Have you been tracking the UK government’s newly proposed Data Protection and Digital Information (No 2) Bill ('Bill')? If so, you will know that the Bill proposes replacing the role of the data protection officer established under the GDPR ('DPO') with a Senior Responsible Individual ('SRI'). Is this just a change in terminology, or should organisations start thinking about appointing an SRI in addition to an existing DPO if the Bill becomes law?
In short, the two regimes envisage the DPO and the SRI fulfilling very different roles within an organisation. The GDPR sees the role of the DPO as an independent advisor to senior management, while the Bill proposes that the SRI actually is a member of senior management.
Elisa Lindemann explores the differences between the two roles, explaining why it would be tricky for the same person to act as both the DPO and the SRI under the proposed UK Data Protection Bill. Among the reasons: SRIs cannot be appointed externally, whereas the DPO may be a member of staff or externally appointed.