Provide privacy and data protection compliance services

URN: TECDT80641
Business Sectors (Suites): IT and Telecoms Professional (procom)
Developed by: e-skills
Approved on: 30 Mar 2022

Overview

This standard is about providing privacy and data protection services within an organisation.

This involves providing data protection and privacy guidance and appraisals for a wide range of projects. This includes planning privacy and data protection audits, managing subject access requests and conducting data protection impact assessments.

This standard is for those who need to provide privacy and data protection services as part of their duties.


Performance criteria

You must be able to:

  1. Plan data protection audits of systems and processes to identify areas of non-compliance and recommend improvements
  2. Manage Subject Access Requests (SAR) including the liaison with data owners and completion of SAR responses
  3. Manage the Record of Data Processing Activities (ROPA) and monitor these activities for compliance with privacy and data protection requirements
  4. Investigate potential personal data breaches in a timely manner in line with organisational procedures
  5. Identify and monitor new system and process development activities for privacy and data compliance
  6. Conduct Data Protection Impact Assessments (DPIA), ensuring evaluation of all personal data processing activities
  7. Supervise privacy and data protection reporting activities in line with organisational requirements
  8. Evaluate data protection risks identified through assessments and undertake mitigations as required
  9. Manage data mapping exercises to identify where personal data is processed and stored
  10. Collaborate with stakeholders across cybersecurity, IT, HR and legal functions to ensure privacy and data protection compliance across all levels of the organisation
  11. Contribute to reviews of organisational privacy and data protection policies in light of changes to laws, regulations, and organisational practices

Knowledge and Understanding

You need to know and understand:

  1. The importance of ensuring the privacy and confidentiality of all stakeholder data
  2. The privacy and data protection regulations that cover the processing of data about people
  3. How to maintain protection of personal information and exercise respect for the privacy of individuals
  4. That personal data must be collected for specified, explicit, and legitimate purposes, and not processed in a manner that is incompatible with those purposes
  5. How to manage Subject Access Requests (SAR) to provide timely and accurate responses
  6. That personal data needs to be processed lawfully, fairly, and in a transparent manner in relation to the data subject
  7. The need to perform audits to determine whether organisational policies and procedures continue to comply with regulations
  8. The need to implement appropriate processing and storage of data to maintain privacy and confidentiality
  9. How to deal with inappropriate access and data privacy breaches
  10. The need to identify and evaluate the compliance of the organisation's data processing activities
  11. The importance of monitoring new system developments for privacy and data compliance
  12. The need to maintain traceability of which data subjects [employees] have associations with personal data and that all processing activities are recorded and auditable
  13. How to manage and monitor the Record of Data Processing Activities (ROPA) for compliance with privacy and data protection requirements and the need for these
  14. What is meant by a Data Protection Impact Assessment (DPIA) and how to conduct one
  15. The steps involved in data mapping
  16. The importance of collaborating with stakeholders across the organisation to ensure a culture of privacy and data protection compliance
  17. The need to conduct periodic reviews of organisational privacy and data protection policies

Scope/range


Scope Performance


Scope Knowledge


Values


Behaviours


Skills


Glossary

Subject Access Requests (SAR)

A Subject Access Request (SAR) is the right of access that allows an individual to obtain the records of their personal information held by an organisation.

Record of Data Processing Activities (ROPA)

A Record of Processing Activities (ROPA) is an internal record containing information on all personal data processing activities carried out.

Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of an information systems project.


Links To Other NOS


External Links


Version Number

1

Indicative Review Date

30 Mar 2025

Validity

Current

Status

Original

Originating Organisation

ODAG Consultants Ltd.

Original URN

TECDT80641

Relevant Occupations

Information and Communication Technology Professionals

SOC Code

3539

Keywords

Data management, data protection