In today’s rapidly evolving digital landscape, directors face an increasingly complex set of responsibilities. The core principles governing directors’ duties are set out in case-law but the practical application of these duties is being reshaped by emerging technologies, heightened cybersecurity threats, and rising regulatory expectations. The recent Appellate Division decision in Goh Jin Hian v Inter-Pacific Petroleum Pte Ltd (in liquidation) [2025] SGHC(A) 7 (“Goh Jin Hian”) provides timely clarification on the standard of care required of directors, particularly the extent to which they must understand and supervise the affairs of the company. Against this backdrop, issues such as data protection obligations and the governance of artificial intelligence (“AI”) introduce new dimensions to oversight and risk management. This article explores how the principles reaffirmed in Goh Jin Hian apply in the modern digital age, and how directors can meaningfully discharge their duties in a modern environment shaped by digital developments.
Scope of director’s duties
As stated above, Goh Jin Hian clarifies the scope of duties owed by a director. In that case, the liquidators of a bunkering and cargo trading company sued a director (“Dr Goh”) for breaches of director’s duties. It was alleged that certain sham transactions relating to drawdowns on fictitious cargo sales could have been avoided if Dr Goh had discharged his duties.
Crucially, the Appellate Division of the High Court reaffirmed the principle that all directors, regardless of whether they are engaged in an executive or non-executive capacity, are subject to a minimum standard of care which entails the obligation to take reasonable steps to place oneself in a position to guide and monitor the management of the company. However, it is not part of a director’s duty of supervision and oversight to pick up fraud unless there are tell-tale warning signs. A director is a “sentinel” but is not expected to be a “forensic investigator or a sleuth, unless there are signs that would put him on inquiry”, as per Goh Jin Hian.
On the facts, the Appellate Division upheld the High Court’s finding that Dr Goh had breached his duty of care. Among other things, Dr Goh was ignorant of the company’s cargo trading business but there were no red flags which could have alerted him to the fraud being perpetrated on the company. The Appellate Division also overturned the High Court’s finding that Dr Goh’s breach had caused the company to incur the losses resulting from the sham drawdowns from banking facilities.
A question arises as to how the standard applies to a director in this ever-changing world of data privacy and AI. Indeed, a common query a director has is “How much do I need to know regarding data privacy and AI, and when have I done enough?”
Data protection
Data protection is a critical governance issue in the digital age, and directors must ensure that their companies comply with the Personal Data Protection Act (“PDPA”). In line with a director’s duty to exercise reasonable care, skill and diligence, boards should ensure that the company has implemented appropriate data governance structures. This could include the following:
- Appointment of a Data Protection Officer.
- Development and implementation of internal protocol and practices including data protection policies, reasonable security arrangements and a cyber incident response plan.
- Regular simulations of a cyber incident response plan with the Incident Response Team – this is especially important given the proliferation of cyber-attacks including ransomware threats.
- Conducting compliance and awareness training sessions on data protection and data breach risks for employees.
- Conducting periodic reviews of internal protocol.
- Understanding of data breach notification obligations.
Depending on one’s industry, directors are encouraged to refer to best practice guidelines, including the Technology Risk Management Guidelines and Guidelines on Outsourcing (Financial Institutions other than Banks) by the Monetary Authority of Singapore, when structuring their internal policies and procedures.
With the increased incidence of cyber-attacks, Boards may consider the benefit of purchasing cyber insurance as part of their risk management strategy. In so doing, directors would avail their companies of their cyber insurer’s network of incident response management providers, including breach coaches like Kennedys.
Navigating new waters: artificial intelligence
Beyond data privacy, directors must also pay close attention to the ever-evolving challenges posed by AI. As companies increasingly adopt AI across their operations, directors must recognise that AI is not merely a technical tool but a governance and risk-management issue. In the same way that Goh Jin Hian emphasises a director’s obligation to place themselves in a position to guide and monitor the company as a “sentinel”, directors must ensure they have a sufficient understanding of how AI is used within the business. This does not require technical expertise, but it does require taking reasonable steps to familiarise themselves with the risks, limitations and impact of AI systems.
In Singapore, while there is no dedicated AI legislation, there is regulatory guidance that provides a practical framework for responsible AI governance. The PDPA remains the primary legal touchpoint, especially for AI systems that involve personal data. In addition, there is non-binding guidance such as Singapore’s Model AI Governance Framework (which included generative AI in 2024) together with Singapore’s AI Verify testing framework, which allows organisations to test for qualities including fairness, robustness, and explainability against internationally recognised principles.
Beyond Singapore, global regulatory developments are rapidly shaping compliance expectations. The EU AI Act introduces a comprehensive risk-based regime, imposing strict obligations for high-risk and general-purpose AI systems. China has also rolled out significant requirements on algorithmic transparency, content moderation and generative AI governance. It would be useful for directors, especially those involved in global businesses, to keep abreast of these changes. Directors must also be alert to ethical and reputational risks arising from AI. Algorithmic bias, discriminatory outcomes, a lack of transparency or explainability, and misuse of personal or copyrighted data can all undermine trust and cause harm.
Conclusion
Against this backdrop, directors may have to take a more active role in ensuring that the company adopts practical governance measures proportionate to the impact of the AI systems being deployed. This may include establishing board or management-level oversight committees, conducting AI risk assessments, and performing vendor due diligence. Crucially, if a company requires expert knowledge in its assessment of the company’s use of AI, the relevant experts should be appointed. It is also important for directors to document the steps that they have taken in assessing AI governance systems and create a record of what has been discussed at the Board level. This would go a long way in protecting directors and proving that they have complied with their fiduciary duties.
Ultimately, as AI becomes more integral to businesses, what is required for a director to fulfil his duties as a “sentinel” will continue to evolve. It is the directors who proactively navigate this landscape who will be able to adequately discharge their duties to mitigate legal and operational risks to the company. This will in turn help position the company to harness the benefits of AI in a manner consistent with their fiduciary obligations.