The Corporate Veil Does Not Work the Way You Think
Most founders assume incorporation protects them. That assumption died in 2024. The Irish High Court ruled in Nolan & Ors v Dildar & Ors that a company director was personally liable for unlawful disclosure: not the company, the person. He was the "human author" of the breach.
The Three-Element Test: Knowledge, Authority, Omission
The Dutch DPA made the framework explicit with the Clearview AI €30.5 million fine (September 2024):
- You knew the GDPR was being violated
- You had authority to stop the violation
- You consciously omitted to do so
| Element | Startup Founder Reality |
|---|---|
| Knowledge | You built the product. You know how it handles data. |
| Authority | You are the founder. You can change anything. |
| Conscious omission | You noticed the cookie banner was wrong three months ago and "deprioritized" the fix. |
The Enforcement Numbers
€5.65 billion in cumulative fines. 2,245 enforcement actions since 2018.
| Company | Fine | Violation |
|---|---|---|
| | €310M | Unlawful targeted advertising |
| Uber | €290M | Illegal US data transfers |
| Meta | €251M | 2018 data breach |
| Clearview AI | €30.5M | Illegal facial recognition |
What This Means at Your Scale
| Business Size | Turnover | Fine Range |
|---|---|---|
| Micro enterprise | Up to €2M | 0.2% to 0.4% of turnover |
| Small enterprise | €2M to €10M | 0.4% to 2% of turnover |
| Medium enterprise | €10M to €50M | 2% to 10% of turnover |
The Violations That Create Personal Exposure
| Violation | Total Fines | Founder Risk |
|---|---|---|
| Insufficient legal basis | €1.65B | Critical |
| Non-compliance with principles | €2.4B | Critical |
| Insufficient security | €480M | High |
| Failure to comply with data subject rights | €200M+ | High |
Why Your Insurance Probably Will Not Save You
| Coverage Type | Typically Included? |
|---|---|
| Legal defense costs | Yes |
| Settlement payments | Sometimes |
| GDPR fines (negligent) | Rarely |
| GDPR fines (intentional) | Never |
The Founder's Personal Protection Checklist
Essential Documentation
- Data processing register
- Legal basis documentation for each processing activity
- Privacy policy: accurate, up-to-date, and actually followed
- Data processing agreements with all processors
- Security measures documentation
- Training records
- Incident response plan
- Board minutes recording compliance decisions
Actions That Demonstrate Good Faith
| Action | How It Protects You |
|---|---|
| Regular compliance reviews | Shows ongoing attention, not "conscious omission" |
| Legal consultation on data practices | Demonstrates you sought expert guidance |
| Documented risk assessments | Shows you identified and addressed risks |
| Data protection impact assessments | Required for high-risk processing |
When to Use AI vs. When to Call a Lawyer
| Approach | Monthly Cost | Protection Level |
|---|---|---|
| DIY + templates | €0 to €500 | Low |
| AI-assisted (like Outlex) | €300 to €600/mo | Medium |
| Law firm engagement | €5,000 to €20,000+ | High |
| Hybrid: AI + periodic review | €300 to €600/mo + €2,000/year | High |
The Bottom Line
Personal liability for GDPR violations is not theoretical. It is precedent. Your company's data practices are your personal responsibility. Build the documentation. Get the review. Protect yourself.