The UK Government introduced to Parliament the Data Protection and Digital Information Bill on 18 July 2022. The Bill is the UK’s first attempt toward data protection reform since Brexit. As covered in our previous article, the Bill proposes various changes, including to the handling of data subject requests, the definition of personal data, and the future of legitimate interest assessments. It is important to note that the Bill is still going through the legislative journey with further readings expected, the next being 5th September 2022. As such, there is an expectation that additional information will become available regarding the legislative changes so please watch out for future issues from us.
The Bill has also introduced some changes that will see things being removed from current requirements. In this article, we will focus on the Bill's approach to removing the requirement for a Data Protection Officer ("DPO") and replacing the position with a Senior Responsible Individual ("SRI"), highlighting the changes and key considerations for your organisation.
Need for a DPO
Within the existing legislative framework, organisations need to appoint a DPO if one of the following applies:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
Within the new framework proposed within the Bill, clause 14 introduces a new Article 27A(1) to the UK GDPR, which sets out the requirements for appointing a SRI. It states that a SRI ought to be appointed where the organisation:
- Is a public body, or
- Carries out processing of personal data which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, other than a court or tribunal acting in its judicial capacity.
What does this mean? What is different? In short, there is no real difference between the requirements of appointing a SRI to that of a DPO. The only caveat is the necessity to consider the risks of processing the data subject(s) personal data. However, most organisations already understand the need to consider the risks of processing personal data; this is not new. On the face of it, there appears to be little difference between the necessity to appoint a SRI and the DPO.
Expertise and Knowledge
The UK GDPR states that "the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39." While the DPO need not be a qualified lawyer, given some of the complexities of the data protection legislation, understanding the law and having the expertise to propose and implement practical solutions for the organisation is essential.
However, the Bill omits a similar requirement, i.e. the SRI does not need to have any particular qualification, experience, or data protection knowledge, thus giving organisations the freedom to appoint whoever they deem appropriate to the SRI position. This change does seem somewhat surprising given the importance of data protection compliance and the potential risks.
The SRI does have the ability to delegate the tasks of the SRI to another person and in such cases there is a need to consider the other person's professional qualifications and knowledge of the data protection law. This approach perhaps presumes that in most cases the SRI will routinely delegate tasks as opposed to fulfilling the role themselves, either because they do not have the experience or the time. Arguably, this is no different to the current situation where the Board is ultimately responsible for compliance yet discharging the duties and overseeing compliance is routinely delegated to someone else, with the relevant expertise and bandwidth to discharge the duties.
An essential feature of the DPO's position is the need to discharge their responsibilities independently. Nothing has changed for the SRI; the Bill expects the SRI to carry out their tasks independently, as prescribed. While the SRI can be an existing senior staff member, they must ensure their position is not in conflict with the tasks of the SRI. The SRI's tasks are set out as follows:
- monitoring compliance by the controller with the data protection legislation;
- ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with the data protection legislation;
- informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation;
- organising training for employees of the controller who carry out processing of personal data;
- dealing with complaints made to the controller in connection with the processing of personal data;
- dealing with personal data breaches;
- co-operating with the Commissioner on behalf of the controller;
- acting as the contact point for the Commissioner on issues relating to processing of personal data.
If, for any reason, there is a conflict of interest, then the SRI must delegate the tasks to a suitably qualified person. The SRI tasks, as set out in the Bill, are broadly similar to the tasks of the DPO within the UK GDPR. However, the Bill does not diminish the importance of impartial and independent data protection advice. Therefore, simply appointing a senior management member may require some thought and evaluation to ensure there is no conflict of interest in assuming the SRI role. The expectations of the SRI within the Bill are broadly similar to those of the DPO. As such, those organisations with existing DPOs or DPO-as-a-service arrangements may have already assessed any conflict of interest risks.
While the Bill proposes a range of changes, including removing the DPO position, what is the real practical difference? In short, not much! One of the key differences we noted is the necessity for the SRI to form part of the organisation's senior management instead of the DPO simply having to report to the highest level of management. The Bill defines senior management to ensure this is clear.
Otherwise, the tasks and necessity to have a SRI are broadly similar to the status quo in terms of when a DPO is required and the tasks of a DPO. Given the risks associated with non-compliance, organisations still require skill, experience and independent support when it comes to data protection compliance. Where the SRI does not have the experience or the time to execute the role, it is highly likely the organisation will continue to nominate another staff member or third party to manage and execute the day-to-day compliance tasks. Therefore, in our view, the jobs of current DPOs are not immediately under threat; it may be that just the job title will change. What the Bill does do, however, is continue to highlight the importance of data protection compliance by designating that a senior figure ought to discharge (or ensure another party discharges) the tasks set out in the Data Protection legislative framework, keeping compliance very much a Board level issue.