Of all the changes in the new Data Protection and Digital Information Bill laid before parliament by the UK government in July, the removal of the requirement to have a Data Protection Officer has been one of the most hotly debated.
The government’s reasoning for the removal, according to its response to the consultation it launched, is that the appointment of a senior responsible individual will shift the emphasis to ensuring data protection is established at a senior level, embedding an organisation-wide culture of data protection. Further, “most of the tasks of a data protection officer will become the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.”
First, organisations must note that this would impact only processing activities that deal with the personal data of UK residents exclusively. When the personal data of other countries is to be processed, the relevant international laws (such as the GDPR) would still apply, and most of those laws require the appointment of DPOs.
Secondly, “ultimate responsibility” can mean a wide range of things depending on the context. In China, for instance, the Personal Information Protection Officer of an organization has the ultimate responsibility for any failures that occur in the organization’s data protection regimen. According to the Personal Information Protection Law, they can potentially be held criminally liable for such failures, the punishments for which could range from a fine of up to 1 million Chinese Yuan and prohibition from holding certain positions, to imprisonment where such breaches involve public security.
Obligations of the Senior Responsible Individual
The DPDI does not go to such extents, but its provisions still make the SRI directly accountable to a significant extent. First, the bill requires that the SRI be a member of the organisation’s senior management, indicating board/director level. It also lists the tasks the SRI would be responsible for, ranging from monitoring compliance with the data protection legislation and dealing with data breaches to organising training for employees. The clear implication is that the SRI would be in a position to directly initiate and implement a privacy management programme, so that any failure to do so, or any breaches of the programme that occur, would be traceable directly to their (in)actions.
To buttress that, the law also requires that the current contact details of the SRI are made publicly available and sent to the Information Commissioner’s Office, making them the public face of the organisation’s compliance or lack thereof. This is despite the provision in the bill that the SRI can outsource their duties to a qualified third party, provided that they verify that third party’s expertise and ensure its independence.
In addition, Section 198 of the Data Protection Act makes officers acting as managers or directors of a company that has committed an offence (deliberately or by negligence) under the Act also personally liable to be prosecuted. The offences include unlawfully obtaining and selling data, among others.
Taken together, it’s clear that the SRI in the UK may indeed be personally liable from an enforcement perspective, where the actions constitute a crime. Even when those actions do not give rise to criminal liability, their position would still be fraught with risk. It would be similar to that of a Chief Financial Officer in a company – fraud or other serious breaches of financial policy would be seen as their personal responsibility within and outside the organisation, with serious implications for their careers that may well be more impactful even than receiving a fine.
Choices Open to Organisations
Organisations and their Senior Responsible Individuals will have two options open to them if the bill is passed into law in its current form. Organisations can either appoint a data protection expert to the board (some organisations already use the Chief Privacy Officer designation) or appoint a current executive to act in the role, with the expectation that they would delegate the actual performance of the data protection tasks to suitably qualified staff within the organisation, perhaps the existing DPO, or to external consultants.
There is also the opportunity for organisations to use the Act as a conduit to developing their board or senior team in a way that embraces data. An example would be that on each NHS Trust board a Non-Executive Director is appointed with responsibility for the troika of data compliance, data governance, and data value. This could be reflected in a new executive role named the Chief Data Officer, managing the data trinity from a proactive perspective rather than a traditional “protection” and “compliance” perspective. This approach would add value to the organisational objectives.
In either case, the ultimate responsibility would lie with the person designated as SRI, and it would be their duty to ensure that the functions are performed to the highest standards, because it would be their individual professional profile tied to the success or failure of the company’s privacy management programme. Senior Information Risk Owners already exist in public sector organisations. The proposals, when linked with 21st century data leadership, could see this role enhanced.