Business and administration
Data protection and information governance practitioner
Provide regulatory and technical advice providing assurance to key stakeholders and regulators.
Summary
This occupation is found in organisations of all sizes across all sectors where personal and commercial data is processed. Data protection and information governance practitioners work in varied environments including in an office, onsite, or remotely.
The broad purpose of the occupation is to provide regulatory and technical advice and guidance, giving assurance to key stakeholders and regulators of compliance with information governance (IG) and data protection (DP) requirements. Organisations must comply with information governance legislation to protect the confidentiality, integrity and availability of their information assets. The data protection and information governance practitioner (DP&IGP) will contribute to the annual work plan and assist in the planning and organisation of IG, ethics and DP activities. The DP&IGP will also provide advice and training on improving data management and will support the senior team in the development and delivery of operational and strategic information requirements. The role requires work to be undertaken within explicit and legally defined timeframes (for example, data breaches must be reported within 72 hours and Data Subject Access Requests must be fulfilled within one calendar month).
In their daily work, an employee in this occupation interacts with a range of internal stakeholders including members of their own team, other departments such as IT, legal, HR, marketing, senior management and the board of directors. They also interact with external stakeholders such as members of the public, customers, Supervisory Authorities, The Information Commissioner’s Office (ICO), technology vendors, academics, industry bodies, external legal departments, human rights organisations, consumer rights organisations and law enforcement.
An employee in this occupation will be responsible for assisting the organisation in its compliance with information governance and data protection best practice and associated laws and regulations. They will oversee and manage the day-to-day coordination of information requests such as data subject rights, freedom of information and environmental information regulations requests. In addition, they will oversee compliance with information and records management, for example the development and maintenance of retention schedules. They assist in the maintenance and administration of the organisation's information governance framework, such as corporate information management, records of processing activity, developing privacy notices, conducting information audits and data breach investigations. On occasion the DP&IGP supports projects by ensuring privacy by design and default. They may also conduct a data protection impact assessment (DPIA) and third-party supplier due diligence. They analyse data and develop briefings for senior leadership on data protection and information governance controls. They may investigate information governance complaints and incidents from internal or external stakeholders. They work on their own and in a range of team settings, within agreed budgets and available resources. The DP&IGP works without high levels of supervision, usually reporting to senior stakeholders. They may occasionally be responsible for decision making, but more often will guide or influence the decisions of others.
Typical job titles include
- Data protection lead
- Data protection manager
- Information compliance officer
- Information governance lead
- Information governance officer
- Privacy officer
Knowledge, skills and behaviours (KSBs)
K1:
Relevant regulatory and legislative requirements (such as data protection, GDPR, confidentiality and cyber security) for the handling and processing of data, and how they apply.
K2:
Technology and software used to provide appropriate representation of data and manipulate them into formats (tables, graphs and portfolios) for publication.
K3:
The processing of data in technology and software and risks associated with it.
K4:
Risk assessment methodologies and approaches to risk treatment or mitigation pertaining to processing data and the impact to the business, recommending appropriate risk treatment or mitigation.
K5:
The roles of the key stakeholders in their organisation and how they interact with their own role.
K6:
Privacy by design principles and practices such as records of processing and data protection impact assessments (DPIAs).
K7:
Fundamental rights of information requests such as Freedom of Information (FOI), Individual Rights (IR), Environmental Information Regulations (EIR), Data Interoperability and Data Protection (DP).
K8:
Industry or regulatory toolkits and control frameworks or standards.
K9:
How their role fits into the organisation, its governance and escalation structures, and the impact that it has.
K10:
How their role adds value and the benefit it brings to the business.
K11:
Communication techniques and approaches to interact with a range of key internal and external stakeholders in order to meet their requirements including using current and emerging technologies to support communication.
K12:
The role of the regulators.
K13:
The value of feedback from those they regulate and from the beneficiaries of regulation, such as stakeholders, in informing future activities.
K14:
The support requirements and training needs of their stakeholders.
K15:
The need for continuous improvement of systems and procedures to ensure that regulatory requirements are met.
K16:
The importance of horizon scanning for future changes and developments in relation to data legislation and case law interpretation.
Technical Educational Products
- ST0967: Data protection and information governance practitioner (Level 4): Approved for delivery
- Reference: OCC0967
- Status: Approved occupation
- Average (median) salary: £44,063 per year
- SOC 2020 code: 2482 Quality assurance and regulatory professionals
- SOC 2020 sub unit groups:
  - 2482/01 Compliance and regulatory professionals
  - 1137/01 Information security directors
  - 1171/01 Clinical governance and information managers
  - 2439/99 Business, research and administrative professionals n.e.c.
S1:
Use IT systems to manage, share and store information in accordance with data protection requirements and organisation policies.
S2:
Communicate complex subjects in simple terms through different media (such as face to face meetings, emails, reports and presentations) to enable key stakeholders to understand what is required.
S3:
Prepare documentation and materials for review and ratification.
S4:
Work at times under time pressure, prioritising their workload in order to raise and resolve areas of concern such as individual rights, breach management, FOI requests and information sharing.
S5:
Accept and deal with changing priorities relating both to their own work and to the organisation, showing the flexibility to maintain high standards in a changing environment.
S6:
Undertake data collection, data analysis, data presentation and data storage, for example in relation to data incidents.
S7:
Interpret regulation and legislation, share best practice and advise stakeholders on its application.
S8:
Identify organisation needs and how these are applied to enquiries.
S9:
Interpret and apply sector guidance appropriately.
S10:
Undertake investigations and interviews in order to assess a data breach.
S11:
Gather, analyse, use and share data to inform risk assessment and make judgements on actions to take.
S12:
Make decisions on data protection and information governance issues raised and ensure that any areas of concern are escalated to the stakeholders.
S13:
Provide day-to-day support, specialist advice, guidance and training across the organisation and to external stakeholders on all matters regarding information governance and data protection.
S14:
Identify potential data solutions and evidence the way in which they could improve data management.
B1:
Acts in a professional manner with integrity and confidentiality.
B2:
Works collaboratively with others across the organisation and external stakeholders.
B3:
Has accountability and ownership of their tasks and workload.
B4:
Seeks learning opportunities and continuous professional development.
B5:
Works flexibly and adapts to circumstances.
B6:
Takes responsibility, shows initiative and is organised.