Yes, the SRI will absolutely have to understand all the organisation’s obligations under this Act and indeed other Acts. As with any senior person in any organisation responsible for compliance, they will need to understand the laws that they are complying with.
Amendment 84, tabled by the noble Lord, Lord Clement-Jones, is about the advice given to senior responsible individuals by the ICO. We believe that the commissioner should have full discretion to enforce data protection in an independent, flexible, risk-based and proportionate manner. The amendment would tie the hands of the regulator and force them to give binding advice and proactive assurance without full knowledge of the facts, undermining their regulatory enforcement role.
3.45 pm
Clause 18 deals with the new record-keeping requirements in the Bill. The Clause 18 stand part debate in the name of noble Lord, Lord Clement-Jones, would remove the clause in favour of retaining the existing requirements in new Article 30 of the UK GDPR. However, those provisions require most organisations to keep records of their processing activities and include a list of requirements that should be included in the record. That can lead to unnecessary paperwork, form-filling and cost, and to less focus on higher-risk processing. Although there is an exemption from these requirements in new Article 30 of the UK GDPR for small businesses, it has a limited impact because it does not apply to processing that is not “occasional”, where the processing poses risks to people or involves special categories of data.
Clause 18 will replace the record-keeping requirements under new Article 30. It will make it easier for data controllers to understand exactly what needs to be included in the record. Most importantly, organisations of any size will no longer have to keep records of processing, unless their activities are
“likely to result in a high risk to … individuals”.
That should help small businesses in particular, which have found the current small business exemption difficult to understand and apply in practice. Organisations will need to continue to comply with the data protection principles, even if they are no longer required to keep records of processing.
Amendments 85 and 86, put forward by the noble Baroness, Lady Kidron, would require any records kept by controllers to take account of the fact that a higher standard of protection is needed for children than adults. However, the clause already requires organisations to consider the context and nature of the processing and the likely risks arising to people of all ages when determining whether the record-keeping provisions apply. The ICO will be required to publish a document with a list of examples that it considers to be high-risk processing activities and we—