Develop and implement strategies for privacy and data protection compliance
Overview
This standard is about developing and implementing strategies to manage privacy and data protection.
This involves creating policies and procedures to deliver the required privacy and data protection assurances across the organisation and acting as the primary point of contact for regulators and relevant organisations. It also includes planning and leading Data Protection Impact Assessments (DPIAs).
This standard is for those who need to develop and implement strategies for privacy and data protection compliance as part of their duties.
Performance criteria
You must be able to:
- Create, implement and maintain the organisational privacy and data protection policies and procedures related to gathering, storing, processing and disseminating information
- Manage the ongoing organisational compliance with privacy and cyber security legislation
- Report to senior stakeholders regarding privacy and data protection compliance, risks and issues
- Monitor and evaluate changes to privacy and data protection laws and regulations to maintain compliance
- Plan, manage and communicate Data Protection Impact Assessments (DPIA) for organisational information management projects
- Manage responses to data subject access requests (SAR) and queries as required
- Act as the primary point of contact for data protection regulators and relevant organisations
- Manage Records of Processing Activities (ROPA) to document all processing of personal data
- Lead the delivery of organisational advice and guidance for privacy obligations and ethical requirements of all employees
Knowledge and Understanding
You need to know and understand:
- How the General Data Protection Regulation (GDPR) and other data protection and information privacy laws define obligations for the handling of personal data
- The organisational roles and responsibilities of those who manage data policies and procedures
- What is meant by subject access requests (SAR), Data Protection Impact Assessments (DPIA), and Records of Processing Activities (ROPA)
- How handling data ethically is an organisation-wide responsibility
- How to identify the risks associated with misuse of personal data
- How to draft and implement privacy and data protection policies and procedures
- The need to define an organisational commitment to handling data that protects individuals and defines the responsibilities of data ownership
- The principles of privacy by design and how to implement them
- The need to educate all employees about privacy and data protection practices
- How to implement data protection metrics
- How metadata can help optimise data protection and guide business data usage in processing and storage
- The importance of maintaining records of processing operations
- The need to identify the location of all sensitive information, to enable effective data protection strategies to be developed
- The need to continuously monitor data management procedures and compliance within the organisation
- The importance of identifying the role of contact point for data protection regulators, including the Information Commissioner's Office (ICO)
- The importance of delivering proactive and pragmatic advice to maximise compliance and minimise disruption and costs to the business
- The need to provide guidance and data protection training across the organisation
- The importance of ensuring that the organisation addresses all queries and subject access requests within legal timeframes
Scope/range
Scope Performance
Scope Knowledge
Values
Behaviours
Skills
Glossary
Subject Access Requests (SAR)
A Subject Access Request (SAR) is a request made under the right of access, by which an individual can obtain confirmation of, and a copy of, the personal data an organisation holds about them, together with information about how it is processed. Under the GDPR the organisation must respond without undue delay and within one month of receipt, extendable by up to two further months for complex or numerous requests.
Records of Processing Activities (ROPA)
A Record of Processing Activities (ROPA) is an internal record documenting all processing of personal data carried out by the organisation. Under GDPR Article 30 it covers, for each processing activity, the purposes of processing, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, the envisaged retention periods and a general description of the technical and organisational security measures.
Data Protection Impact Assessments (DPIA)
A Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of an information systems project. Under GDPR Article 35 a DPIA is mandatory where the processing is likely to result in a high risk to the rights and freedoms of individuals, and it should be carried out before the processing begins.