DPDI 2023: SRIs and DPOs

The UK GDPR reform Bill (the DPDI) is moving closer to law so, in this first part of our series, we look at whether a DPO under UK GDPR can be an SRI under DPDI23, and why we think SRIs will lead to increased Privacy spend in the UK
SRIs and DPOs

There’s a lot of discussion about the effect on DPOs of the senior responsible individual (SRI) under the UK’s GDPR reform bill, DPDI 23. We’ll give you our view in this opinion piece.

This is an opinion piece, not legal advice. Always talk to your lawyer on legal matters. On naming, there was DPDI1, then DPDI2 and the Bill is now called the Data Protection and Digital Information Bill. To identify this 8 November 2023 incarnation we’ll call it DPDI23.

Right, onto the 2 big questions. And keep reading to meet the Impoverished DPO and the Petrified SRI…


The 2 BIG questions

There are two predictions we’re hearing more and more as DPDI23 makes its way through Parliament:

  1. DPOs will just become SRIs

We don’t think that’s possible for most DPOs (and won’t matter).

  2. There’ll be less need for DPOs

We don’t think so and, in practice, DPDI23 would be great for Keepabl and current UK DPOs (not so much for British business).

Let’s dig in and we’ll show you our thinking. We’ll look at:

  • Who is this ‘SRI’?
  • Who are DPOs now?
  • Will there be as many SRIs as DPOs?
  • A bonanza for Privacy advisors


Who is this ‘SRI’?

Given the definition of SRI, we think it’s unlikely that the vast majority of DPOs can just change their job title to SRI on the basis of the technical definition.

How that works in practice remains to be seen. For example, many organisations now have a DPO when they don’t need one. And the same may be said of SRIs in future, we’ll have to wait and see.

Section 15 of DPDI23 inserts the SRI obligation as Article 27A into UK GDPR.

Under draft Art 27A, certain controllers and processors (the test is almost identical to the DPO test) ‘must designate one individual to be its senior responsible individual’.

‘Senior Management’ defined

The individual designated as SRI must be part of the organisation’s ‘senior management’, which is defined as (our emphasis):

the individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised.

The SRI Pool

Let’s parse that definition. The individual must:

  1. play a ‘significant role’ in decision-making. Laws are interpreted on the basis that lawmakers use words (and leave out words) for a reason, so ‘significant’ has to carry its natural meaning. Those not playing a significant role in any decision-making don’t pass this first limb of the definition.
  2. make decisions that are about how the organisation’s ‘activities are to be managed or organised’. If the decisions made by a role are not about that, then that role doesn’t pass this limb.
  3. make those decisions about how either ‘the whole’ of the organisation’s activities is managed or organised – and very few employees could claim to make decisions about the whole of their organisation’s activities, maybe only the CEO and COO?
  4. or make those decisions about how ‘a substantial part of its activities’ is managed or organised. It’s this limb that expands the pool of employees who could be an SRI, but by how much it does so in practice will depend on the meaning of ‘substantial’.

On paper, it looks like only a small number of employees at smaller organisations will fit this definition of an SRI and, at larger organisations, it’s only going to be the most senior ‘Head of’, SVPs, EVPs and up.

Help from UK Gov or Parliament

The government’s Explanatory Notes on the Bill’s page don’t help much. Neither do the Hansard records of the 14 April 2023 debate on the draft Bill.

The official compilation of Committee stages up to 24 May 2023 does have a couple of passages on SRIs, and one of those in particular (page 85) seems to confirm the seniority envisaged by the definition of ‘senior management’.

Committee member Sir John Whittingdale noted: ‘We recognise that some people have raised concerns that giving organisations more flexibility in how they monitor and ensure compliance with the legislation could reduce standards of protection for individuals’.

Sir John continued (our emphasis): ‘We are confident that that will not be the effect of the [SRI] clause. On the contrary, the [SRI] clause provides an opportunity to elevate discussions about data protection risks to senior levels within organisations by requiring a senior responsible individual to take ownership of data protection risks and embed a culture of data protection.’

With that definition laid out, let’s look at who we see as holding the role of DPO under UK GDPR and EU GDPR.


Who are DPOs now?

In our – totally qualitative – experience, DPOs generally fall into 4 camps.

The C-Level Exec

This is the smallest group (at least now, it was bigger before) and typically only still happens at small organisations.

  • Under DPO rules, these individuals are clearly conflicted as a DPO and can’t technically be DPOs under UK or EU GDPR. There’s clear regulator guidance and some case law on this point.
  • While they’re conflicted as DPOs, these individuals clearly fall within the SRI’s definition of ‘senior management’ as they ‘play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised’.
  • Despite the fact they’ll still be conflicted as SRIs (see below) we think this is the group that will make up most SRIs. And this is why DPDI23 would be good for current UK DPOs and create extra burdens in terms of time, cost and stress for British business.

The Dedicated Senior Employee

We’re not talking any senior employee. We don’t tend to see many Heads of Marketing or HR as DPO.

  • This is a dedicated DPO at senior level and it’s a small group, as only the largest enterprises and groups can afford one. They sometimes have a Deputy DPO. And a larger group may have a small number of DPOs and deputies in different parts of the business.
  • Now, senior though these DPOs are, we don’t believe they qualify as an SRI as – almost by definition – they don’t ‘play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised’.

The Non-Senior Employee

This group is the IT, Security, Ops or Compliance professional who is thrown GDPR. We see this group and the next group as the two biggest as at Q4 2023.

  • Again – by definition – we don’t believe this group qualifies as SRIs as they don’t ‘play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised’.

The External DPO

This group clearly cannot be an SRI because they are not employees and so are not part of the organisation’s ‘senior management’. They’re external.

So…?

