
I work for a company that doesn't take privacy laws very seriously. As far as I can tell, they're woefully unprepared for GDPR and don't seem to care very much.

My tasks mainly consist of software development and maintenance, with some degree of systems administration, data analysis, and reporting. I regularly come into contact with user data (including plain-text passwords).

Am I in any way personally at risk?

To what degree is "I was just doing what I was told" a valid defense (nothing is in writing though)?

If I quit my job before GDPR applies, do I escape any such liability from that employment?

1 Answer


Not legal advice - you should consult an attorney who knows your local jurisdiction. That's a general statement, but especially true here because the GDPR does not include personal liability for directors (or others) in the event of a data breach, but domestic laws may indeed do just that. The UK is one example where certain circumstances can lead to criminal liability for directors of a firm in the event of a breach.

That said, your company should care. The fines for knowingly allowing a breach or not reporting it properly in a timely manner have been made more significant than under the prior Directive. There are things you could do to potentially mitigate consequences in the event of a breach and a fine being levied on the company, such as aligning with best practices and getting certifications.

In sum, the actual punishments for noncompliance will vary by jurisdiction, but any business that handles data in the EU should undoubtedly be ensuring it is aware of what, if any, obligations it has and taking steps to comply before May's deadline.

A.fm.