
UK Proposes Replacing Data Protection Officers with Senior Responsible Individuals, Facing Backlash

February 6, 2023

The UK government has put forward a proposal in its new Data Protection and Digital Information (DPDI) Bill to remove the mandatory requirement for most organizations to appoint a Data Protection Officer (DPO) and replace it with a "senior responsible individual" (SRI). This move has faced significant opposition from UK data protection officers, who overwhelmingly disagree that it would be in the best interest of data subjects.  

 

The Proposed Senior Responsible Individual

Under the DPDI Bill, the SRI would be a member of the organization's senior management team and be responsible for implementing the organization's privacy management program. This would include monitoring compliance with data protection laws, handling data breaches, and organizing employee training on data protection. The government has argued that this change would provide organizations with more flexibility and reduce unnecessary burdens, while still maintaining high data protection standards. The intention is to update and simplify the UK's data protection framework in a "common-sense" way after Brexit.

However, this proposal has faced significant pushback from UK data protection officers. In a survey, 90% of DPOs gave low scores, indicating they do not believe the reform would be beneficial. Concerns have been raised that the SRI role carries significant personal risk and liability, and that it may not be feasible for groups of companies to have a single SRI across the entire organization.

 

The Data Protection Officer Role

The current requirement for organizations to appoint a Data Protection Officer (DPO) under the UK GDPR aims to ensure independent oversight and accountability for data protection compliance. DPOs must have expert knowledge of data protection law and practices, and they play a crucial role in advising the organization, monitoring compliance, and acting as a liaison with the regulator. Proponents of the DPO role argue that it provides an important check and balance, as the DPO must be able to operate independently and cannot be dismissed or penalized for performing their duties. This independence is seen as essential for protecting the rights and freedoms of data subjects.

 

Pros and Cons of the SRI vs. DPO

 

Pros of the SRI:

- Potentially more flexibility and reduced administrative burden for organizations

- SRI could have a stronger voice at the senior management level compared to a DPO

- SRI role may be more feasible for smaller organizations that struggle to justify a dedicated DPO

 

Cons of the SRI:

- Significant personal risk and liability for the SRI, which may deter qualified individuals from taking on the role

- Lack of independence, as the SRI is a member of senior management, raising concerns about conflicts of interest

- Difficulty for larger organizations or groups of companies to have a single SRI overseeing data protection across the entire organization

- Potential loss of specialized data protection expertise and oversight that a dedicated DPO provides

- Concerns that the reform could weaken data protection standards and the rights of data subjects

Pros of the DPO:

- Provides independent oversight and accountability for data protection compliance

- DPOs have specialized knowledge of data protection law and practices

- DPOs can act as a liaison between the organization and the regulator

- DPOs are required to have the authority and resources to perform their duties effectively

 

Cons of the DPO:

- Can be an administrative burden for smaller organizations to justify a dedicated DPO role

- DPOs may not have as strong a voice at the senior management level compared to an SRI

 

Ongoing Debate and Uncertainty

The DPDI Bill's second reading in Parliament has been postponed, allowing the government to consider the legislation further before proceeding. This delay suggests the government may be reconsidering the proposal in light of the significant opposition from data protection officers.

The UK's Information Commissioner, John Edwards, has welcomed the overall aims of the DPDI Bill to "enable organizations to grow and innovate while maintaining high standards of data protection rights." However, the concerns raised by data protection officers indicate that the replacement of the DPO with an SRI may not achieve this balance.

There are also broader concerns that the DPDI Bill's reforms could put the UK's data adequacy status with the European Union at risk. The EU has emphasized that data protection is a fundamental right, and any significant divergence from the EU's GDPR could trigger EU scrutiny and a reassessment of the UK's status as an adequate jurisdiction for data transfers.

The UK government's proposal to replace the mandatory Data Protection Officer with a Senior Responsible Individual has faced significant opposition from UK data protection officers, who overwhelmingly believe it would not be in the best interest of data subjects. While the government's stated aims of reducing administrative burdens and providing more flexibility have some merit, the concerns raised about the SRI role's lack of independence, potential conflicts of interest, and the loss of specialized data protection expertise are significant.

As the DPDI Bill progresses through Parliament, the government will need to carefully weigh the pros and cons of this reform and address the concerns raised by data protection professionals. Maintaining high data protection standards and the rights of data subjects should be the top priority, even if it means retaining the established DPO model or finding a compromise solution. The outcome of this debate will have important implications for the future of data protection in the UK, both in terms of domestic compliance and the country's continued data adequacy status with the European Union.

 
