Have you been tracking the UK government’s new proposed Data Protection and Digital Information (No 2) Bill (‘Bill’)? If so, you will know that the Bill proposes replacing the role of the data protection officer established under the GDPR (‘DPO’) with a Senior Responsible Individual (‘SRI’). Is this just a change in terminology, or should organisations start thinking about appointing an SRI in addition to an existing DPO if the Bill becomes law?
In short, the two regimes envisage the DPO and the SRI fulfilling very different roles within an organisation. The GDPR sees the DPO as an independent advisor to senior management, while the Bill proposes that the SRI actually is a member of senior management. This means that it will be tricky for the same person to act as both the DPO and the SRI, as a DPO cannot fulfil other tasks that may cause conflicts of interest, such as making decisions about data processing or other business tasks that conflict with the DPO role. In contrast, the SRI has to be an individual who plays a significant role in the making of decisions about the whole or a substantial part of the organisation.
The key differences between the two roles are set out below:
| | SRI (Bill) | DPO (GDPR) |
|---|---|---|
| When do they need to be appointed? | An SRI must be appointed by an organisation that:<br>(a) is a public body; or<br>(b) carries out processing that is likely to result in a high risk to the rights and freedoms of individuals. | (a) The requirement in relation to public bodies is the same.<br>(b) A DPO must be appointed where the organisation’s core activities consist of (i) processing operations which require regular and systematic monitoring on a large scale; or (ii) processing on a large scale of special category data or criminal convictions and offences data. |
| Who is eligible? | Senior management.<br>(a) In the case of an organisation, the SRI must be part of the organisation’s senior management (i.e. the individuals who play significant roles in the making of decisions about how the organisation’s activities are to be managed or organised).<br>(b) SRIs cannot be appointed externally.<br>(c) Where the performance of a task would result in a conflict of interest, the SRI must secure that the task is performed by another person. | (a) The DPO must report directly to the highest level of senior management (but does not need to be senior management).<br>(b) The DPO may be a member of staff or externally appointed.<br>(c) The organisation must ensure that other tasks performed by the DPO do not result in conflicts of interest. Guidance published by the UK’s Information Commissioner’s Office (‘ICO’) explains that this means the DPO cannot hold a position within the organisation that leads them to determine the purposes and means of the processing of personal data. Further, the DPO should not be expected to manage competing objectives that could result in data protection taking a secondary role to business interests. It is therefore unlikely that the individual could be a member of senior management, as this will lead to conflicts of interest. |
| Position | The organisation must support its SRI in the performance of its tasks, including by providing appropriate resources.<br>The organisation must not dismiss or penalise its SRI for performing their tasks. | Similarly, the organisation must support the DPO and provide resources, and the DPO cannot be dismissed or penalised.<br>Additionally, the organisation must ensure the DPO is involved in all data privacy related matters, and the DPO must not receive instructions regarding the exercise of their tasks. |
| Delegation | If the SRI decides that its tasks should be performed by another person, the organisation must ensure that the person:<br>(a) has appropriate resources to perform the task;<br>(b) is not dismissed or penalised for performing the task; and<br>(c) does not receive instructions from the organisation about the performance of the task (but the person may receive instructions from the SRI). | The organisation must have a single DPO, but the DPO may appoint other data protection specialists as part of its team. |
| Responsibility (controller) | The SRI is responsible for performing the following tasks (or securing that they are performed by another person):<br>(a) monitoring compliance with data protection legislation;<br>(b) ensuring that the controller develops, implements, reviews and updates measures to ensure compliance;<br>(c) advising the controller, any processor engaged by the controller and employees of their obligations;<br>(d) organising training for employees;<br>(e) dealing with complaints and personal data breaches; and<br>(f) co-operating with the ICO. | Tasks (a), (b) and (f) are broadly the same.<br>In addition, the DPO must provide advice on data protection impact assessments.<br>The DPO must have due regard to the risk associated with processing operations. |
| Responsibility (processor) | The SRI is responsible for performing the following tasks (or securing that they are performed by another person):<br>(a) monitoring compliance with Articles 28, 30A and 32; and<br>(b) co-operating with the ICO. | |