This Framework is different.

It does not focus on arbitrary attainment levels for Articles of the GDPR or look for a single “compliance score.”

It asks staff 16 questions around behaviours supporting compliance and good practice in data protection.

  • Staff get asked about competencies relevant to their role: Information Handler; Business Process Owner; ICT Provider; Executive.
  • Staff can work on acquiring and demonstrating maturity in the areas that matter most.

The Framework also provides a gap-analysis for organisational competency.

  • Organisations can build training programmes and performance metrics which relate to practical, real-world actions.

Webinar – January 2025 – Overview of the Framework – Part 1

Webinar – January 2025 – Overview of the Framework – Part 2

How it works

The Framework is organised into three domains for data protection competency:

Business and Law

Technology and Tools

People and Values

These cover all aspects of data protection practice and management that an organisation needs to consider.


The 3 domains each have 3 areas of practice. These 9 areas are:

Strategy | Data Protection Law | Risk Management

Accountability and governance | Culture | Communication

Technology | Assurance | Record keeping


Each area of practice has one or more related topics.

And it is these topics that provide the 16 competencies at the core of the Framework.

These are the 16 behaviours that support compliance and good practice in data protection.


The Framework is built around four core roles that staff play in processing personal data.

1. Information Handlers – most staff.

2. Business Process Owners – staff who decide how things should be done and why.

3. ICT Providers – staff who provide IT services, procure them, or maintain them.

4. Executives – the top tier of management who make the big decisions.


Staff are asked to say how competent they feel regarding each of the 16 competencies.

The Framework uses the “conscious competence” learning model for this.

The model has four stages to becoming competent in a skill.

How you define the four stages is up to you.

Two suggestions are outlined here.

Competency Cards

Download these free competency cards to begin putting the Framework into practice.

(1) Pick the card for the role (or roles) you fulfil (Information Handler; Business Process Owner; ICT Provider or Executive).

(2) Consider each of the 16 “you” statements.

(3) Rate how competent you feel about meeting what the statement says.

Repeat (1)-(3) if you fulfil more than one role (e.g. you handle information and are also a Business Process Owner).

The true power of the framework comes from rolling this out to all your staff. The anonymous results give a true picture of how staff feel when it comes to good practice in data protection in your organisation.

This gives you true insight into what is working, and what needs action. Your next steps can be focused on key data protection issues, teams or roles.


Put the Competency Framework to work

Want to discuss how to put the Competency Framework to work in your organisation?

Call: 0203 105 0848

Email: gary@dependsdataprotection.com


Original concept and work on the Framework: Rowenna Fielding – aka Miss IG Geek – commissioned by Data Protection Education Ltd.

Reproduced under Creative Commons licence.