The United Kingdom (UK) has recently proposed significant changes to its data protection regime through the introduction of the Data Protection and Digital Information Bill (the Bill). It proposes changes particularly in the realm of data protection officers (DPOs).
The planned abolishment of DPOs and the introduction of the Senior Responsible Individual (SRI) signals a paradigm shift in the regulatory landscape. This article explores the key aspects of these proposed changes and their implications for organisations operating within the UK.
Status quo: designation, position, and tasks of a DPO
Currently, the UK General Data Protection Regulation (UK GDPR) mandates the appointment of a DPO in the following circumstances for private organisations acting as either a controller or a processor:
- They process special categories of data, such as health data or biometric data, on a large scale as part of their core activities.
- They process data relating to criminal convictions and offences on a large scale as part of their core activities.
- They carry out regular and systematic monitoring of individuals on a large scale as part of their core activities.
To illustrate, organisations currently affected by the requirement to appoint a DPO are everything from hospitals, private security companies, insurance companies, telephone or internet service providers, search engines, to organisations conducting data-driven marketing activities, location tracking or monitoring of wellness, fitness and health data via wearable devices.
The position of a DPO may be filled by an employee or by an external third party on the basis of a service contract. Whoever fills the position must act independently, without a conflict of interest, receive sufficient resources and report directly to the highest management level of the organisation. The DPO needs to be appointed on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practices. Lastly, they must be able to fulfil the following tasks:
- to inform and advise the organisation and its employees on data protection;
- to monitor compliance with data protection laws and the policies of the organisation in relation to the protection of personal data;
- to sensitise and train the staff;
- to conduct data protection audits;
- to provide advice where requested as regards the data protection impact assessment (DPIA);
- to monitor the performance of DPIAs;
- to cooperate with the Information Commissioner's Office (ICO), the data protection supervisory authority for the UK;
- to act as the contact point for the ICO;
- to always have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Proposed changes: the new role of the SRIs
The proposed changes seek to replace DPOs entirely with the introduction of Senior Responsible Individuals (SRIs). Under the amended data protection law, organisations will be mandated to appoint an SRI, who must be a part of the senior management. This change aims to clarify that data protection responsibilities ultimately rest with the organisation's management. While this is already the case under the current data protection laws, it is often not clear to everyone.
The new provisions come with several adapted key features:
Requirement to appoint an SRI
Only private organisations which carry out processing of personal data from or in the UK which, considering “the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals”, are mandated to appoint an SRI. In comparison, the current requirement to appoint a DPO covers more organisations.
The reform aims to replace the current term of DPIA with “assessments of high risk processing”. However, those sections of the law which currently clarify when a proposed processing of personal data would require a DPIA are abolished by the reform. There will therefore in future be a lack of clarity regarding when exactly “assessments of high risk processing” will be required and thus when organisations will be mandated to appoint an SRI.
Assuming that high risk processing is likely to mean all processing for which under the current data protection regime a DPIA would be required, organisations will have to appoint an SRI when they e.g. conduct one of the following:
- systematic and extensive profiling with significant effects;
- large scale use of special categories of data;
- systematic monitoring of a publicly accessible area on a large scale.
It is obvious that organisations mandated to conduct a DPIA for their processing of personal data will be mandated to appoint a DPO under current regulations if the activities for which they require a DPIA form part of their “core activities”. It may be assumed that this correlation will continue after the reform, only an SRI will have to be appointed and an assessment of high risk processing conducted instead.
Long story short: Organisations currently mandated to appoint a DPO and/or conduct DPIAs will likely be required to appoint an SRI after the passing of the reform.
Position of the SRI – abolishment of the independency requirement
The proposed changes eliminate the requirement for independent DPOs, mandating organisations to designate an internal member of senior management as the SRI. “Senior management” is defined as the individuals who play significant roles in the making of decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised.
Loosely said, data protection thus becomes a matter for the boss.
This is seemingly in direct contrast to the current requirement for DPOs to be independent and free from conflicts of interest. It does, however, provide an advantage for businesses in the UK, which no longer have to expend resources on an independent DPO and can instead use an existing senior manager.
However, the reform does not allow the position of the SRI to be compromised entirely. Instead, it mandates that where a task of the SRI (see below) would result in a conflict of interest, the SRI must delegate said task to another person. SRIs, while no longer independent, may not be subject to a conflict of interest either.
