BARRY AND ANDREW’S VIEW: The Need for Data Protection Officers, whether the Data Protection and Digital Information Bill say so or not.
Andrew Harvey LLM FIRMS
Award-winning healthcare Data Protection practitioner | Fellow of the Information and Records Management Society | LLM Information Rights Law and Practice (with Distinction)
By Barry Moult and Andrew Harvey
No Article 'this' or subsection 'that' here. Let’s start with some brief reflections on the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA18). It was only five years ago that organisations were implementing them into their businesses. As part of that, the Data Protection Officer (DPO) role was mandated in some, though not all, organisations. We wrote an article then about how it should be implemented in the health and care sector, which was later re-published in Robert Smallwood’s Information Governance for Healthcare Professionals.
Views on the necessity and effectiveness of DPOs have been varied, but many organisations have taken it seriously as a route for them to demonstrate their compliance with the law. And there have been various models by which they have been employed, whether directly recruited by the organisation, outsourced, or shared between Data Controllers. They all have their pros and cons.
Some organisations were, unfortunately, taken in and recruited someone who had completed a two-day DPO course, but had no previous experience in Data Protection and never worked in the field. In some organisations the role was inappropriately allocated to someone with no experience, but by virtue of having appointed one, allowed them to claim they ‘complied with the law’.
Organisations that have made these decisions risk failing their Data Subjects regarding the Rights and Freedoms they have under the GDPR and DPA18. They need to consider the consequences should something go wrong based on poor advice and poor Risk Assessment and mitigation.
Some organisations have, however, taken it seriously, invested in the role, carried out due diligence and recruited a DPO with experience, skills, and knowledge of how the law and regulatory guidance applies in their organisation. Some even have impressive qualifications, despite the GDPR and DPA18 not specifically requiring them.
From here we move to the Data Protection and Digital Information (No. 2) Bill (DPDI2B), which replaces the DPO role with a Senior Responsible Individual (SRI).
For some organisations this could be seen as a legitimate rationale to remove the DPO role as a cost-saving. We are already aware of organisations that are considering this route. So, once King Charles III gives the DPDI2B Royal Assent, what could organisations do?
They could remove the DPO and assign the role to a senior person in the organisation. The risk here is that it will be given to someone with no knowledge or experience in Data Protection and its related disciplines. The Data Controllers will, of course, be complying with the letter of law by having appointed an SRI. But it is unlikely they will be complying with its spirit.
Data Controllers will still need to comply with the rest of the law, taking care not to compromise the Rights and Freedoms of their Data Subject concerning their Personal and Special Category Data.
The questions that arise, therefore, are whether the newly formulated SRIs will have sufficient knowledge and experience in assessing data risks and be able to carry out due diligence with suppliers of software and services, especially with the growth of Data Sharing for research and Artificial Intelligence. And, of course, the horrid ChatGPT.
The potential consequence is the increased risk of data being inappropriately accessed and disclosed, and subject to enforcement and fines from the newly-restructured Information Commission.
Within the public sector there is already a similar role, due to HMRC losing vast swathes of data on disks way back in 2007, which resulted in the Cabinet Office mandating a Senior Information Risk Owner. But this is a different role to the SRI.
They are usually someone in a senior role in an organisation, ideally a Board Member, who is responsible for information risk across the whole organisation. But they are not experts in Data Protection. They rely on the advice of a DPO, who reports (directly or indirectly) to them.
Going forward, organisations cannot ignore compliance with the law; they would be churlish not to take it seriously. An analogy is the insurance sector: if you have an accident, reparation is likely to cost a whole lot more without having arranged insurance. Retaining a DPO after the DPDI2B becomes law is akin to an organisation’s Data Protection insurance.
Cutting the role of the DPO as a cost-saving exercise will very possibly be a false economy. Organisations that value their clients, the data they hold, and the organisation’s reputation will continue to invest in one, whatever they are called, and however they are employed or contracted to the organisation.
Now is not the moment to make hasty decisions; we need to bide our time to protect data and protect our Data Subjects, and then make informed decisions about whether a DPO is required going forward.
Director of Data Potentials Ltd; Vice Chair (internal governance) of the IRMS, AMIRMS and FIRMS Associate with Leadership Through Data
1 year: Reminds me of another duo
Knowledge & Information Management NHS Resolution
1 year: This takes me back to your pub session at the IRMS conference a few years back. It was a great, interesting and amusing session!
UKI Sales Manager at EncompaaS Ltd | Using AI to create AI-ready data | Information Governance | Data Protection | Records Management
1 year: I think I know when that photo was taken? Were you celebrating IG?
Director at BJM IG Privacy Ltd
1 year: I would like to add that the 'high level discussions' did NOT take place during lockdown, we are NOT being investigated by the Met
Director at BJM IG Privacy Ltd
1 year: Andrew Harvey LLM FIRMS High level discussions are the best...