SFIA Skills: Personal data protection (PEDP)

Reviews and assists own organisation to maintain a privacy notice and record of processing activities (ROPA). Advises and, where necessary, assists on the application of data protection impact assessments (DPIA) and maintain records for compliance within regulatory access requirements.

Identifies the impact of any relevant statutory, internal or external regulations on the organisation’s use of personal information and develops strategies for compliance. Leads and plans activities to communicate and implement information management and privacy strategies. Monitors and advises on application of privacy notice, ROPA and application of DPIAs. Acts as contact point for regulatory authority (Commissioner) on issues relating to processing, prior consultations and other matters as appropriate.

Instigates and encourages cooperation where opportunities and requirements to work with subject matter experts exist to build effective relationships within the organisation. Demonstrates how collaborative working will increase the organisation’s effectiveness, reduce risk and create trust and resilience with the general public. Areas to work with should include legal, public relations, learning and development, procurement, information security, IT, security, data management and architecture.

Consults, collaborates and offers expert advice on developing organisational policies, procedures, best practice, privacy policies, standards and guidelines ensuring recognised data protection definitions and practices are applied throughout the organisation. Has due regard to the risk associated with processing operations, taking into account the nature, context and purpose of processing.

Assesses and manages the risk for any potential personal data breaches and cyber incidents. Sets in motion the agreed procedures to identify breach, including with third parties, works within statutory timeline, mitigates risk, and maintains communications with Data Protection Officer (DPO), or equivalent when not required, to comply with statutory notification to the regulatory authority (Commissioner) if breach confirmed.

Advises on information sharing requirements including agreements and ad hoc disclosures for example police requests.

Monitoring compliance with data protection and default through DPIAs and associated documentation.

Influencing culture through training and raising the awareness of staff.

Monitors compliance of the organisation (or its processors) in relation to the protection of personal data, including the assignment of responsibilities to manage functions under UK GDPR.

Principles, practices, tools and techniques of information governance auditing and the Data Security and Protection Toolkit.

Supports the processing of subject access requests in accordance with GDPR requirements.

Reviews and assists own organisation to maintain a privacy notice and record of processing activities (ROPA). Advises and, where necessary, assists on the application of data protection impact assessments (DPIA) and maintain records for compliance within regulatory access requirements.