As with a DPO, the ICO must be informed of who has been designated as the SRI for the organisation, and their contact details must be published publicly. The SRI must be assigned sufficient resources and is protected from penalties or dismissal for performing their tasks.
Tasks of the SRI – when the organisation is controller
In future the tasks of an SRI will differ depending on whether the organisation is acting as a controller or processor. The SRI for a controller must be responsible for at least substantially similar tasks as the DPO (see above), or alternatively, responsible for outsourcing these tasks to another party. Outsourcing of individual tasks is required where there may be a conflict of interest.
Thus, senior management is burdened with data protection tasks, but the practical implications of this have been recognised and the UK legislator has allowed for the delegation of these burdensome tasks.
The reform does specifically grant the SRI for a controller the following new responsibilities, namely:
- dealing with data breaches;
- ensuring that the organisation develops, implements, reviews and updates compliance measures;
- dealing with complaints made to the organisation in connection with the processing of personal data.
These new tasks are significant as the SRI, or whomever the SRI delegates the tasks fully or partially to, now becomes responsible for implementation, rather than acting in a purely advisory capacity as a DPO would. A far more hands-on approach is called for.
Tasks of the SRI – when the organisation is processor
The SRI for a processor is responsible only for the following tasks, or ensuring that these are performed by someone else:
- monitoring compliance with a processor's obligations in terms of data protection law, namely the requirements for a data processing agreement in terms of Art 28 UK GDPR, implementation of technical and organisational measures and keeping records of processing activities;
- cooperating with the ICO;
- acting as a contact point for the ICO.
Considerations for outsourcing SRI tasks
The SRI may not delegate their tasks to just anyone. According to the current version of the Bill, “in deciding whether one or more of their tasks should be performed by another person (whether alone or jointly with others) and, if so, by whom, the senior responsible individual must consider, among other things—
(a) the other person’s professional qualifications and knowledge of the data protection legislation,
(b) the resources likely to be available to the other person to carry out the task, and
(c) whether the other person is involved in day-to-day processing of personal data for the controller or processor and, if so, whether that affects the person’s ability to perform the task.”
Organisations currently using the services of a good external DPO can therefore continue doing so, as the external service provider will already meet the above considerations, offering the required experience, expertise, resources and familiarity with the organisation.
The SRI's organisation also has to ensure that the person to whom the SRI's tasks are delegated has appropriate resources, is not dismissed or penalised for performing the tasks and does not receive instructions on how to perform the tasks. The latter does not imply that the SRI cannot instruct an external DPO to whom it has outsourced its tasks, but rather that any such instruction may not involve a conflict of interest.
Tasks for UK based organisations
Operational changes
Organisations will need to adapt their internal structures to accommodate the new requirements, ensuring that an SRI is appointed and that they have the necessary seniority and resources to fulfil their responsibilities effectively. Alternatively, they must ensure that the SRI can delegate their tasks to an appropriate person, be they internal or external.
If an external service provider for data protection is already in use, they can continue to be tasked with data protection responsibilities. Only the appointment of external DPOs will no longer be possible, as DPOs will no longer be part of the UK data protection regime.
Terminology changes
Organisations will need to update regulatory documents, privacy policies and information letters to reflect the new terminology of the Bill and the appointment of an SRI instead of a DPO.
Practical implications of the reform
The proposed changes to the DPO role signify a notable departure from the previous data protection regime, the reform being aimed at alleviating the data protection compliance burdens on UK based businesses, freeing up their resources by removing the need for a DPO and making things easier for data processors. The established model of DPOs assigned certain tasks regardless of the business model of the organisation for which they are appointed will be abolished. In future, the SRI's tasks will vary depending on the role of the organisation, thus alleviating the data protection burden on organisations acting merely as data processors.
However, the reform eases the compliance burden only on data processors who are subject only to UK data protection laws. In reality, UK based data processors will often be processing personal data from the EU and thus remain subject to the more stringent requirements of the EU GDPR. The UK based data processors will see little benefit from the reform but will also have little to fear from it.
Such organisations need only consider the integration of data protection responsibilities within the senior management team, or their outsourcing, and the updating of their documents. The same may be said of organisations which are already compliant with the UK GDPR.