Iain Garfield, Partner and Head of Commercial at BPE Solicitors, looks at the proposed changes to the role of data protection officers and what impact the government’s consultation might have on businesses.
Just when businesses were starting to get the hang of complying with the UK GDPR and the Data Protection Act 2018, the UK Government issues a new consultation on changing parts of the current legislation. Ignoring the fact that changing the law will result in the UK diverging from the rest of the European Union, thus potentially putting at risk the current ability to seamlessly transfer data from the EU into the UK, there are nevertheless a number of interesting proposals in the consultation paper.
One of the more interesting is the proposal to remove the requirement for certain businesses to appoint data protection officers.
Under articles 37 to 39 of the UK GDPR, the following types of organisations are required to appoint a data protection officer:
Other businesses are entitled to appoint data protection officers if they wish, but it is not mandatory.
A data protection officer can be an individual employee, or it can be an outsourced service provider, but in either case the officer must have “expert knowledge of data protection law and practices”. In addition, the officer must:
The Government recognises that some businesses may struggle to appoint an officer with the requisite skills, and who is sufficiently independent. As a result, if the proposed new laws are adopted, businesses will not have to appoint data protection officers any longer.
Instead, each business will be expected to designate one or more “responsible individual(s)”. But is this simply a data protection officer by another name?
Maybe.
Whilst those individuals would still be expected to oversee that business’s data protection compliance, it would be for the business to decide what skills, experience and qualifications those individuals should have. Each business would have more freedom in how it instructed those individuals to carry out their tasks but, most noticeably, the phrase “responsible individual(s)” seems to suggest that outsourcing responsibility to external consultancies would not be acceptable.
Therefore, reports of the death of data protection officers may be somewhat premature and, even if the Government’s proposals do find their way into law in the future, there is unlikely to be a significant change insofar as businesses still needing to ensure that one or more individuals are tasked with ensuring compliance with the law. Same job, different job title?
The consultation period is due to end in mid-November, and the industry looks forward to reading the Government’s response whenever it is published thereafter.
Twitter @BPE_Solicitors
LinkedIn: BPE Solicitors LLP
Property law firms play a pivotal role in facilitating smooth real estate transactions and resolving…
Henley Festival and Henley Royal Regatta are set to continue their partnership after signing a…
Everrati, a Bicester manufacturer of electric vehicle powertrains, has entered into a strategic partnership with…
Merlin Entertainments, which oversees 140 global attractions across 23 countries from its base in Poole,…
A Bracknell business looking to make freshly roasted coffee accessible to a wider market has…
Wealth management and professional services group Evelyn Partners has appointed Danielle Pearce as a financial…