13.03.2024

UK: Data protection law reform - is an SRI the same or different from a DPO?

There were concerns that GDPR would be repealed by the UK Government in the immediate aftermath of Brexit. That didn’t happen but data protection law reform is now firmly on the agenda.

New data protection laws were first proposed in July 2022 with the Data Protection and Digital Information Bill. This was paused in Liz Truss’s short-lived tenure as UK Prime Minister and a new version introduced in March 2023. This new version is the Data Protection and Digital Information (No.2) Bill (“DPDI No.2”). The rationale for DPDI No. 2 is to have a common-sense-led version of GDPR and to cut back on the cost and “pointless paperwork” associated with data protection compliance.  Whilst the bill is not yet in the end stages of the legislative process, it is making progress through Parliament and looks likely to become law in 2024. Its content is not yet “set in stone” but there are some concepts that are likely to be in the final version. 

One of the areas that is likely to be retained in the final version is that relating to the scrapping of the DPO role. It is proposed to replace DPOs with a new role of “Senior Responsible Individual” (“SRI”). Articles 37-39 of UK GDPR will therefore be removed and replaced by new Articles 27A, B and C.

Concerns have been raised about the new role such as whether it is really needed and what its impact will be on existing DPO functions. Many organisations have already assessed whether a DPO is required and if so, have set up a structure and procedures around the DPO function. They are reluctant to change this unless they need to. 

Will the replacement of the DPO role in the UK therefore make much difference?  Is the SRI a DPO under another name? 

In short, the answer is no. There are important differences that change the nature of the role and which potentially mean that organisations have to restructure their compliance teams and even appoint a completely different person. 

When do you need an SRI?

An SRI must be appointed where a Controller or Processor is a public authority or where it carries out high risk processing.  A DPO is also needed where a Controller or Processor is a public body and so there is no difference there. The main difference relates to private sector organisations. 

In the private sector, an SRI is required where processing meets the broad criteria of being high risk.  A DPO is needed in more specific circumstances i.e. where core activities consist of regular and systematic monitoring of data subjects on a large scale or large scale processing of special category or criminal offence data. Until the ICO or the Information Commission (the ICO’s successor under DPDI No.2) issues guidance, it is not clear what “high risk” means. Potentially, an SRI will be required in more situations than a DPO, although this is probably not the intention of the UK Government.

What does an SRI do and is it different to a DPO?

The role of an SRI differs depending on whether the organisation appointing them is acting as Controller or Processor. 

From a Controller perspective, there are some broad similarities between what the roles of an SRI and a DPO cover. For example, both are required to monitor compliance with data protection legislation, inform and advise the organisation on compliance, co-operate with the supervisory authority and act as the point of contact with the supervisory authority.

One area where the role of an SRI differs substantially is in relation to Processors. Where the SRI works for an organisation acting as Controller which has appointed Processors, the SRI must not only advise the organisation it works for but also the Processors it has appointed. This is the case even if the Processor is an independent company and not a group company. This seems to be an odd requirement as Processors will often be large IT companies which don’t require input from the SRI of their customers. It is also unlikely that the SRI will have enough knowledge about the operation of the processor in order to advise. Finally, it may give rise to liability if the SRI gets things wrong. Organisations will be reluctant to allow their SRIs to advise Processors if they will potentially be on the hook if the advice is not correct.

Who can be a DPO or SRI?

A core requirement relating to a DPO is that they can carry out their role in an independent manner and do not have a conflict of interest. They should not, therefore, decide what personal data the organisation collects and what is done with it on the one hand, and then on the other advise whether that use is compliant. In a nutshell, they should not be marking their own homework. This means that certain roles in an organisation should not also be DPO. Examples of where a conflict of interest will typically arise include:

  • Chief Executives 
  • Chief Financial Officers 
  • Chief Operating Officers
  • Chief Medical Officers 
  • Head of Marketing 
  • Head of Human Resources 
  • Head of IT 

In contrast, an SRI must be a part of senior management. This is defined as being someone who plays a significant role in making decisions about how the organisation (or a substantial part of its activities) is managed. In view of the role an SRI must occupy, it is unlikely that they will also meet the independence requirement of a DPO.

