
UK: Data protection law reform - is an SRI the same or different from a DPO?

In this Insight article, Joanne Bone, Partner at Irwin Mitchell LLP, explores the impending data protection law reform in the UK, focusing on the proposed replacement of data protection officers (DPOs) with senior responsible individuals (SRIs).


Background

There were concerns that the General Data Protection Regulation (GDPR) would be repealed by the UK Government in the immediate aftermath of Brexit. That didn't happen but data protection law reform is now firmly on the agenda.

New data protection laws were first proposed in July 2022 with the Data Protection and Digital Information Bill (the Bill). This was paused in Liz Truss's short-lived tenure as UK Prime Minister and a new version was introduced in March 2023. This new version is the Data Protection and Digital Information (No.2) Bill (Bill No.2). The rationale for Bill No.2 is to have a common-sense-led version of GDPR and to cut back on the cost and 'pointless paperwork' associated with data protection compliance. While Bill No.2 is not yet in the end stages of the legislative process, it is making progress through Parliament and looks likely to become law in 2024. Its content is not yet 'set in stone' but there are some concepts that are likely to be in the final version. 

One of the areas that is likely to be retained in the final version is that relating to the scrapping of the DPO role. It is proposed to replace DPOs with a new role of SRI. Articles 37 to 39 of the UK General Data Protection Regulation (UK GDPR) will therefore be removed and replaced by new Articles 27A, B, and C.

Concerns have been raised about the new role such as whether it is really needed and what its impact will be on existing DPO functions. Many organizations have already assessed whether a DPO is required and if so, have set up a structure and procedures around the DPO function. They are reluctant to change this unless they need to. 

Will the replacement of the DPO role in the UK therefore make much difference? Is the SRI a DPO under another name? 

In short, the answer is no. There are important differences that change the nature of the role, which potentially means that organizations have to restructure their compliance teams and even appoint a completely different person.

When do you need an SRI?

An SRI must be appointed where a controller or processor is a public authority or where it carries out high-risk processing. A DPO is also needed where a controller or processor is a public body and so there is no difference there. The main difference relates to private sector organizations. 

In the private sector, an SRI is required where processing meets the broad criteria of being high-risk. A DPO is needed in more specific circumstances, such as where the core activities consist of regular and systematic monitoring of data subjects on a large scale or large-scale processing of special category or criminal offense data. Until the Information Commissioner's Office (ICO) or the Information Commission (the ICO's successor under Bill No.2) issues guidance, it is not clear what 'high risk' means. Potentially, an SRI will be required in more situations than a DPO, although this is probably not the intention of the UK Government.

What does an SRI do and is it different to a DPO?

The role of an SRI differs depending on whether the organization appointing them is acting as a controller or processor. 

From a controller perspective, there are some broad similarities between what the role of an SRI and DPO covers. For example, both are required to monitor compliance with data protection legislation, inform and advise the organization on compliance, cooperate with the supervisory authority, and act as the point of contact with the supervisory authority.

One area where the role of an SRI differs substantially is in relation to processors. Where the SRI works for an organization acting as a controller that has appointed processors, the SRI must not only advise the organization it works for but also the processors it has appointed. This is the case even if the processor is an independent company and not a group company. This seems to be an odd requirement as processors will often be large IT companies that don't require input from the SRI of their customers. It is also unlikely that the SRI will have enough knowledge about the operation of the processor in order to advise. Finally, it may give rise to liability if the SRI gets things wrong. Organizations will be reluctant to allow their SRIs to advise processors if they will potentially be on the hook if the advice is not correct.

Who can be a DPO or SRI?

A core requirement relating to a DPO is that they can carry out their role in an independent manner and do not have a conflict of interest. They should not, therefore, decide on the one hand what personal data the organization collects and what is done with it, and on the other hand advise whether that use is compliant. In a nutshell, they should not be marking their own homework. This means that certain roles in an organization should not also be DPO. Examples of where a conflict of interest will typically arise include:

  • Chief Executives; 
  • Chief Financial Officers;
  • Chief Operating Officers;
  • Chief Medical Officers; 
  • Head of Marketing; 
  • Head of Human Resources; and 
  • Head of IT. 

