DPDI Bill: DPO vs Senior Responsible Individual

What could the UK DPDI Bill mean for data protection roles in your organisation

It’s been confirmed the Data Protection and Digital Information Bill will not be enacted before the UK General Election on 4th July. It remains to be seen if this is resurrected under a new Government, in a similar or amended form, or is completely dead.

One of the key proposed changes was to amend UK GDPR to remove the requirement for the role of the Data Protection Officer. Instead, where public bodies and commercial businesses meet certain criteria, they would be required to appoint a Senior Responsible Individual (SRI).

I’ve taken a close look at the proposed SRI requirements, compared these with the current DPO role and assessed the options for how this change might play out in practice.

My observations are based on what we know to date, so these findings have the potential to change before agreement on a final text.

It’s worth stressing that, just because the DPDI Bill as planned does not include a requirement to appoint a DPO, this doesn’t mean an organisation can’t have one. In fact, many UK-based organisations operating in the EU which have already appointed a DPO may need to retain this position to comply with EU GDPR.

When to appoint an SRI

Currently a DPO must be appointed by public bodies and by other organisations (both controllers and processors) whose core activities involve large-scale and systematic monitoring of individuals, or large-scale processing of special category data or data relating to criminal convictions and offences. The DPO must report to the highest level of management.

(There is a distinction under existing legislation for courts acting in their judicial capacity. This is also covered in the DPDI Bill, but not a focus in this article.)

The proposed change is a requirement to designate an SRI where the organisation (either controller or processor):

  • is a public body, or
  • carries out processing of personal data likely to result in a high risk to the rights and freedoms of individuals.

The SRI would need to be part of the organisation’s senior management. If two or more individuals are employed part-time and share a single role within the organisation’s senior management, they would be able to act jointly as the SRI.

Also, in a similar way to the current DPO obligations, the controller or processor would have to make sure contact details for the SRI are publicly available and provide these details to the Information Commissioner’s Office (ICO).

What constitutes ‘high risk’?

Organisations would need to take account of the ‘nature, scope, context and purposes of the processing of personal data’ in assessing whether their activities are ‘high risk’ and they therefore fall under the SRI requirement. So, rather than the current focus on whether the processing of personal data is ‘large-scale’, the focus would shift to whether that processing is ‘high risk’ to the rights and freedoms of individuals.

The ICO will be under an obligation to produce and publish a document containing examples of the types of processing which would be considered likely to result in a ‘high risk’ to the rights and freedoms of individuals.

What constitutes ‘senior management’?

It’s stated the term ‘senior management’ means individuals with ‘significant roles in making decisions about how the whole, or a substantial part of the organisation’s activities are managed or organised.’

Currently there is a requirement for DPOs to be ‘designated based on professional qualities and in particular, expert knowledge of data protection law and practices’.

It is not specifically mentioned in the Bill that the SRI needs specialist knowledge.

SRI tasks

The Bill splits the tasks of the SRI between a controller and a processor. In our experience, many organisations which act primarily as processors will also be controllers, even if solely for their employee data, so they will need to consider all SRI tasks. It’s clear the SRI can make sure these tasks are carried out by another person, i.e. they can delegate their responsibilities in part or in full.

The table below sets out the tasks of the SRI for a controller, and how these compare with the current tasks of a DPO. This is based on the DPDI Bill as amended by the House of Lords’ Grand Committee and the text of Article 39, UK GDPR.

SRI tasks for a controller

[Image in the original article: a table comparing the tasks of an SRI (Senior Responsible Individual) for a controller with the current tasks of a DPO (Data Protection Officer); the table contents are not reproduced here.]

SRI tasks for a processor

The SRI appointed by a processor would be expected to fulfil at least the following tasks (again, these tasks could be delegated):

(a) Monitoring compliance with a processor’s obligations to:
– Make sure contractual terms are in place with Controllers meeting required standards (e.g. Article 28)
– Maintain ‘records of high-risk processing of personal data’, where relevant. Note the existing requirements relating to Records of Processing Activities would change, which we’ve written about in our DPDI Bill Summary.
– Implement appropriate measures, including technical and organisational measures to protect personal data.

