The EU GDPR has been the established data protection legislation in the UK and EU since May 2018. In the UK, the EU GDPR was replaced by the UK GDPR following Brexit in January 2021.
Since Brexit, the UK Government has spoken of moving away from the GDPR towards a “more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards”, and has announced data protection reform in the form of the ‘Data Protection and Digital Information Bill’.
In March 2023, the Data Protection and Digital Information Bill had its second reading in the House of Commons. Although the bill doesn’t seem to be the seismic shift in data protection law that many were expecting, there are a number of proposals within the legislation that will have an impact on the way of working in the not-for-profit sector.
On review of the proposed legislation, one of the more immediately noticeable changes is the complete removal of the Data Protection Officer (DPO), both the position within the organisation and its duties. This is quite a departure from the GDPR, which makes it mandatory for organisations to appoint a DPO where they are public bodies, where their core activities consist of the systematic monitoring of individuals on a large scale, or where they process special category data (e.g. personal data concerning health) or criminal offence data on a large scale.
The Senior Responsible Individual (SRI)
The Bill instead introduces a new role titled the Senior Responsible Individual (SRI), who is allocated overall responsibility for data protection compliance at the organisation. This individual must be an internal member of staff who is part of the senior management team. The tasks and responsibilities of this new role are comparable to those of the DPO under the UK GDPR, but there are a few notable differences. Whilst this may appear to be change for the sake of change, unlike the DPO, the SRI must be a member of the senior management team and the role cannot be outsourced to a third-party provider.
Being able to allocate the role of the SRI internally, without the concern that the employee’s existing role will create a conflict of interest, is likely to bring some relief to a number of not-for-profits (charities in particular) that have found it challenging to appoint a DPO without creating such a conflict. However, whilst the role of the SRI must be allocated to a member of the senior management team (even where the organisation believes there to be a conflict of interest), the Bill does state that tasks which could give rise to a conflict of interest should be performed by others.
Delegating some of the tasks to others will help to ease some of the administrative burden put onto senior members of staff. These tasks can be performed by other internal members of staff but can also be outsourced to third party providers where the organisation lacks the specialist knowledge to comply with data protection legislation.
The introduction of the SRI in the Data Protection and Digital Information Bill aims to establish a different level of responsibility for data protection compliance within organisations, and to push it to a senior level. This could be a very positive change for organisations that have found it difficult to decide where data protection compliance should sit, and it means that data protection becomes a standing item on the agenda for senior leadership.
In Summary
- Data Protection is being reformed in the UK, meaning a departure from the GDPR.
- The Data Protection Officer requirement is being replaced with the ‘Senior Responsible Individual’.
- The Senior Responsible Individual must be a member of senior management and will be responsible for monitoring data protection compliance.
Get support and further advice
Our team of Information Governance specialists works exclusively with charities and nonprofits, and is here to assist organisations with any current challenges they face with data protection compliance, to support them in navigating these proposed changes to data protection legislation, and to provide some peace of mind to those allocated the role of the Senior Responsible Individual.
For more information about the services our Information Governance Team can offer, please contact us today.