Most cyber security writing for executives is about the firm. This series is not. It is about the eighteen things a board director, in 2023, would benefit from doing — and asking their household to do — about personal digital privacy. Some of it overlaps with the firm's cyber posture. Most of it does not.
I am writing this because, after several years of NED and advisory work, I have noticed a consistent gap. Directors are reasonably well-served by corporate cyber guidance and very poorly served by personal privacy guidance. The two are not the same problem. The threats are different. The controls are different. The conversations are different. And the children of board directors, who have not asked for any of this and yet inherit the digital footprint their parents create, are the population whose privacy the existing literature serves worst of all.
The series in one paragraph
Eighteen posts. Three groups. The home — the network you live on, the devices in your kitchen, the photo backups, the financial paperwork. The travel — what changes when you leave the country, what to take, what not to. The work — the public exposure the role creates, the staff who see what you see, the board portals you use. And a fifth strand running through all of it: the children of board directors, who deserve at least four posts of their own and probably more.
The posts are short, practical, and written for someone who has more important things to do than read about digital privacy. I will tell you, in each one, what to do, why it matters, and what to ignore.
Why this is a board-director problem, not a generic one
There are good general guides to digital privacy. The NCSC's individual guidance and Cyber Aware are sensible. The ICO publishes guidance for individuals on data subject rights. These are useful. They do not, however, address the specifics of being a board director.
The specifics are three things. First, the threat surface is larger and more identifiable than for a typical adult. Your name is on Companies House. Your photograph is on the corporate website. Your business email and movement patterns are inferable from public sources. The threat actor who wants to reach you has more starting material to work with than the actor targeting an anonymous adult. Second, the consequences of your accounts being compromised are larger. The supplier who phishes the CFO's personal Gmail is one step from social-engineering the firm's CFO. Third, the people around you — assistant, driver, family, household staff — are part of the security boundary in a way they are not for an anonymous adult.
The everyday consumer privacy guidance does not engage with any of these. This series will.
Why children get four posts
I have run the threat-modelling exercise enough times for senior executives with school-age and adult children to be confident that the children are the under-protected population in the household. Specifically:
- The digital footprint a child accumulates between birth and 18 is largely created by the parent, often before the child has any say.
- Schools and education technology platforms gather a remarkable amount of data on children, much of it lawfully and necessarily, but not all of it competently.
- The platforms where children spend their time — gaming, social, communications — are designed against adversarial threat models the child cannot reasonably evaluate alone.
- The deepfake and AI-image era is changing what "image of a child" means in a way that no existing parent has had to navigate before.
These are big enough subjects to deserve dedicated posts. Four is the minimum. There may be a fifth as the series develops.
The voice you should expect
Practical, not paranoid. Specific, not exhaustive. British, in case that needs saying. I will tell you what to do this month, not write you a textbook. The posts will include some links to authoritative sources where they are genuinely useful — the NCSC, the ICO, the NSPCC for children's matters, the FCDO for travel. Most posts will close with a small practical action — this week, do this one thing — that you can finish in under an hour.
There will be no scary statistics. There will be no "the dark web" paragraphs. I find both genres tiresome and they distract from the work.
What this series is not
It is not a guide to becoming invisible. Most board directors cannot become invisible without giving up the role, and most do not want to. It is a guide to deliberate exposure — to knowing where your digital footprint sits, who can reach it, what the consequences of compromise would be, and how to make a sensible set of choices about each.
It is not a guide to corporate cyber security, which I write about elsewhere. The audience for this series is the director at home in their own kitchen, not the director in the boardroom.
It is not legal advice. For your specific circumstances, particularly anything regarding the public visibility of your family, talk to a lawyer.
The schedule
The posts will appear roughly every two to four weeks for the next two years. Most will be six to eight minutes to read. The series header at the top of each post will say which number you are reading and link back here.
One thing to do this week
If you are about to read post two next month, here is the simplest preparation. Sit down for ten minutes and write a list of every internet-connected device in your home. Phones, laptops, TVs, the Alexa, the Ring camera, the smart thermostat, the smart fridge, the children's tablets, the gaming consoles. The list is usually longer than people expect. Pin it to the fridge. We will use it in post two.
See you in three weeks.