There’s a lot of discussion about the effect on DPOs of the senior responsible individual (SRI) under the UK’s GDPR reform bill, DPDI 23. We’ll give you our view in this opinion piece.
This is an opinion piece, not legal advice. Always talk to your lawyer on legal matters. On naming, there was DPDI1, then DPDI2 and the Bill is now called the Data Protection and Digital Information Bill. To identify this 8 November 2023 incarnation we’ll call it DPDI23.
Right, onto the 2 big questions. And keep reading to meet the Impoverished DPO and the Petrified SRI…
There are two predictions we’re hearing more and more as DPDI23 makes its way through Parliament:
1. DPOs will just become SRIs
We don’t think that’s possible for most DPOs (and won’t matter).
2. There’ll be less need for DPOs
We don’t think so and, in practice, DPDI23 would be great for Keepabl and current UK DPOs (not so much for British business).
Let’s dig in and we’ll show you our thinking. We’ll look at:
Given the definition of SRI, we think it’s unlikely that the vast majority of DPOs can just change their job title to SRI on the basis of the technical definition.
How that works in practice remains to be seen. For example, many organisations now have a DPO when they don’t need one. The same may be said of SRIs in future; we’ll have to wait and see.
Section 15 of DPDI23 inserts the SRI obligation as Article 27A into UK GDPR.
Under draft Art 27A, certain controllers and processors (the test is almost identical to the DPO test) ‘must designate one individual to be its senior responsible individual’.
The individual designated as SRI must be part of the organisation’s ‘senior management’, which is defined as (our emphasis):
the individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised.
Let’s parse that definition. The individual must:
On paper, it looks like only a small number of employees at smaller organisations will fit this definition of an SRI and, at larger organisations, it’s only going to be the most senior ‘Head of’, SVPs, EVPs and up.
The government’s Explanatory Notes on the Bill’s page don’t help much. Neither do the Hansard records of the 14 April 2023 debate on the draft Bill.
The official compilation of Committee stages up to 24 May 2023 does have a couple of passages on SRIs, and one of those in particular (page 85) seems to confirm the seniority envisaged by the definition of ‘senior management’.
Committee member Sir John Whittingdale noted: ‘We recognise that some people have raised concerns that giving organisations more flexibility in how they monitor and ensure compliance with the legislation could reduce standards of protection for individuals’.
Sir John continued (our emphasis): ‘We are confident that that will not be the effect of the [SRI] clause. On the contrary, the [SRI] clause provides an opportunity to elevate discussions about data protection risks to senior levels within organisations by requiring a senior responsible individual to take ownership of data protection risks and embed a culture of data protection.’
With that definition laid out, let’s look at who we see as holding the role of DPO under UK GDPR and EU GDPR.
In our – totally qualitative – experience, DPOs generally fall into 4 camps.
This is the smallest group (at least now; it was bigger before) and typically only still happens at small organisations.
We’re not talking about just any senior employee. We don’t tend to see many Heads of Marketing or HR as DPO.
This group is the IT, Security, Ops or Compliance professional who is thrown GDPR. We see this group and the next group as the two biggest as at Q4 2023.
This group clearly cannot be an SRI because they are not employees and so are not part of the organisation’s ‘senior management’. They’re external.
Whether they should or not, let’s look at when SRIs and DPOs are needed, before turning to why we think this is great for the other current DPOs in the UK and the broader Privacy advisory industry, be that lawyers or consultants, and Privacy software providers like Keepabl.
Art 37 of UK GDPR says you need a DPO in 3 situations:
Art 27A of the draft DPDI23 says you need an SRI if you’re:
in each case, other than a court or tribunal acting in its judicial capacity.
You can see that the tests are very similar, though:
Under both regimes, there’s nothing to stop you appointing a DPO/SRI voluntarily. Given the market signalling going on with the number of DPOs appointed when they might not be technically required, it’s fair to assume we’ll also see more SRIs appointed than strictly needed.
So there are valid arguments why the number of organisations that end up with an SRI will be the same or higher than the number needing a DPO.
Imagine the (exaggerated) scene.
A mid-level IT Manager is made DPO at an organisation and, after analysing what’s involved in GDPR compliance, comes to the CFO, CIO or COO with a request for budget to buy tools and employ consultants to help with this super-complex additional role they’ve been given.
The CXO listens sympathetically, then notes how many other areas of the business require funding, particularly in these hard times, notes how many resources are already available in IT / Security / Legal etc. and basically says no. The DPO leaves the room crestfallen and the CXO returns to their full desk.
This is exaggerated for effect, but it’s not far off what we hear about in many organisations. We could imagine much the same if the DPO is an external consultant instead of the IT Manager. Thankfully Keepabl is such great value, and we free up so much time and cost, that it’s not an issue for our subscriptions.
Now let’s imagine DPDI23 becomes law and in comes the SRI.
Given how GDPR has been a hot potato since it came in, we don’t imagine many senior managers will volunteer to be SRI.
So the SRI’s tasks are going to be on top of whatever they’re already doing. And the SRI’s tasks are not light.
Draft Art 27B lists the tasks for a controller’s SRI. If you’ve got a single employee, you’re a controller. So this is for everyone. Look especially at (b) …
(a) monitoring compliance by the controller with the data protection legislation;
(b) ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with the data protection legislation;
(c) informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation;
(d) organising training for employees of the controller who carry out processing of personal data;
(e) dealing with complaints made to the controller in connection with the processing of personal data;
(f) dealing with personal data breaches;
(g) co-operating with the Commissioner on behalf of the controller;
(h) acting as the contact point for the Commissioner on issues relating to processing of personal data.
This is a heavier list than for DPOs under GDPR. You can argue that Article 30 records don’t have to be kept for as many processes or by as many businesses; we think, on balance, it’s going to make no difference there. And DPIAs are not gone, they’re just called risk assessments.
Bizarrely, the SRI also has to avoid conflicts of interest yet, by definition, must hold a role that would most likely be treated as conflicted for a DPO under GDPR.
As DPDI23 says: ‘Where the performance of one of its tasks would result in a conflict of interests, the senior responsible individual must secure that the task is performed by another person.’
Look again at the tasks: ensuring compliance, informing and advising, training. Each senior manager at an organisation is tasked with furthering their department’s, and the organisation’s, interests.
So, they do what they need to in practice and what DPDI23 tells them to: they delegate.
Re-picture the scene. The CIO / CTO / CFO has been made SRI. They’ve a full desk. They do not know enough about UK GDPR and the DPA 2018, nor have enough time, to perform the SRI tasks.
But they do have budget control and they’re quite nervous about having to ensure compliance. They call in the same IT Manager and tell them to get whatever help they need so that the CXO never has to stand in an Exec or Board meeting to explain why she or he has failed to ensure compliance.
They want the IT Manager to use the job description in DPDI23 as a checklist and make sure it’s all done.
If you’re made an SRI, you’re going to want to be able to prove you’re fulfilling your tasks and that you’re ensuring compliance at your organisation. Keepabl’s award-winning Privacy Management Software is your Privacy framework out-of-the-box, with data mapping, rights management, risk, breach and more.
And our B2B SaaS Security will make your IT Manager very happy when you delegate to them.