documentation, risk analyses, technical and organisational measures, and incident response processes must be consistent, up to date and readily accessible. In an emergency, what counts is not what was planned, but what can be proven to work.
- The technical level encompasses protective measures that combine data protection and IT security. Network protection, endpoint security, access controls, backup strategies and monitoring are not merely IT details, but prerequisites for data protection compliance and resilience.
- Last but not least, corporate culture plays a decisive role. Employees must be aware of their responsibilities and know how to act in critical situations. Data protection rarely fails due to technology – it often fails due to a lack of awareness.
Data protection as a competitive advantage for small and medium-sized enterprises
For small and medium-sized enterprises in particular, data protection offers an opportunity to position themselves strategically. Companies that can demonstrate in a structured manner that data protection and IT security are managed systematically not only reduce risks but also strengthen the trust of external stakeholders.
In an era of increasing regulation and growing cyber threats, this ability to demonstrate compliance is becoming a key differentiator – particularly when compared to larger competitors with complex, cumbersome structures.
Conclusion: Data protection is a leadership quality
Data protection in 2026 is no longer merely a compliance obligation. It is a reflection of professional corporate governance. For managing directors, this means taking visible responsibility, actively managing risks, and recognising data protection as an integral part of stability, trust and growth.
Those who take a strategic approach to data protection are not only protecting data – but the company itself.
FAQ – Data Protection & Liability for Directors
Yes. Although fines are primarily imposed on the company, in cases of breaches of organisational or supervisory duties, the management may be held liable either internally or in connection with claims for damages.
No. The Data Protection Officer provides support and advice, but does not relieve the management of its overall responsibility.
Because data protection is directly linked to risks such as business interruptions, damage to reputation and a loss of trust – and at the same time serves as a mark of quality and trust in the market.
Through clear governance, documented processes, regular risk reviews and effective coordination between data protection and IT security.
Yes. In the B2B sector in particular, traceability, transparency and reliability are increasingly decisive factors when it comes to securing contracts, forming partnerships and building long-term customer relationships.

![Kevin Thomas, your PR contact at Securepoint.](/fileadmin/securepoint/allgemein/geteilte_inhalte/bilder/securepoint-mitarbeiter/kevin-thomas.jpg)