What is this?
In early 2021, I accepted a commission from the lovely people at Data Protection for Education; to develop and supply a competency framework for data protection which could be used in any organisation of any industry and size, to identify and measure the individual behaviours on which effective data protection relies.
Doddle, I thought; I know loads about what effective data protection should look like – how hard can it be?
Ohohohoho, I had no idea.
So it was a bit harder than you’d thought then?
According to my research, a ‘competency’ is a behaviour which can be learned and demonstrated. I suspected that ‘don’t be a git’ probably wasn’t going to meet the brief, so some further thinking was evidently needed. What does competent data protection practice look like at the individual level? Who needs to do what? How can desirable behaviour be demonstrated and evidenced without turning the metric itself into the goal (and thereby sabotaging the original objective)?
It took me two months longer than I’d anticipated -four in total; a quarter of a year spent scribbling, crossing-out, drawing mindmaps, juggling Excel cells and reminding myself of the definition of a competency (not a quality of character, a mindset, or nugget of knowledge, but a behaviour).
Now I am jolly pleased to announce that the Data Protection Competency Framework is published and available to anyone who might care to use it.
What do I do with it?
Read it, work it, share it, design around it, build on it!
Use it to educate and empower the workforce, to identify gaps in organisational DP governance, to make change from the ground up at the same as the top down, to foster a data protection culture that’s based in quality and organisational capability.
Are there any training materials to go with it?
Not yet, but this is something I want to work on in the coming year. Watch this space.
Will using the framework make me compliant?
No single tool or measure or document can possibly deliver compliance on its own. But, in order to comply with data protection law, some things need to happen at the individual level – and upskilling is usually one of the most significant and the least invested-in. So, by implementing the framework, you will be closer to ‘compliance’ (or ‘quality’, or ‘ethics’, or whatever your particular motivation for doing this work is) than if you are just making people sit through half an hour of mandatory light-touch e-learning once a year….
Can I resell/white-label or otherwise monetise it?
DPE and I decided to release this under a Creative Commons license, which allows others to cite, build on and adapt the work for non-commercial purposes, as long as we get credit.
But I can just access and use it for free?
Yes, please do! I’m hoping that other DP professionals will find the framework useful, that organisations will consider adopting it, and that other geeks out there will find ways to further extend, develop and integrate it into the real world.
I KNOW, RIGHT?!