BLS Stay Compliant
Frequently Asked Questions
Roles Within Data Protection

Can a SIRO and DPO Be the Same Person?

Although both roles contribute to information governance, the SIRO and Data Protection Officer (DPO) must remain separate to preserve impartiality.

The SIRO reports to senior management on organisational risks, including data risks, while the DPO independently monitors compliance and may report non-compliance to the board or the ICO.

If one person holds both positions, it undermines the DPO’s independence and objectivity, creating a conflict of interest. For public bodies and data-intensive organisations, maintaining distinct and well-defined roles ensures integrity and robust oversight.