(b) Co-operating with the Commissioner on behalf of the organisation.

(c) Acting as contact point for the Commissioner on issues relating to the processing of personal data.

(The above is not the precise text from the Bill, which refers to three specific articles (28, 30A and 32); we’ve explained these in more detail.)

Can data protection services still be outsourced?

Currently a DPO ‘may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract’. This means organisations can utilise outsourced DPO services.

It isn’t specifically stated in the Bill that outsourcing of data protection tasks or services is not permitted, so we would anticipate this approach should be acceptable.

SRI and conflict of interests

Currently DPOs ‘should be in a position to perform their duties and tasks in an independent manner.’

As the SRI will be a member of the senior management team, this raises the risk of conflicts of interests. The Bill says where the performance of one or more SRI tasks would result in a conflict of interests, the SRI must make sure the task is carried out by another person. This can be alone or jointly with others. In assigning tasks to others, it will be necessary to take into consideration:

  • the other person’s professional qualifications and knowledge of the data protection legislation;
  • the resources available to the other person to carry out the task; and
  • whether the person is involved in the day-to-day processing of personal data for the controller or processor – and if so whether this affects the person’s ability to perform the task.

Position of the SRI

Currently there’s a requirement to make sure:

  • the DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data;
  • the DPO is supported in performing their tasks, by being provided with the resources necessary and the ability to maintain expert knowledge;
  • the DPO is not dismissed or penalised for performing their tasks;
  • data subjects can contact the DPO with regard to all issues relating to the processing of personal data and to exercise their rights;
  • the DPO is bound by secrecy or confidentiality concerning the performance of their tasks; and
  • where the DPO fulfils other tasks or duties, the organisation makes sure these do not result in a conflict of interests.

Under proposed changes, organisations will have an obligation to:

1) support the SRI in the performance of their tasks, including providing the individual with appropriate resources; and
2) not dismiss or penalise its SRI for performing their SRI tasks.

Where the SRI decides one or more of their tasks should be performed by another person, the organisation must make sure that individual has appropriate resources, is not dismissed or penalised for performing the task and does not receive instructions about the performance of the task. This doesn’t stop the SRI giving instructions, unless this would involve a conflict of interests.

How to apply changes in practice

Here are some potential options depending on what roles you have in place now, but not an exhaustive list.

Currently have in-house DPO

If you currently have a nominated DPO and you assess your processing activities to be ‘high risk’, thereby falling within scope to assign an SRI, here are some potential options:

a) Make your DPO a member of senior management and assign them as your SRI.

b) Assign the individual your DPO currently reports to as your SRI. The SRI could then delegate some or all of their tasks to your DPO. You could keep the title DPO or change it to something else.

c) Assign another individual from your senior management team to be the SRI, who could delegate all or some of their responsibilities to the current DPO.

d) Remove the DPO position and assign an SRI. The SRI could fulfil all tasks, delegate some or all tasks, and would have to delegate a task / tasks where there was assessed to be a conflict of interests.

Clearly d) wouldn’t be an option if you need to retain the role of a DPO to meet EU GDPR requirements.

Currently have external ‘outsourced’ DPO

It looks like you’ll be able to assign an SRI internally, who could outsource their tasks to your current external DPO.
Remember the SRI’s details would need to be publicly available and provided to the ICO.

Currently don’t have DPO

You’ll need to assess whether your processing activities constitute ‘high risk’ and if so assign an SRI.

What next?

The DPDI Bill finished the House of Lords’ Grand Committee Stage at the beginning of May and the Report stage is set for mid-June. Then there will be a Third Reading, after which it could gain Royal Assent before the Parliamentary Summer Recess in July. This would be where the King formally agrees to make the Bill an Act of Parliament i.e. the law.

If this happens, it’s likely some changes may take immediate effect, while there will be a transition period for others. Check out other key proposed changes in our DPDI Bill Summary.