If, therefore, an organisation is subject to both GDPR and UK GDPR and is required to have both a DPO and an SRI, it is hard to see how that could be the same person.

Having said this, DPDI No.2 does recognise the fact that conflicts of interest may arise. These are considered on an ad hoc basis, i.e. the performance of a particular task by the SRI would result in a conflict of interest. In that case, the task must be given to another person.

What level of expertise does an SRI need?

Another difference between the requirements relating to a DPO and an SRI is the level of expertise in data protection law required. A DPO must be appropriately qualified for the role. The more complex and sensitive the personal data, the higher level of expertise required. DPDI No.2 does not require that the SRI has any level of expertise in data protection law. They need to have knowledge of the business but not of data protection law. It seems counter-intuitive that someone with a role to advise on data protection compliance does not need to have any expertise in data protection law!

Oddly, if the SRI is required to step back and involve another individual where a conflict arises, then one thing that must be considered in deciding who the other individual should be is what level of data protection knowledge they have.

Can the SRI role be outsourced?

Article 37 of GDPR and UK GDPR makes it clear that the role of DPO can be outsourced, as it mentions the fact that it can be done on the basis of a service contract. This is not in DPDI No.2. This makes sense, as the SRI needs to be part of the organisation's senior management. It would be hard to think of how someone could be a member of senior management and be an outsourced service provider. The ability to use an outsourced provider therefore seems to be gone in the context of an SRI.

Can you appoint a single SRI to cover all group organisations?

Again, Article 37 of GDPR and UK GDPR makes it clear that a single DPO can be appointed in relation to a group. This is not mentioned in DPDI No.2. It doesn't prohibit the appointment of a single SRI across multiple group companies, but in order for them to be eligible to be an SRI they must have a senior management role in all organisations in relation to which they are appointed.

If a group needs to appoint multiple SRIs, this will likely lead to increased costs and administrative burdens which runs contrary to the stated aim of DPDI No.2.

Is an SRI personally liable for compliance?

Concerns have been raised about whether the SRI will be personally liable for the compliance of the organisation. This was also raised back in 2018 in relation to DPOs. SRIs are not made personally liable under DPDI No.2. Their liability position is much like DPOs currently. They also have some of the protections afforded to DPOs. For example, they cannot be dismissed or penalised for performing their role. This protection is also applied to any individual who is delegated a task to perform by the SRI.

Indeed, the SRI (and their delegates) must be supported by the organisation, e.g. by having sufficient resources to carry out their tasks.

What is the current position with DPDI No.2?

At the time of writing, DPDI No.2 has had its second reading in the House of Lords in December 2023 and is now in the House of Lords committee stage. It is not yet in the final stages of the UK legislative process, but it is hoped that it will be finalised in the first quarter of 2024.

What do the changes mean for UK adequacy?

There has been a degree of conjecture amongst commentators that DPDI No.2 might put the adequacy decision of the UK at risk. The ICO’s assessment of the bill is that it strikes “a positive balance and should not present a risk to the UK’s adequacy status”.  This has not, however, put concerns to bed. Preserving adequacy with the EU remains of central importance and it is expected that the House of Lords will scrutinise DPDI No.2 with the question of adequacy in mind.

Conclusions

Even though DPDI No.2 aims to be a less burdensome and more flexible regime for Controllers and Processors the changes will still require organisations to re-look at their current data protection compliance.  Even if the organisation is solely UK based, changes will likely be required.  This is even more so where they have cross-border operations which are subject to GDPR. Since the move to an SRI in the UK will potentially mean that group SRIs cannot be appointed, that a DPO and an SRI may both be required and an outsourced provider cannot be used, the changes will be unlikely to be welcomed.  It will likely be seen more as an additional administrative hurdle than a simplification and reduction of the compliance burden.

This article first appeared in Data Guidance