• 0800 0862018
  • This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Mon - Fri 8:00 - 17:00

Data Protection Competency Framework

Data Protection Education is pleased to issue this Data Protection Competency Framework. 

We commissioned this work from Miss IG Geek because we wanted another set of eyes on an important, but seemingly missing piece of the data protection jigsaw - that is the human element.

We often hear our colleagues, customers and ourselves say that "people are the biggest risk" and we see this daily - systems security in place, but defences and data breached through human error or deception. But the human factor goes beyond the risk of a phishing attack - it's about roles throughout the organisation. 

In data protection law the organisation has accountability, but organisations are made of people. Therefore, ensuring that your people understand their role and what it requires of them to ensure the organisation as a whole has an effective data protection programme is key. It isn't simply the role of the IT department or the office administrator - everyone has a role. 

That's why this framework is so valuable - it's not just a set of skills and attainments. Rather, it looks at what different roles exist in data processing and assigns the competency to that role, understanding that in different processing activity, people may be doing different things.

We commissioned this work because we wanted to map roles effectively in our record of processing activity tool and when conducting data protection impact assessments. This framework allows us to provide staff with a personalised report and learning plan based on what they actually do. After all, if people are the biggest risk, we have to put them at the heart of the data protection risk management framework.

We've made this data protection competency framework available under a creative commons licence because we want you to use it, benefit from it and develop it for your needs. 

We'd love to hear from you about how you use and adapt it in your organisation and industry. That means send us your ideas, suggestions for improvement and any adaptations that you make - we really want to see this grow across the community. 


James England
Data Protection Education Ltd.

We don't require your information or registration to access these resources.
But if you'd like to feedback, tell us how you use them, or to hear from us in our occasional newsletter when we have more great freebies available - then please:

Keep in touch


What's inside?

The framework is organised into three domains for data protection competency:

  • Business & Law
  • Technology and Tools
  • People and Values

These cover all aspects of data protection practice and management that an organisation needs to consider.

Each domain has an area of practice, and within these areas are particular focus topics.

Every competency is defined by a “You” statement, which describes behaviour that relates to good practice in data protection. The "You" depends on your role in that process, but broadly, there is an increasing level of sophistication from Information Handler to DPO.

To be helpful, we’ve identified some ways in which the behaviour can be demonstrated and supported with evidence, however these should not be viewed as exhaustive or prescriptive. Organisations and individuals are free to add their own ideas for demonstrating and measuring these competencies.


This framework is provided under a ‘CC-BY-NC’ Creative Commons license type, which means that anyone is free to reuse, re-mix, adapt and build on the original content in any format or medium, but only for non-commercial purposes, and only as long as Data Protection Education Ltd and Miss IG Geek Ltd are credited for the original content.

About this framework

What is this framework for?

The purpose of this framework is to establish an initial, baseline set of competencies for data protection which are industry- and sector-neutral, so that it can be adopted "as is", without requiring significant effort to map the competencies to specific role titles or functions.

It describes behaviours that support compliance and good practice in data protection so that individuals can acquire and demonstrate their maturity in this area; and organisations can build training programmes and performance metrics that relate to practical, real-world actions.

There is no "one size fits all" approach to data protection, as so much of its decision-making and activities are dependent on an organisation’s approach to risk, ethics or regulation; so this framework is designed to support foundational compliance efforts without dictating how specific activities should be carried out.

The framework

Business and Law

Vision, Mission, Strategy



Suggestions for demonstrating this competency

Info Handlers

You recognise and promote the benefits of good practice in data protection; for your organisation, data subjects and wider society.

  • Use positive language about data protection.
  • Acknowledge commercial and operational benefits of robust data protection.
  • Acknowledge individual and social benefits of data protection.

Business Process Owners

You play an active role in aligning business practices with data protection obligations.

  • Show that DPIAs are routinely considered/carried out for changes or new activities under your supervision.
  • Refer to data protection in terms of support for human rights and freedoms (not a barrier or burden to business).
  • Query/raise concerns when working practices are not aligned with data protection requirements.


You frame robust data protection practices as a strategic enabler when addressing your organisation’s compliance position and operational standards.

