The development and introduction of new technology has been one of the key drivers for the GDPR and data protection regulations.

New software & technology means large quantities of personal data can be processed, transferred and shared quickly and easily. Artificial Intelligence (AI) and automated profiling allow much greater characterisation and segmentation of individuals and enable better targeting and more informed decision making.

The GDPR helps ensure tech and software organisations respect and protect individuals' data. To achieve compliance, special consideration must be given to defining the purpose the data is used for, understanding and mapping all data flows from the outset, managing data transfers with third parties and across borders, and clearly and transparently defining how the organisation uses individuals’ data.

This page explains what data protection legislation means for software & technology organisations and the key areas they need to consider when managing personal data.


Like all other organisations, software & technology organisations must:

Be transparent in the way they process personal data and accountable for doing so
Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)
Understand the data they have, where it is stored and who has access to it
Implement robust processes and procedures to protect personal data
Allow users, data subjects and staff to:

  • Access the data stored on them
  • Ensure it is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)

Appoint a designated data protection officer if they:

  • Are a public body
  • Process data on a large scale
  • Use the data for profiling or automated decision making



Software & technology organisations must protect personal data in a wide range of their operations. Some major considerations include:

Mapping data flows

  • Clearly defining the purpose that the data is used for
  • Limiting the use solely to the purpose
  • Managing consent
  • Transparently explaining how the data is used to all users
  • Adopting privacy by design principles

Sharing data with others

  • Transfers with 3rd parties
  • Data transfers outside the EU
  • Data processing and data sharing agreements

Handling large quantities of data

  • Appointing a designated DPO
  • Profiling and automated decision making

Data security

  • Maintaining network and server security
  • Data encryption


  • Email systems
  • Staff payroll, pension and HR records
  • Visitors’ book, access and CCTV

Identifying Personally Identifiable Information

  • IP addresses
  • GPS Data
  • Cookies and tracking pixels

Policies and agreements

  • Privacy, retention and data protection policies
  • Staff handbooks
  • Data sharing agreements
  • Data processing agreements
