UK data reform: Data Protection Officers

September 2021

One of the more surprising and thought-provoking proposals in the UK Government’s plans for data regime reform is removing the mandatory requirements surrounding appointing a DPO.

The idea is to replace the DPO with a requirement to designate a suitable individual (or individuals), who would be responsible for a privacy management programme and for overseeing data protection compliance.

Is this a good or risky move?

The consultation accepts there may be potential risks in removing mandatory DPO requirements, if this was seen to significantly weaken internal scrutiny. It points out organisations which undertake high risk processing may still choose to appoint someone who performs a similar role.

Who currently falls under the mandatory requirement?

At present, organisations need to appoint a DPO if they are a public authority or body or if their core activities require large scale, regular and systematic monitoring of individuals or consist of large-scale processing of special categories of data, or data relating to criminal convictions and offences. These requirements apply to both controllers and processors.

Most small businesses not involved in high-risk processing have always been out of scope. However some medium sized organisations have been unsure whether they should appoint a DPO or not. The advice given in the past was ‘if in doubt appoint a DPO’.

What key tasks must a DPO currently perform?

The DPO role currently has a formal set of accountabilities and duties, laid down within the GDPR. Let’s look at how these could be affected under the new proposal.

  1. Duty to inform and advise the organisation and its employees about their obligations under UK GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations. It’s questionable if a ‘designated individual’ without the obligations to stay close to these laws and guidance would remain so well informed about significant developments which may affect processing and if they would feel empowered to speak up when changes are needed.
  2. Duty to monitor the organisation’s compliance with the UK GDPR and other data protection laws. This includes ensuring suitable data protection polices are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews & audits and raising awareness of data protection issues & concerns so they can be tackled effectively. It appears the Government doesn’t want to formalise these responsibilities.. Some feel this could that lead to a reduction in awareness and understanding of data protection across businesses and potentially a slipping back in data protection standards across the wider business.
  3. Duty to advise on data protection impact assessments (DPIAs). The proposals also include scrapping the mandatory requirement to conduct DPIAs. Risk assessments for data will continue to important, but they would not need to be formalised like a DPIA is now. Instead, organisations will enjoy greater flexibility around their approach to assessments.
  4. Reporting directly to the highest level of management. So who will the designated individual report too? Could they become siloed within a specialist function (such as IT or Marketing) leading to a change of focus? Current law and guidance highlighted potential conflicts of interests between operating within a specialist function and the impartiality required to perform DPO tasks (Article 39). Is there a risk the level of oversight of data protection matters by the Board could be diminished?
  5. Autonomy. Under the GDPR, a DPO must not receive any instructions regarding the exercise of his/her duties: therefore they currently need a high degree of autonomy. The GDPR also states a DPO cannot be dismissed or penalised for performing his or her duties. It looks likely autonomy will reduce under these proposals.
  6. Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO. It seems logical the designated individual would continue to fulfil these roles, but would it be mandatory?

What do people think?

We’ve gathered the views of some key people on whether the DPO role should be scrapped or not:

“The role of the DPO is an essential part of ensuring compliance and the UK GDPR is clear that a DPO is only a mandatory requirement in certain circumstances, particularly where the processing of personal data involves large scale processing of sensitive data. To remove this requirement weakens accountability. It creates even more uncertainty than there is now. To suggest that the need for a DPO is a burden on SMEs is red herring as most SMEs do not have to have a DPO.”
Robert Bond – Senior Counsel, Bristows Law Firm

“The proposals are not a massive change on the substance and practice of the DPO role. Changes might come to the employment protections the DPO currently enjoys, but in managing the privacy programme, many of the activities that the DPO completes in Art. 39 (Tasks of the DPO) will be broadly the same. Where things might differ is the requirements in Art. 37 (Designation of the DPO) and 38 (Position of the DPO), particularly when it comes to resources, instructions and independence. I am not convinced these were all implemented to the letter of the law already, but they might not be explicit requirements.

I think the biggest impact will be DPO as a service. But for the in-house DPO, they will take on the management of the privacy programme and the world will keep turning.”
Stephen McCartney – Data Protection Officer, Simply Business

“We welcome the consultation to ensure legislation surrounding data protection continues to be appropriate. An area being considered is no longer requiring a mandatory Data Protection Officer to be in role. For us having a dedicated individual at a suitable level helps with overall ownership and accountability. Although we are not at the size to have a dedicated DPO in place, having someone who as part of their role can lead the development and oversight is important and I worry there could be a lack of consistency applied across firms with how they apply the ‘suitable individual’ and would they be at the required seniority in the business or have the ability to influence required changes to systems and controls.”
David Mollison – Chief Risk Officer, Monmouthshire Building Society

“I’m highly sceptical about the government’s proposals. Simplification is a laudable ambition, but removing the mandatory requirement to appoint a DPO risks removing the clear accountability that the role is intended to provide – and which is an essential foundation for data protection. The government says some organisations, particularly smaller ones, “may struggle to appoint an individual with the requisite skills who is sufficiently independent.” It’s unclear how the proposal to designate “a suitable individual” helps solve this problem and avoids weakening internal scrutiny, which the government itself highlights as a risk.”
Martin Turner, Managing Director, Full Frame Technology

Thanks to the contributors above.  It’s going to fascinating to see how the proposals progress – especially with Nadine Dorries now at the helm of the DCMS and a new John Edwards all set to become the new Information Commissioner.

It all makes me think of another quote – ‘May you live in interesting times!’.