Boards & Trustees
Guidance on oversight, accountability, & assurance for GDPR & cyber risk, in plain English.
Boards don’t need technical detail, they need clarity, confidence, and evidence. These answers explain what trustees should do, see, and expect when managing GDPR risk and responding to incidents.
How to Use These Answers
- Each page answers one specific question.
- Written for non‑specialists and decision‑makers.
- Designed to be quoted, shared, and relied upon.
Featured answers
- What should a board do after a data breach?
  Ensure containment, decide on notification within 72 hours, and retain evidence of oversight.
- Who is accountable for GDPR compliance at Board level?
  The organisation is accountable; the board provides governance, oversight and assurance.
- What should Trustees see in a GDPR risk report?
  A clear view of risk, incidents, trends, and actions - without operational noise.
- How can Boards get assurance over data protection risk?
  Through independent advice, structured reporting, and evidence-based compliance.
- What does good GDPR governance look like?
  Clear ownership, proportionate controls, and documented decisions.
- How do Boards know if their organisation is GDPR compliant?
  When they can evidence decisions, controls, and oversight - not just policies.
- What evidence should Boards expect during an ICO investigation?
  Time-stamped decisions, risk assessments, and governance records.
- How should Trustees oversee cyber risk linked to GDPR?
  Focus on data impact, incident readiness, and escalation - not tools.
- What happens in the first 72 hours after a data breach?
  Containment, impact assessment, notification decision, and communications.
- How do boards demonstrate challenge and oversight on GDPR?
  By asking the right questions and recording decisions and follow-ups.
Why this hub exists
Boards often get flooded with technical or legal detail. The above answers cut through to what matters for accountability and assurance.