08 May 2024

Senior Responsible Individual: Your organisation’s key decision-maker in data protection

It’s a year of change: impending elections, shrinking economies and now the Data Protection and Digital Information Bill (the Bill), which is likely to become law in summer this year. Perhaps not as momentous as the other shifts mentioned, but for businesses the Bill represents a substantial shift in the data protection landscape, because it requires a member of senior management to take responsibility for data protection, ensuring that it is built into governance at the highest level.

The purpose of the Bill is to take advantage of the UK’s status outside the EU to reform certain aspects of the UK General Data Protection Regulation (UK GDPR). The government intends it to boost the economy by £10.6 billion, reduce burdens on businesses and support international trade, all whilst maintaining high standards for the use of personal data.

What is a Senior Responsible Individual?

The Data Protection Officer (DPO) was an independent advisor to senior management. In contrast, the Senior Responsible Individual (SRI) must be “part of the organisation’s senior management”, i.e. one of ‘the individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised’. In practice this will be a member of the executive management team, but it could also be a director on the board.

The purpose of this change is to make it clear that data protection responsibilities ultimately rest with an organisation’s senior management. While this is already the case, the position has lacked clarity and accountability. The change is aimed at ensuring that data protection issues automatically reach board level, because they would form part of a senior management report.

Responsibilities of the SRI versus the DPO

SRIs may replace DPOs, but they have different responsibilities depending upon whether the organisation is a controller or a processor. Their tasks will be broadly similar to a DPO’s, including monitoring compliance with data protection legislation, handling data breaches and training employees. The key difference between an SRI and a DPO is that the former can delegate certain tasks to suitably qualified staff. The SRI will still need to understand data protection and retain accountability: only the tasks can be delegated, not the accountability, consistent with any senior management function.

The SRI’s contact details must be made public and sent to the Information Commissioner’s Office.

What options does your organisation have?

  1. Add the SRI function to an existing member of senior management, who becomes responsible for strategic risk assessment and for overall compliance with, and monitoring of, data protection law. This individual will not need a specialised role, as the operational execution of the tasks would be delegated, and some organisations may therefore choose to keep their existing DPO and delegate to them.

  2. Promote your existing DPO or appoint a data protection expert to the board.

  3. Appoint a new member to the senior management team who has both the technical knowledge and capabilities to carry out the tasks as well as the executive management capabilities to provide accountability and transparency at the senior level.

The executive and the board would likely require training to gain the necessary understanding of data protection, so that when the SRI raises issues they can adequately identify and assess the risks within the context of their overall decision-making.

How to comply with all the new changes?

The SRI represents just one of many changes in data protection. To comply with these changes, it’s essential that you are compliant with current data protection law. If you are compliant now, you will need few changes beyond those described above to remain compliant once the new legislation takes effect. This presents an opportunity to review your data management practices throughout your organisation.

Nick Alstrom, Wilkin Chapman LLP
Need help?

Contact Nick to discuss this further.