In contrast, an SRI must be a part of senior management. This is defined as being someone who plays a significant role in making decisions about how the organization (or a substantial part of its activities) is managed. In view of the role an SRI must occupy, it is unlikely that they will also meet the independence requirement of a DPO.

If, therefore, an organization is subject to both the GDPR and the UK GDPR and is required to have both a DPO and an SRI, it is hard to see how those could be the same person.

Having said this, Bill No.2 does recognize the fact that conflicts of interest may arise. These are considered on an ad hoc basis, i.e. where the performance of a particular task by the SRI would result in a conflict of interest. In that case, the task must be given to another person.

What level of expertise does an SRI need?

Another difference between the requirements relating to a DPO and an SRI is the level of expertise in data protection law required. A DPO must be appropriately qualified for the role. The more complex and sensitive the personal data, the higher the level of expertise required. Bill No.2 does not require that the SRI has any level of expertise in data protection law. They need to have knowledge of the business but not of data protection law. It seems counter-intuitive that someone with a role to advise on data protection compliance does not need to have any expertise in data protection law!

Oddly, if the SRI is required to step back and involve another individual where a conflict arises, then one thing that must be considered in deciding who the other individual should be is what level of data protection knowledge they have.

Can the SRI role be outsourced?

Article 37 of the GDPR and the UK GDPR makes it clear that the role of DPO can be outsourced, as it states that the role can be fulfilled on the basis of a service contract. This is not in Bill No.2. This makes sense, as the SRI needs to be part of the senior management of the organization. It would be hard to think of how someone could be a member of senior management and be an outsourced service provider. The ability to use an outsourced provider therefore seems to be gone in the context of an SRI.

Can you appoint a single SRI to cover all group organizations?

Again, Article 37 of the GDPR and the UK GDPR makes it clear that a single DPO can be appointed in relation to a group. This is not mentioned in Bill No.2. It doesn't prohibit the appointment of a single SRI across multiple group companies, but in order for them to be eligible to be an SRI they must have a senior management role in all organizations in relation to which they are appointed.

If a group needs to appoint multiple SRIs, this will likely lead to increased costs and administrative burdens, which run contrary to the stated aim of Bill No.2.

Is an SRI personally liable for compliance?

Concerns have been raised about whether the SRI will be personally liable for the compliance of the organization. This was also raised back in 2018 in relation to DPOs. SRIs are not made personally liable under Bill No.2. Their liability position is much like that of DPOs currently. They also have some of the protections afforded to DPOs. For example, they cannot be dismissed or penalized for performing their role. This protection also applies to any individual to whom the SRI delegates a task.

Indeed, the SRI (and their delegates) must be supported by the organization, e.g., by having sufficient resources to carry out their tasks.

What is the current position with Bill No.2?

At the time of writing, Bill No.2 had its second reading in the House of Lords in December 2023 and is now in the House of Lords committee stage. It is not yet in the final stages of the UK legislative process, but it is hoped that it will be finalized in the first quarter of 2024.

What do the changes mean for UK adequacy?

There has been a degree of conjecture amongst commentators that Bill No.2 might put the adequacy decision of the UK at risk. The ICO's assessment of the bill is that it strikes 'a positive balance and should not present a risk to the UK's adequacy status.' This has not, however, put concerns to bed. Preserving adequacy with the EU remains of central importance and it is expected that the House of Lords will scrutinize Bill No.2 with the question of adequacy in mind.

Conclusion

Even though Bill No.2 aims to be a less burdensome and more flexible regime for controllers and processors, the changes will still require organizations to revisit their current data protection compliance. Even if the organization is solely UK-based, changes will likely be required. This is even more so where they have cross-border operations which are subject to the GDPR. Since the move to an SRI in the UK will potentially mean that group SRIs cannot be appointed, that a DPO and an SRI may both be required, and that an outsourced provider cannot be used, the changes are unlikely to be welcomed. They will likely be seen more as an additional administrative hurdle than as a simplification and reduction of the compliance burden.

Joanne Bone Partner
[email protected]
Irwin Mitchell LLP, Leeds
