I work for a company that doesn't take privacy laws very seriously. As far as I can tell, they're woefully unprepared for GDPR and don't seem to care very much.

My tasks mainly consist of software development and maintenance, with some degree of systems administration, data analysis, and reporting. I regularly come into contact with user data (including plain-text passwords).

Am I in any way personally at risk?

To what degree is "I was just doing what I was told" a valid defense (nothing is in writing though)?

If I quit my job before GDPR applies, do I escape any such liability from that employment?

  • Employees are not usually held liable for the decisions of their employers, but I don't know how that works in Belgian law.
    – phoog
    Commented Feb 17, 2018 at 15:43
  • Are you or is the firm considered a data processor and/or data controller? Also, for what reason are you coming into contact with user data?
    – A.fm.
    Commented Feb 18, 2018 at 3:53
  • @A.fm.: I'm pretty sure that the company would be considered a data controller. I might be considered a data processor. I come into contact with individual user data when investigating bug or abuse reports, and with aggregate user data when doing reporting tasks (figure out how many users fit various profiles, provide contact info for users that fit a particular profile, ...). I also occasionally build (parts of) integration systems intended to allow third parties to acquire user data.
    Commented Feb 18, 2018 at 18:52
  • Hi @anonymouscoward, yeah, it sounds like it, though I am not an authoritative source on the determination of such facts. Check the content at the links I included in my answer. Also, the UK's guidance for data privacy officers provides probably the best explanations and examples I've come across on this topic.
    – A.fm.
    Commented Feb 18, 2018 at 18:56

1 Answer

Not legal advice - you should consult an attorney who knows your local jurisdiction. That's a general statement, but especially true here because the GDPR does not include personal liability for directors (or others) in the event of a data breach, but domestic laws may indeed do just that. The UK is one example where certain circumstances can lead to criminal liability for directors of a firm in the event of a breach.

That said, your company should care. The fines for knowingly allowing a breach or not reporting it properly in a timely manner have been made more significant than the prior Directive. There are things you could do to potentially mitigate consequences in the event of a breach and a fine being levied on the company, such as aligning with best practices and getting certifications.

In sum, the actual punishments for noncompliance will vary by jurisdiction, but any business that handles data in the EU should undoubtedly be ensuring it is aware of what, if any, obligations it has and taking steps to comply before May's deadline.
