Skip to content

Data Protection & Privacy

Data Protection & Privacy is the management of the protection of data, enabling an organisation to meet its contractual, legal and regulatory requirements.

Data Protection & Privacy icon

More about a career in Data Protection & Privacy

As a Data Protection & Privacy practitioner you'll have the opportunity to grow and take on responsibility from the first day in a challenging but rewarding environment.

In the main, you provide expert technical knowledge in data protection, deploying a range of methodologies to manage data risks on a day-to-day basis. If you're part of a larger team, you work with the Data Protection & Privacy Lead or a departmental manager to promote best practice for data protection throughout the organisation.  Your responsibilities may include responding to data subject access requests, completing privacy impact assessments and managing fair processing notices for personal data.

You follow developments in privacy and data protection, maintaining a professional expertise and personal interest in these subjects. 

With more experience, you may lead the data protection and privacy team, assisting the organisation in maintaining data protection and privacy standards and ensuring compliance with the Data Protection Act and other relevant legislation. You'll also contribute to the development of your team(s) through training and coaching.

Work in this specialism is dedicated to ensuring that the most important assets of an organisation - its information holdings - are protected from theft or exposure to the wrong people, and that the organisation avoids the consequences of breaching data protection laws and regulations.

At a practitioner level, you might:

  • provide support in designing and documenting the data privacy requirements
  • support the head of Data Protection and Privacy in drafting and maintaining data privacy controls and measures
  • assist the head of Data Protection and Privacy in handling data or privacy breaches in accordance with policies and procedures
  • submit data breach notifications to the Information Commissioner's Office (ICO) under Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act
  • support the creation and maintenance of mapping for all data flows
  • undertake information security and data and privacy risk compliance audits to provide recommendations on improving protection

At a senior practitioner level, you might:

  • provide subject matter expertise input and guidance to help colleagues and suppliers achieve desired data protection controls
  • take a leading role in the organisation's incident response provision
  • promote and facilitate awareness of data protection requirements and the related risk across the organisation through generic and targeted training

Organisations that keep large amounts of data, particularly those in regulated sectors such as banking and healthcare, usually have a data protection and privacy team. There are generally two levels of responsibility at such organisation: practitioner and senior practitioner. There may be a third, entry level: junior practitioner.

However, most organisations have only one or two people who are either focused on data protection and privacy or cover these responsibilities as part of a broader data management role. In these organisations, the specialists will normally be operating as senior practitioners.

A practitioner:

  • supports the team in all aspects of data protection and privacy for the organisation and/or its clients
  • gains experience and knowledge with a view to becoming a subject matter expert in Data Protection and Privacy 

A senior practitioner:

  • has overall professional responsibility for the organisation’s data protection and privacy policies and practice, including compliance with UK-relevant legislation and sector-specific regulation
  • lead the data protection team, if one exists

Personal attributes

  • working autonomously and equally effectively in a team
  • analysis and problem-solving
  • self-management
  • ability to maintain confidentiality
  • assimilating information and identifying risks
  • attention to detail
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action

For a senior practitioner:  

  • project management
  • challenging and influencing both internal and external stakeholders
  • experienced in assessing, reviewing and writing policy and procedures
  • developing training and awareness modules, digital strategy, consent management, information security disciplines and technologies. 

Specialist skills 

  • implementing and managing within the organisation the Data Protection Act and relevant legislation in other jurisdictions where the organisation operates
  • implementing and managing within the organisation the Privacy and Electronic Communications Regulations (PECR), including submitting breach notifications to the regulator
  • information security audit and risk assessment techniques, such as ISO 27001
  • use of records management tools, such asSharePoint, TeamCenter and SAP
  • planning, administration, and management of information systems, operational and technical security controls
  • risk assessment and management in relation to data protection

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)

A6 – Legal and Regulatory Environment and Compliance


  • understands the legal and regulatory environment within which the business operates
  • ensures that Information Security Governance arrangements are appropriate
  • ensures that the organisation complies with legal and regulatory requirements

G1 – Data Protection


  • directs, oversees, designs, implements, contributes to, or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls to manage the protection of personal data at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements, and ensuring compliance with those requirements

G2 – Privacy


  • directs, oversees, designs, implements, contributes to, or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls to ensure that privacy and human rights legislation and regulations are adhered to
  • within a corporate organisation, this applies to employees, contractors, customers and any individual for whom personal information is held


*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.

Coming soon

Any career or role in which you've demonstrated an ability to reliably manage confidential information while applying complex standards (particularly legal ones) could, with additional specialist training, provide the basis for a role in this specialism.

Examples of such careers or roles include:

  • police services: data management
  • Armed Forces: communication security, data management
  • finance, especially information management
  • healthcare records management
  • legal practice, especially family law

Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.

Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.

As an experienced practitioner in a Data Protection & Privacy role role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.

Coming into such a role, you will not be expected to have all his knowledge initially.

Core knowledge 

Privacy and Online Rights

Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.

Law and Regulations

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.

Related knowledge

Authentication, Authorisation & Accountability

All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.

Risk Management and Governance

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.

Wider knowledge

Human Factors

Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.

You might start in this specialism as an apprentice.

Alternatively, you may start as a graduate, with a degree in:

  • cyber security or information security
  • information technology
  • information management
  • business management
  • data analytics or data science
  • finance analytics
  • law

Or, you might move into this specialism from another role in IT or another cyber security specialism: 

From a role in this specialism, you might move to a position in one of these cyber security specialisms:

Or, you might progress to take up a more senior role in Data Protection & Privacy, such as head of the team or department.

For practitioner roles, titles include:

  • Information Security Analyst
  • Information Security Manager
  • Data Protection (or Privacy) Analyst 
  • Data Protection Manager
  • Data Protection Consultant 

For senior practitioner roles, titles include:

  • Senior Data Protection (or Privacy) Consultant
  • Senior Data Protection Risk & Compliance Manager 
  • Senior (or Lead) Data Protection (or Privacy) Officer
  • Senior InfoSec Architect Data 
  • Senior IT Security & Risk Management Analyst 
  • Senior Consultant/Manager (Cyber Risk, Data/Privacy, Risk Advisory)

An apprentice starting in Data Protection & Privacy might earn between £14,000 and £22,000. With more experience, a practitioner might earn between £35,000 and £65,000. The median salary in March 2021 was £55,000.

A senior practitioner might earn between £62,000 and £74,000. The median salary in March 2021 was £65,000.

The salary ranges are based on job vacancy advertisements published online in March 2021. Median salary figures are taken from calculations performed by