The new UK data protection reform bill contains a new obligation which may represent a serious challenge for UK-based organisations. Article 27A discusses the potential to appoint a Senior Responsible Individual (SRI), and the bill goes on to suggest that this will apply to all data controllers and processors.
In practice this means that you will need to identify someone from senior management (someone who has a significant role in everyday decision making) who is willing and able to fulfil this role. Their tasks will include monitoring the organisation’s compliance, developing measures to ensure compliance, advising on obligations under the law, dealing with breaches and being the point of contact with the ICO. If you have a DPO, they will report to the SRI. Crucially, where a task may result in a conflict of interest, the SRI may need to ensure this is performed by another person, whoever that might be. This will inevitably lead to uncertainty, and it is therefore advised that any decisions made are documented to ensure accountability. It goes without saying that the SRI should have adequate knowledge and sound experience of data protection law. The role can be shared between two or more individuals, and those individuals will need to be registered with the ICO.
We think it highly unlikely that many of these individuals exist in quite the way the bill prescribes. Given this is going to be a mandatory role for all organisations, the potential risk of non-compliance seems high. We recommend that you plan in advance for this new obligation and consider who the individual(s) might be. Although the role must be fulfilled by a member of the senior team, support for such a person may be outsourced. Hope and May is developing SRI support services, in a similar way to the existing DPO representation, to take on this responsibility and mitigate any concerns or risks you may face. For further details please get in touch.