The UK government introduced the new Data Protection and Digital Information Bill in July 2022, which includes a widely debated change: the removal of the Data Protection Officer (DPO) requirement. Despite much opposition, the removal is retained in the new version of the bill which was sent to parliament in March 2023. The government justifies this by stating that the appointment of a Senior Responsible Individual (SRI) will ensure data protection is established at a high level, fostering a company-wide culture of data protection. Most of the DPO’s tasks will become the ultimate responsibility of the SRI as part of the privacy management programme.
Organisations should note that this change will only affect processing activities involving the personal data of UK residents. International laws, such as GDPR, will still apply when processing personal data of individuals from other countries, and most of these laws require the appointment of DPOs.
In some countries, like China, the Personal Information Protection Officer is held ultimately responsible and can face criminal liability for failures in the organisation’s data protection regimen. The UK’s Data Protection and Digital Information Bill does not go to such extremes, but it still holds the SRI directly accountable, stating clearly that they ‘must be responsible’ for implementing the organisation’s privacy management programme, with specific responsibilities listed depending on whether the organisation is a controller or processor.
Responsibilities of the Senior Responsible Individual
The Senior Responsible Individual must be a member of the organisation’s senior management, indicating board/director level, and their tasks will include monitoring compliance with data protection legislation, handling data breaches, and organising employee training; these are broadly similar to the tasks outlined in UK GDPR Article 39. The SRI will be in a position to directly initiate and implement a privacy management programme, and any failures or breaches can be traced back to their actions or inactions. The bill distinguishes between the responsibilities of an SRI in a controller and one in a processor.
Controller SRIs are required to monitor and develop compliance with data protection law, organise training, deal with complaints and data breaches, and act as a liaison with the Information Commissioner, once again broadly the same as the duties outlined in Article 39 of UK GDPR. On the other hand, the SRI in a processor organisation is required to ensure compliance with Articles 28, 30A and 32 specifically, and act as a liaison with the Information Commissioner.
Given that even organisations whose core operations are as a data processor still act as a controller for certain data (such as their human resources data), it is doubtful that the distinction will be of significant effect in practice. In both cases, the Senior Responsible Individual’s contact details must be made publicly available and sent to the Information Commissioner’s Office, making them the public face of the organisation’s compliance or lack thereof. That could potentially have significant consequences for them. Section 198 of the Data Protection Act makes officers acting as managers or directors personally liable if their company commits an offence under the Act, which includes unlawfully obtaining and selling data, amongst others. This personal liability extends to the SRI in cases where their actions constitute a crime.
Apart from the risk of legal sanction, the SRI’s professional reputation would arguably be tied to the success or failure of the company’s privacy management programme. This situation could be compared to that of a Chief Financial Officer, where fraud or other serious breaches of financial policy would be seen as their personal responsibility within and outside the organisation, with serious implications for their careers that may be even more impactful than receiving a fine.
Perhaps in recognition of the onerous burden SRIs would have to bear, the bill also allows the SRI to outsource their duties for any reason insofar as they oversee the performance of the specified functions. Outsourcing is made mandatory where the performance of their tasks would result in a conflict of interest. Such outsourcing may be to another individual within or outside their organisation or a corporate body. In either case, the bill requires the SRI to evaluate the qualifications and resources available to the third party, as well as their ability to act independently.
Choices Open to Organisations
Organisations and SRIs will have three options if the bill is passed in its current form.
First, they can train a member of the management team to manage the organisation’s data protection functions as the designated SRI. This is unlikely to be practical for many organisations because, typically, the officers at management level are highly specialised and their productivity would be best applied to their specific portfolios.
Second, they can either appoint a data protection expert to the board or promote their current data protection officer (some organisations already use the Chief Privacy Officer designation). That person would then be able to discharge the data protection functions based on their expertise on the subject.
Last, organisations may appoint a current executive to act in the role with the understanding that they would be delegating data protection tasks to suitably qualified staff or external consultants. The consultants can be individuals or corporate bodies, as the law merely specifies that the functions can be outsourced to a ‘person’, a term which covers natural persons and incorporated companies with corporate personality. Such executives could undergo short training courses designed to give them the baseline understanding of data protection required to oversee the development and implementation of a privacy management programme.
Organisations can also use the Act to develop their board or senior team in a way that embraces data. For example, an NHS Trust board might appoint a Non-Executive Director responsible for data compliance, data governance, and data value, creating a new executive role called the Chief Data Officer. This approach focuses on proactively managing data rather than adhering to traditional “protection” and “compliance” perspectives, thereby adding value to the organisation’s objectives.
Seeking Assistance and Training
Organisations concerned about these changes can opt for outsourced Data Protection Officer or Senior Responsible Individual services from DPAS, where we would liaise with the designated executive to deliver a privacy management programme that would satisfy all regulatory requirements. Our goal would be to make sure that the interests of the organisation, the SRI and the data subjects whose personal data the organisation processes will be well secured.
We would also provide training to the SRI as well as other staff of the organisation, to facilitate a culture of compliance that will minimise risk and maximise operational efficiency.
Organisations wanting to find out more about available assistance can contact relevant support services, attend upcoming training sessions, and stay informed about the latest developments in data protection legislation.
If you want to find out more about how we can help you, please get in touch today.