  • On our analysis, out of these 4 groups, only the rarest of current DPOs can be SRIs: the C-Level Execs.
  • We believe most SRIs will come from a 5th group: the ‘Heads of’, the SVPs and EVPs at the top of significant parts of the organisation.

Whether they should or not, let’s look at when SRIs and DPOs are needed, before turning to why we think this is great for the other current DPOs in the UK and the broader Privacy advisory industry, be that lawyers or consultants, and Privacy software providers like Keepabl.


Will there be as many SRIs as DPOs?

Art 37 of UK GDPR says you need a DPO in 3 situations:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Art 27A of the draft DPDI23 says you need an SRI if you’re:

  1. a public body, or
  2. carry out processing of personal data which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals,

in each case, other than a court or tribunal acting in its judicial capacity.

You can see that the tests are very similar, though:

  • on the one hand, DPDI23 is broader than UK GDPR because limbs 2 and 3 under UK GDPR surely fall within limb 2 of DPDI23 and limb 2 of DPDI23 must include more than that, and
  • on the other hand, you shouldn’t really do high risk processing. You’re meant to reduce it to medium. So does this mean the ‘inherent’ or ‘residual’ high risk? But that would either mean everyone needs an SRI or no-one needs an SRI, neither of which should be the intent.

Under both regimes, there’s nothing to stop you appointing a DPO/SRI voluntarily. Given the market signalling going on with the number of DPOs appointed when they might not be technically required, it’s fair to assume we’ll also see more SRIs appointed than strictly needed.

So there are valid arguments why the number of organisations that end up with an SRI will be the same or higher than the number needing a DPO.


A bonanza for Privacy advisors

The Impoverished DPO

Imagine the (exaggerated) scene.

A mid-level IT Manager is made DPO at an organisation and, after analysing what’s involved in GDPR compliance, comes to the CFO, CIO or COO with a request for budget to buy tools and employ consultants to help with this additional role they’ve been given that is super complex.

The CXO listens sympathetically, then notes how many other areas of the business require funding, particularly in these hard times, notes how many resources are already available in IT / Security / Legal etc, and basically says no. The DPO leaves the room crestfallen and the CXO returns to their full desk.

This is exaggerated for effect but it’s not far off what we hear about in many organisations. We could imagine much the same if the DPO is an external consultant instead of the IT Manager. Thankfully Keepabl is such great value and we free up so much time and cost that it’s not an issue for our subscriptions 🙂

Now let’s imagine DPDI23 becomes law and in comes the SRI.

The Petrified SRI

Given how GDPR has been a hot potato since it came in, we don’t imagine many senior managers will volunteer to be SRI.

  • The duties of the SRI far outweigh the duties of the DPO.
  • It’s not a role that can be pushed down and forgotten about. While Exec teams can nominate someone in their teams to be DPO, the SRI remains on the hook.
  • The small pool of people who will fit the definition already have full workloads in their respective areas and it won’t – or shouldn’t – include DPO as they’d almost certainly be conflicted.

So the SRI’s tasks are going to be on top of whatever they’re already doing. And the SRI’s tasks are not light.

The SRI’s Tasks

Draft Art 27B lists the tasks for a controller’s SRI. If you’ve got a single employee, you’re a controller. So this is for everyone. Look especially at (b) …

(a) monitoring compliance by the controller with the data protection legislation;

(b) ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with the data protection legislation;

(c) informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation;

(d) organising training for employees of the controller who carry out processing of personal data;

(e) dealing with complaints made to the controller in connection with the processing of personal data;

(f) dealing with personal data breaches;

(g) co-operating with the Commissioner on behalf of the controller;

(h) acting as the contact point for the Commissioner on issues relating to processing of personal data.

This is a heavier list than for DPOs under GDPR. You can argue that Article 30s don’t have to be kept for as many processes or by as many businesses – we think, on balance, it’s going to make no difference there. And DPIAs are not gone, they’re just called risk assessments.

No Conflict

Bizarrely, the SRI also has to avoid conflict yet, by definition, must be in a role that is most likely conflicted as a DPO under GDPR.

As DPDI23 says: ‘Where the performance of one of its tasks would result in a conflict of interests, the senior responsible individual must secure that the task is performed by another person.’

Look again at the tasks: ensuring compliance, informing and advising, training. Each senior manager at an organisation is tasked with furthering their department’s, and the organisation’s, interests.

So, they do what they need to in practice and what DPDI23 tells them to: they delegate.

Our exaggerated example

Re-picture the scene. The CIO / CTO / CFO has been made SRI. They’ve a full desk. They do not know enough about UK GDPR and the DPA 2018, nor have enough time, to perform the SRI tasks.

But they do have budget control and they’re quite nervous about having to ensure compliance. They call in the same IT Manager and tell them to get whatever help they need so that the CXO never has to stand up in an Exec or Board meeting to explain why she or he has failed to ensure compliance.

They want the IT Manager to use the job description in DPDI23 as a checklist and make sure it’s all done.

  • The IT Manager is no longer a DPO and has none of that stress on conflict, lack of support, and being the named, designated person on GDPR.
  • There’s now a CXO senior sponsor who is actually on the line for this as the designated person and has a whole new perspective on Privacy.
  • Budget is suddenly found. And where does it go? Tooling and advisory services to help perform the expanded tasks. And who provides those advisory services? The current crop of internal and external DPOs.


How Keepabl saves SRIs!

If you’re made an SRI, you’re going to want to be able to prove you’re fulfilling your tasks and that you’re ensuring compliance at your organisation. Keepabl’s award-winning Privacy Management Software is your Privacy framework out-of-the-box, with data mapping, rights management, risk, breach and more.

And our B2B SaaS Security will make your IT Manager very happy when you delegate to them 🙂

Book your demo now!
