The Labour government has dropped many of the previously proposed UK data protection law changes.

If you have been following the potential changes to UK data protection law, you will have seen that the new bill recently published by the Labour government has dropped many of the previously proposed changes. The most significant of these was the creation of the new Senior Responsible Individual. This person would have needed to be an expert in data protection law and impartial to the interests of the organisation, whilst also being a senior manager, and, unlike the current Data Protection Officer (DPO) requirements, this position could not be outsourced to a third party. Thankfully, this novel idea, apparently designed to increase accountability, failed, and we are back to the more practical and familiar approach of appointing a DPO. So, with impending legislation reinstating the DPO requirement, should you now consider appointing a DPO (if you haven’t already)?

The guidance on this matter suggests that if large quantities of personal data of a sensitive type are processed by the controller, the threshold for an appointment has most likely been met. But what is a large quantity? The recently published Information Commissioner’s compliance toolkit contained useful information about how to improve overall compliance. In particular, the section on accountability expands on the definition of ‘large’ to include not just a quantity of data, but also the variety of categories, the regularity of the processing and the potential for harm to those who may be identified. It is therefore now far clearer that ‘large’ processing may be interpreted as going beyond a volume of personal data, and the decision on whether to appoint a DPO should take into account a range of differing factors.

We feel confident that the DPO role is back and will stay for the time being. If you haven’t yet appointed a DPO and you process even relatively small quantities of sensitive personal data such as health, ethnicity or sexual orientation, it may be time to consider an appointment. The DPO helps to ensure demonstrable compliance and the ability to meet mandatory expectations concerning the fair and reasonable use of personal data.

Having a DPO also helps an organisation monitor internal compliance regularly, and be informed and advised on data protection obligations. Dealing with complex Subject Access Requests and data breaches could also be made easier if you have a DPO. The DPO also acts as a point of contact for your organisation’s data subjects and for the ICO.

Are you looking to appoint a DPO? Please reach out to Hope and May at info@hope-may.com
