We now have a first draft of the ‘Data Protection and Digital Information Bill’ which, as I’ve mentioned before, is likely to be a confused tampering with UK GDPR to the detriment of all – Data Subjects and Data Controllers alike.
One of the key elements (which I didn’t mention in my last post) is the removal of the elements of a ‘Data Protection Officer’ (DPO) from the UK GDPR and the replacement with the ‘Senior Responsible Individual’ (SRI).
Let’s start by seeing specifically what has been proposed.
Designation of an SRI (Clause 14):
You will only be required to appoint an SRI if you are a public body or if you are processing data that could result in a high risk to the rights and freedoms of individuals. (So monitoring of a publicly accessible place is out.)
The person who will be the SRI –
- Must be part of the organisation’s senior management
- Can be shared amongst 2 or more people (job share)
The Controller also has to publish the contact details of the SRI and register those details with the ICO.
My thoughts:
Does this scale down the number of organisations with a ‘mandatory’ DPO? Yes it does. Does this also change the nature of a DPO? Yes it does. Before, the DPO just had to ‘report to’ Senior Management; now the DPO has to be part of Senior Management. If they are part of Senior Management, how are they meant to give free and frank advice to their organisation? Some say that Heads of Legal, Risk, Compliance, Monitoring Officers etc. do that today. And to that I say phooey. We all know the job of all those roles is to protect the behind of the organisation, not to balance the rights and freedoms of individuals vs the interests of the Data Controller/organisation. I’ve seen it time and time again, far too often for it to be an exception to the rule – the rule itself is that those senior roles work for the organisation’s power, not to speak truth to power.
Senior responsible individual’s tasks:
On the whole the tasks of the SRI are very similar to those of the DPO. It’s worth noting that this provision does explicitly allow for a task to be completed by another person.
Those tasks include –
- monitoring compliance by the controller with the data protection legislation;
- ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with the data protection legislation;
- informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation;
- organising training for employees of the controller who carry out processing of personal data;
- dealing with complaints made to the controller in connection with the processing of personal data;
- dealing with personal data breaches;
- co-operating with the Commissioner on behalf of the controller;
- acting as the contact point for the Commissioner on issues relating to processing of personal data.
Paragraph 3 then outlines the duties of a DPO for a Processor (a reduced set: a), g) and h)).
Paragraph 4 says where a conflict of interest should arise for a specific task this should be carried out by someone else (seems reasonable).
Paragraph 6 then gives details as to who this other person should be. It then lists the things you should consider when determining this person, including what qualifications they have, the resources they have, what their role is and how that affects their ability to do that task.
My thoughts:
This reads like a job description for any DPO you see today. Training, monitoring compliance, breach handling etc. Does this formally change the role of a DPO? Yes. But is there anything in there that a DPO doesn’t do today? Not really, no.
Can I therefore say that this is a watering down of the DPO’s tasks and duties? No. The sections allowing others to do tasks are useful, especially for those organisations where we know today those tasks are shared amongst IG teams and others.
The question is, does the SRI/DPO have the suitable support for its position in law to make these tasks worthwhile…
Senior responsible individual’s position:
So this section does replicate what is in the GDPR today. For example it states that the Controller/Processor must support the SRI and cannot dismiss them for doing their job. This is edited to take into account the above ‘additional individuals’ who can perform the SRI’s tasks.
It also appears that you cannot outsource your DPO/SRI (or even their tasks). The provisions talk about ‘designating a person’ as the SRI but the wording assumes the person is within your organisation. When it comes to appointing tasks to another, again the wording is written for the person ‘or persons’ to be internal. It does not explicitly state that, but is written in that language.
My thoughts:
Does this therefore water down the independence of the DPO? Yes and no. No, in that the protections of the role are still there. However, by making the SRI/DPO a member of the senior management, does that not create a direct conflict as I’ve mentioned above? And if not, why are the protections afforded to their ‘independence’ so weakly worded here?
I’m also really torn on the removal of an outsourced DPO (or DPO support). It would still allow for external advice, but tasks would have to remain ‘in-house’. I know a number of organisations that would struggle with that. They would still be caught by the requirement to appoint an SRI, but do they have the staff and resources? Probably not. Does this provision help them? Probably not.
For transparency, I am the DPO for 2 organisations, therefore I have an interest in this, so of course I’m going to be concerned about any such changes. Even with that in mind, this seems like a backward step to me.
So is the role of the DPO dead?
Yes and no.
Yes in that the role of the DPO is being fundamentally changed to make it more functional for the Data Controller and vested in the priorities of the Data Controller. The term has gone and some of the ‘protections’ for the independence of the new role are a little woolly, especially when put against the role being a member of Senior Management.
No in that the Bill still retains the need to have one (albeit scaled down) and the duties and protections a DPO has today. The term ‘DPO’ is removed, yes, but let’s be honest, people are still going to call it a DPO because the job title ‘Senior Responsible Officer’ is utterly useless to the rest of the staff. So the job title DPO will remain, and maybe we will also see the rise of ‘Heads of’ (more so than today).
It will be interesting to see how the Bill progresses through Parliament. Once we know a little more concrete information, I’ll reassess and decide if a change in career is in order.