Data Protection and Privacy provides the expert technical knowledge in data protection, with a range of methodologies to manage data risks on a day-to-day basis. These responsibilities include: 

• responding to data subject access requests 
• completing privacy assessments 
• managing fair processing notices for personal data. 

In a larger team, this specialism works with the Data Protection and Privacy lead or a departmental manager to promote best practice for data protection throughout the organisation.  

With more experience, a Data Protection and Privacy professional may lead a team, assisting the organisation in maintaining protection and privacy standards, ensuring compliance with the Data Protection Act and other relevant legislation. 

In Data Protection and Privacy, there is the opportunity to grow and take on responsibility from the first day in a challenging but rewarding environment. There is also the need to follow developments in data protection and privacy, maintaining a professional expertise and personal interest in these subjects. 

Data Protection and Privacy is dedicated to ensuring that the most important assets of an organisation are protected from theft or exposure to the wrong people, and that the organisation avoids the consequences of breaching data protection laws and regulations. 

In detail, you might: 

• provide support in designing and documenting the data privacy requirements 
• support the Head of Data Protection and Privacy in drafting and maintaining data privacy controls and measures 
• assist the Head of Data Protection and Privacy in handling data or privacy breaches in accordance with policies and procedures 

• submit data breach notifications to the Information Commissioner's Office (ICO) under Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 
• support the creation and maintenance of mapping for all data flows 
• undertake information security and data and privacy risk compliance audits to provide recommendations on improving protection 

With more experience, you might also: 

• provide subject matter expertise input and guidance to help colleagues and suppliers achieve desired data protection controls 

• take a leading role in the organisation's incident response provision 
• promote and facilitate awareness of data protection requirements and the related risk across the organisation through generic and targeted training 

Job Titles 

For Data Protection and Privacy roles, titles include: 

• Information Security Analyst 

• Information Security Manager 
• Data Protection (or Privacy) Analyst  
• Data Protection Manager 
• Data Protection Consultant  

For more experienced Data Protection and Privacy roles, titles include: 

• Senior Data Protection (or Privacy) Consultant 
• Senior Data Protection Risk & Compliance Manager  
• Senior (or Lead) Data Protection (or Privacy) Officer 
• Senior InfoSec Architect Data  
• Senior IT Security & Risk Management Analyst  

• Senior Consultant/Manager (Cyber Risk, Data/Privacy, Risk Advisory) 

Salaries 

An apprentice starting in Data Protection and Privacy might earn between £14,000 and £22,000.  

A Data Protection and Privacy role could earn between £35,000 and £65,000. The median salary in March 2021 was £55,000. 

A senior Data Protection and Privacy role could earn between £62,000 and £74,000. The median salary in March 2021 was £65,000. 

The salary ranges are based on job vacancy advertisements published online in March 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. 

Each of the 16 specialisms are based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Cyber Security Governance & Risk Management 

Core knowledge – you will need a very good understanding of these areas 

Privacy and Online Rights 

Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems. 

Law and Regulations 

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare. 

Related knowledge – you will need a solid understanding of these areas 

Authentication, Authorisation & Accountability 

All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems. 

Risk Management and Governance 

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation. 

Wider knowledge – these areas will help to provide context for your work 

Human Factors 

Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours. 

Skills 

Personal attributes 

• working autonomously and equally effectively in a team 
• analysis and problem-solving 
• self-management 

• ability to maintain confidentiality 
• assimilating information and identifying risks 
• attention to detail 
• evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

For a senior practitioner:   

• project management 
• challenging and influencing both internal and external stakeholders 
• experienced in assessing, reviewing and writing policy and procedures 
• developing training and awareness modules, digital strategy, consent management, information security disciplines and technologies.  

Specialist skills  

• implementing and managing within the organisation the Data Protection Act and relevant legislation in other jurisdictions where the organisation operates 
• implementing and managing within the organisation the Privacy and Electronic Communications Regulations (PECR), including submitting breach notifications to the regulator 
• information security audit and risk assessment techniques, such as ISO 27001 
• use of records management tools, such as SharePoint, TeamCenter and SAP 
• planning, administration, and management of information systems, operational and technical security controls 

• risk assessment and management in relation to data protection 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

A6 – Legal and Regulatory Environment and Compliance 

Principles: 

• understands the legal and regulatory environment within which the business operates 

• ensures that Information Security Governance arrangements are appropriate 
• ensures that the organisation complies with legal and regulatory requirements 

G1 – Data Protection 

Principles: 

• directs, oversees, designs, implements, contributes to, or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls to manage the protection of personal data at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements, and ensuring compliance with those requirements 

G2 – Privacy 

Principles: 

• directs, oversees, designs, implements, contributes to, or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls to ensure that privacy and human rights legislation and regulations are adhered to 
• within a corporate organisation, this applies to employees, contractors, customers and any individual for whom personal information is held 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Any career or role in which there’s a demonstrated ability to reliably manage confidential information while applying complex standards (particularly legal ones) could, with additional specialist training, provide the basis for a role in this specialism. 

Examples of such careers or roles include: 

• police services: data management 
• Armed Forces: communication security, data management 
• finance, especially information management 
• healthcare records management 
• legal practice, especially family law 

Data Protection and Privacy 

• Identity and Access Management 
• Cryptography and Communications Security 
• Secure Operations 

• Data Protection and Privacy 

Moving On 

From a role in this specialism, you might move to a position in one of these cyber security specialisms: 

• Secure Operations 
• Incident Response 

• Cyber Security Governance & Risk Management 
• Identity & Access Management 
• Cyber Security Audit & Assurance 

Or, you might progress to take up a more senior role in Data Protection & Privacy, such as head of the team or department. 

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training