  • Set thresholds for data protection strategy above ‘cosmetic compliance’ or ‘bare minimum’.
  • Articulate the benefits of good practice to your organisation, society and individual rights and freedoms.


You advise on where and how good data protection practices can support the delivery of the organisation’s vision, mission and strategy.

  • Provide advice, guidance and steering without hijacking business decisions.
  • Contribute your expertise to finding solutions, as well as identifying problems.
  • Build a reputation for being the Department of Doing This Safely, (not the Department of ‘No’).


You seek to align and balance conflicts of interest between ICT objectives and data protection compliance.

  • Be able to explain describe, in basic terms, the differences and overlaps between data protection and information security.
  • Avoid positioning privacy and security, or privacy and functionality as antagonists when discussing protective measures.

Tech & Tools

Assurance: Quality & Monitoring



Suggestions for demonstrating this competency

Info Handler

You keep an eye out for potential data protection problems and resolve or escalate issues when you notice them.

  • Check the quality and accuracy of personal data you work with as part of your routine activities. 

Business Process Owner

You foster a fair and consistent approach to risk and problem reporting.

  • Accept risk or problem reports that relate to your business processes, and focus on solutions, without seeking to silence, discredit or retaliate against the person reporting.
  • Seek to identify and resolve systemic aspects of risks and problems that arise.
  • Give preference to sustainable, effective actions to resolve risks or problems, even when superficial cosmetic changes are quicker, cheaper or easier.  


You seek to mitigate systemic factors which present barriers to data protection quality and compliance.

  • Acknowledge and mitigate environmental conditions which prompt or enable risky behaviour, without seeking to silence, discredit or retaliate against individuals.
  • Identify and correct systemic, structural barriers to good data protection practice before apportioning culpability to individuals’ actions.


You use data protection monitoring and reporting as intelligence-gathering tools to help the organisation manage risk.

  • Set or recommend metrics for measuring the uptake and effectiveness of data protection measures.
  • Provide regular reporting to senior management on the organisation’s data protection compliance status, maturity level, (potential) trouble spots and effectiveness of data protection controls.
  • Identify issues that undermine the organisation’s ability to keep data protection risk within acceptable limits.


Where you provide ICT support and/or services for measurement, tracking and reporting of performance or quality; you do so without excessive surveillance or unwarranted intrusion on individual privacy.

  • Require a DPIA to be conducted for any implementation of compliance monitoring which involves automated surveillance of employees.
  • Advise on the assumptions and limitations of tools used to track and report risk and compliance, so that their output can be evaluated in context.
  • Distinguish between information security tools and privacy compliance tools to prevent inappropriate use.

People and Values

Accountability & Governance: Decision-Making



Suggestions for demonstrating this competency

Info Handler

You obtain advice from the DPO to inform your own decision-making, rather than expecting them to make decisions on your behalf.

  • Know and reference organisational policy and guidance on data protection when making decisions.
  • Seek input and recommendations (not sign-off, or authorisation) for your decisions.

Business Process Owner

You make decisions with data protection as a key aspect from the start, rather than attempting to add it on later.

  • Consult data protection guidance or the DPO early on in decision-making so that "data protection by design and by default" can be incorporated effectively.
  • Record and justify decisions where data protection requirements have been discounted or superseded.


You accept accountability for making business decisions that have data protection implications.

  • Frame data protection as a contribution to decisions, not an antagonist (eg "how do we do this safely and legally?", not "is this against data protection rules?").
  • Where you have over-ruled or declined the DPO’s recommendations, account for this decision in writing so that it is reflected in organisational records.


You balance your organisation’s support needs with your professional obligations, including the need to avoid conflicts of interest with your DPO role.

  • Describe options, explanations and recommendations for meeting data protection requirements in day-to-day working as well as plans or strategies.
  • Inform, rather than usurp, colleagues’ decision-making.
  • Communicate clearly that your role is to guide, monitor and advise on data protection risk; not to dictate business operations.


You consider the "bigger picture" of the organisation’s data protection obligations and goals when making ICT decisions.

  • Seek to align (not "win victory over") data protection requirements with those of ICT security and functionality.

Contact us today with any questions or for a

Free Consultation

Call us with any questions

0800 0862018

or email us on