The UK’s Data Protection and Digital Information (No 2) Bill (the Bill) would remove the need for many organisations to appoint a Data Protection Officer. Instead, there would be an obligation on (i) public sector bodies, and (ii) organisations whose processing of personal data is likely to result in a “high risk” to the rights and freedoms of individuals, to appoint a “Senior Responsible Individual” (SRI). Although presented as a measure to reduce administrative burdens and compliance costs, the requirement could have the opposite effect, while also creating a role that carries significant personal risk for anyone willing to take it on.
Although limiting the requirement to private sector organisations that undertake “high risk” processing of personal data might seem to limit the reach of the new requirement, it is likely that many organisations will in fact be caught. The Information Commissioner’s Office (ICO) has an expansive view of what constitutes “high risk” processing, including the use of innovative technologies, large-scale profiling, tracking and the use of biometric data. Any implementation of artificial intelligence (AI) or machine learning (ML) to make or to inform decisions that have a significant legal or similar effect on individuals would be within scope. Any measure of targeted or behavioural advertising would also be caught. The question does not relate to the size of the business, but to the risks that stem from the processing of personal data. Consequently, businesses from start-ups to multinationals might well find themselves obliged to appoint an SRI for the UK.
Senior management or independent advisor?
Quite apart from the personal risk to SRIs, the UK government’s proposal offers the benefit of streamlining only to organisations that operate solely within the UK, and whose processing of personal data is subject only to UK GDPR. An organisation processing personal data subject to EU GDPR will still need to consider appointing a DPO. Given that a DPO must not be a senior decision-maker in relation to data protection matters, it is highly unlikely that the same individual could fill both roles. The need to appoint an SRI for UK GDPR purposes and a DPO for EU GDPR purposes would inevitably increase costs, and could lead to costly and potentially intractable difficulties should those individuals disagree on compliance issues that have an organisation-wide impact.
A challenge for groups?
The Bill requires the SRI to be a member of senior management of “the organisation” to which the appointment relates. Given that “the organisation” will be either a controller or a processor for data protection purposes, that test must be applied on an entity-by-entity basis. Each member of a group of companies would constitute a separate organisation. Consequently, it is not possible for a group of companies to designate an individual to act as SRI for the whole group, unless that individual is a member of senior management within each company. The individual would therefore need to be separately employed by and/or appointed to the board of each group company. That position differs markedly from the current position, under which a group of companies can appoint a single DPO.
UK groups (and potential SRIs) would therefore have to weigh the costs and administrative burdens of separate appointments for each separate company, or of appointing the same SRI to the board or senior management team of each group entity. While it is possible for the SRI role to be shared by more than one individual, it must be on a “job share” basis. Consequently, it would not be open to a group to appoint a team to act across businesses unless the members of that team were appointed to a job share within each entity. Either way, the cost and complexity is likely to outstrip current DPO arrangements.
An onerous new obligation – or a drafting glitch?
The Bill lists the SRI’s tasks and includes what appears to be an extremely onerous new obligation.
Under EU GDPR and UK GDPR Article 37, both controllers and processors may be required to appoint a DPO. The Bill makes a similar provision and distinguishes between the tasks of an SRI appointed by the controller, and the more limited tasks of those appointed by the processor. So far, so good.
Article 39 then provides that the DPO’s tasks include a duty to “inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions”. In practice, this means that a DPO appointed by the controller owes a duty to the controller, while one appointed by the processor owes its duty to the processor.
The Bill takes a different approach. It states that where an SRI is appointed by a controller, then that SRI’s tasks include “informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation”.
The controller’s SRI is, it seems, expressly made responsible not only for informing the processor of its obligations under data protection legislation, but also for advising the processor. A cardinal principle of statutory drafting is that different terms are intended to carry different meanings. Consequently, “advising” must mean something other than “informing”. If the controller’s SRI is required to advise the processor, then there must be a risk to the SRI of personal liability should any advice be found to be negligent.
Quite apart from the risk of liability, there will often be an inherent absurdity in requiring a controller’s SRI to inform and advise a processor. The controller might be a UK start-up or a business whose core focus is not on the mechanics of data protection. The processor might well be a large global organisation providing cloud services. Given the sophistication, resources and negotiating strength of those organisations, advice from a UK controller’s SRI would serve little purpose and would be unlikely to meet a warm welcome.
If the Bill proceeds beyond its second reading in the House of Commons (currently scheduled for 17 April 2023) then this provision should be probed and challenged during the committee stage, and hopefully amended to remove a feature that would make the SRI’s role an extremely unattractive and risky prospect.