AI, Data and Director Liability: Practical Governance Steps for Cyprus Companies
Artificial intelligence is no longer a prospective or experimental consideration for businesses. It is already embedded in routine operations.
Customer communications are automated, documents are reviewed by software, recruitment processes rely on algorithmic screening and significant volumes of commercial and personal data are processed through third-party platforms. In many organizations, these systems are introduced incrementally and with limited formal oversight at board level.
While such adoption may appear operationally efficient, it raises a distinct governance question: not whether the technology functions effectively, but whether accountability for its use has been properly structured and supervised. In practice, that question is increasingly a legal one.
When AI-related issues come to the attention of legal advisers, they seldom arise from sophisticated coding failures or complex technological defects. More commonly, they stem from routine operational decisions made without appropriate legal or governance oversight.
Departments may adopt external platforms without prior review, employees may upload confidential or proprietary information to publicly available tools, customer data may be processed by third-party providers without clearly defined safeguards, or automated systems may operate without documented supervision or accountability.
Individually, these circumstances may appear unremarkable. Collectively, however, they can give rise to significant regulatory, contractual and reputational exposure.
Accordingly, the principal risk associated with AI adoption is rarely technological. It is a question of governance and governance, as a matter of law and responsibility, rests with the board.
Under Cyprus law, directors are not expected to possess technical expertise in digital systems or artificial intelligence. Their obligation is of a different nature. Directors are required to exercise due care, skill and diligence in the supervision of the company’s affairs and to ensure that appropriate systems of control are in place to manage foreseeable risks.
That responsibility increasingly extends to the manner in which data is collected, processed and safeguarded, as well as to the oversight of digital and automated decision-making tools deployed within the business.
When incidents occur whether in the form of a data breach, misuse of personal information or an erroneous automated outcome regulators and counterparties rarely focus on the technical implementation alone. The more immediate inquiry is whether the company had established reasonable governance structures and adequate supervision at board level.
The practical question therefore becomes not who operated the system, but whether the board exercised appropriate oversight.
Where such oversight cannot be demonstrated, exposure may arise in several forms, including regulatory sanctions, contractual claims, reputational harm and transaction disruption. In more contentious circumstances, individual decisions and conduct may also be scrutinised.
For directors, the issue is therefore not technological sophistication, but the ability to demonstrate structured and defensible governance.
Across companies of differing sizes and sectors, similar governance weaknesses tend to emerge with notable consistency. These issues are rarely the result of complex legal or technical deficiencies, but rather of informal practices that develop over time without adequate oversight.
AI-enabled tools are frequently introduced on an ad hoc basis, often characterized initially as limited “pilot” initiatives that subsequently become embedded in core operations. Technology vendors may be selected for operational convenience, with insufficient attention given to contractual safeguards or allocation of risk. Data processing activities are not always clearly mapped, resulting in uncertainty as to what information is handled, where it is stored and by whom. Employees may be granted access to powerful systems without clear parameters governing appropriate use, while incident response procedures exist in principle but remain untested in practice.
Individually, such shortcomings may appear routine. Taken together, however, they create avoidable exposure and reflect gaps in governance rather than deficiencies in law or technology.
In our experience advising boards and management teams, effective mitigation of AI- and data-related risk does not depend on complex frameworks or extensive bureaucracy. It depends primarily on clarity of responsibility and visibility over how systems are used within the organisation.
As a starting point, boards benefit from ensuring that the company maintains a clear understanding of the AI and data-driven tools deployed across its operations. Risks are difficult to supervise where their existence is not fully mapped. Even a straightforward inventory of systems and data flows often reveals exposures that had not previously been considered at management level.
Similarly, technologies that involve the processing of personal, confidential or commercially sensitive information are best assessed before deployment. A short, documented review of purpose, safeguards and accountability can provide a clear record of responsible decision-making and materially reduce subsequent scrutiny.
Relationships with external providers warrant particular attention. In practice, many disputes turn less on technical failure than on contractual allocation of risk — including the scope of data protection obligations, security standards and liability for breaches.
Internal controls are equally significant. Clear policies governing the use of external platforms and the handling of sensitive information reduce the likelihood of inadvertent disclosure, which remains a frequent source of preventable incidents.
Finally, oversight is most effective where responsibility is expressly allocated and supported by periodic reporting to the board. When accountability is defined and documented, digital risk becomes a matter of managed governance rather than informal practice.
Individually, these measures are straightforward. Collectively, they establish a defensible and proportionate framework for supervision.
Beyond regulatory exposure, digital governance increasingly carries direct commercial significance. In transactional contexts, data management practices are now routinely scrutinized during due diligence exercises, with investors and acquirers seeking clear evidence that companies understand how their information is collected, processed and controlled.
Weak or informal systems may raise concerns not only as to technical compliance, but as to broader standards of management discipline and risk oversight. In practice, such concerns can affect valuation, delay transactions or introduce additional protections and conditions into negotiations.
Conversely, a structured and documented approach to AI and data governance tends to provide reassurance. It demonstrates that risk is actively managed and that the organisation operates with appropriate controls.
Viewed in this light, governance is not merely defensive. It is an element of value preservation and, in many cases, value creation.
The rapid pace of AI adoption can give the impression that the associated legal risks are novel or highly specialised. In practice, however, most exposure arises from familiar governance considerations: documentation, oversight and accountability. The principles that safeguard shareholder value in any corporate structure apply equally in this context. Where boards approach AI and data use as matters of routine governance, rather than purely technical implementation, uncertainty is reduced and risk becomes proportionate and manageable.
At that stage, legal advice is no longer confined to reacting to incidents. It assumes a strategic function supporting informed decision-making and preserving long-term value.
This article is provided for informational purposes only and does not constitute legal advice. For advice tailored to your specific circumstances, you are encouraged to contact our office by telephone at +357 25 101080 or by email at info@mylonas.law to consult with one of our specialist lawyers.