1

This is prompted by this question but that is rather complicated by the technical details. Suppose the following hypothetical:

Alice is a software developer for Bob Inc. perhaps as a normal employee, perhaps as a freelance contractor. She is tasked with developing an application that is clearly not GDPR compliant. She has raised the issue with her management and she has been assured that it is not her problem and she should just develop what she has been asked to.

What are Alice's responsibilities in this situation?

phoog
  • 42,299
  • 5
  • 91
  • 143
User65535
  • 10,342
  • 5
  • 40
  • 88

2 Answers2

2

It's worth saying that there is no such thing as software which isn't GDPR compliant.

Rather, it is certain forms of data collection, storage, and processing that aren't compliant.

It is the organisation who process the data who are responsible for compliance with data protection laws, not the developer of any software that organisation uses as part of their processing.

Obviously, Alice may have responsibilities, either as someone also responsible for data protection compliance at the relevant organisation, or as a contractor or senior employee who is expected to understand what is required for compliance and to design the software in an appropriate way.

But if Alice has raised the concerns and has been directed to work in a particular way inconsistent with her recommendations or warnings, then any professional liability is likely discharged.

What may remain is some kind of criminal liability, if it would be obvious to Alice that the software could only have a criminal application. This might apply if she is writing special malware to exfiltrate data for example.

But there would likely be a high bar, and if the criminality would only be contingent on further action by the employer or client, then it is unlikely Alice would be caught up.

Alice could also make a report to a relevant authority, such as the police or the information commissioner, or seek advice from them. If there were a criminal allegation later, the fact of having made such contact would almost certainly absolve Alice.

Steve
  • 3,383
  • 9
  • 17
1

As a contractor since Alice is neither the Data Controller or Data Processor her responsibilities are nil here. Assuming she's raised her concerns regarding this in writing she probably wants to keep a handy copy so the company can't try and engage in a bit of historical revisionism later, and say that they asked her to make it GDPR compliant and she went rogue. Although even in that scenario she wouldn't be directly culpable for the GDPR violations, it would still be the company, they might sue to recoup losses though.

As an employee it's much the same - it's still the company that's the controller, not the individual employee, and in this scenario negative outcomes are limited to getting fired.

motosubatsu
  • 4,845
  • 20
  • 28