Provide privacy and data protection compliance services
Overview
This standard is about providing privacy and data protection services within an organisation.
This involves providing data protection and privacy guidance and appraisals for a wide range of projects. This includes planning privacy and data protection audits, managing subject access requests and conducting data protection impact assessments.
This standard is for those who need to provide privacy and data protection services as part of their duties.
Performance criteria
You must be able to:
- Plan data protection audits of systems and processes to identify areas of non-compliance and recommend improvements
- Manage Subject Access Requests (SAR) including the liaison with data owners and completion of SAR responses
- Manage the Record of Data Processing Activities (ROPA) and monitor these activities for compliance with privacy and data protection requirements
- Investigate potential personal data breaches in a timely manner in line with organisational procedures
- Identify and monitor new system and process development activities for privacy and data compliance
- Conduct Data Protection Impact Assessments (DPIA), ensuring evaluation of all personal data processing activities
- Supervise privacy and data protection reporting activities in line with organisational requirements
- Evaluate data protection risks identified through assessments and undertake mitigations as required
- Manage data mapping exercises to identify where personal data is processed and stored
- Collaborate with stakeholders across cybersecurity, IT, HR and legal functions to ensure privacy and data protection compliance across all levels of the organisation
- Contribute to reviews of organisational privacy and data protection policies in light of changes to laws, regulations, and organisational practices
Knowledge and Understanding
You need to know and understand:
- The importance of ensuring the privacy and confidentiality of all stakeholder data
- The privacy and data protection regulations that cover the processing of data about people
- How to maintain protection of personal information and exercise respect for the privacy of individuals
- That personal data must be collected for specified, explicit, and legitimate purposes, and not processed in a manner that is incompatible with those purposes
- How to manage Subject Access Requests (SAR) to provide timely and accurate responses
- That personal data needs to be processed lawfully, fairly, and in a transparent manner in relation to the data subject
- The need to perform audits to determine whether organisational policies and procedures continue to comply with regulations
- The need to implement appropriate processing and storage of data to maintain privacy and confidentiality
- How to deal with inappropriate access and data privacy breaches
- The need to identify and evaluate the compliance of the organisation's data processing activities
- The importance of monitoring new system developments for privacy and data compliance
- The need to maintain traceability of which data subjects [employees] have associations with personal data, and that all processing activities are recorded and auditable
- How to manage and monitor the Record of Data Processing Activities (ROPA) for compliance with privacy and data protection requirements, and why such a record is needed
- What is meant by a Data Protection Impact Assessment (DPIA) and how to conduct one
- The steps involved in data mapping
- The importance of collaborating with stakeholders across the organisation to ensure a culture of privacy and data protection compliance
- The need to conduct periodic reviews of organisational privacy and data protection policies
Scope/range
Scope Performance
Scope Knowledge
Values
Behaviours
Skills
Glossary
Subject Access Requests (SAR)
A Subject Access Request (SAR) is the exercise of an individual's right of access, allowing them to obtain the personal information an organisation holds about them.
Record of Data Processing Activities (ROPA)
A Record of Data Processing Activities (ROPA) is an internal record documenting all personal data processing activities carried out by the organisation.
Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of an information systems project.