Information Assurance and Security: Data Compliance

Find out about the job roles that comprise the Information Assurance and Security - Data Compliance job family practice.

This document is part of a collection

Head of Data Compliance

Role summary

The Head of Data Compliance is responsible for reviewing and mapping out the compliance activities, taking account of what best practice exists, any ICT, operational and business risks and the benefits of using different approaches (e.g. technology, alignment of Legislative/Regulatory requirements). 

Typical role level expectations

  • They provide assurance to the Scottish Government across the wider cyber security standards, as well as supporting strategic aims, objectives and alignment to Digital Strategies.
  • They develop appropriate assurance policy, implement and operate processes to monitor the effectiveness of the information security control environments
  • They coordinate the planning and executing audit activities within a defined scope and report on these, ensuring that previous audit recommendations are addressed and implemented.  
  • They are responsible for compliance and monitoring of cyber security, development and assurance of specific Standards policy to support open digital platforms, and development of guiding principles to support Design Assurance for technology.

Entry route

Internal: Suitable for an individual from the Government Security Profession, Digital Data and Technology Profession or other relevant profession (e.g.  Science and Engineering Profession)

External: Suitable for an individual who has worked in the private sector in both a managerial and a technical capacity, especially from the information technology sector

Skills required to be a head of data compliance

  • Compliance monitoring and controls testing. Compliance monitoring and controls testing refers to the implementations and processes used to verify ongoing conformance to security and/or legal and regulatory requirements against technical, physical, procedural and personnel controls. The principles of the skill are to define and implement processes to verify ongoing conformance to security and/or legal and regulatory requirements, and carry out security compliance checks in accordance with an appropriate methodology. Compliance monitoring and controls testing covers compliance checks and tests against technical, physical, procedural and personnel controls.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Relationship management. Identifies, analyses, manages and monitors relationships with and between stakeholders. Clarifies mutual needs and commitments through consultation and consideration of impacts. For example, the coordination of all promotional activities to one or more customers to achieve satisfaction for the customer and an acceptable return for the supplier; assistance to the customer to ensure that maximum benefit is gained from products and services supplied.
  • Business analysis (IT Operations). Able to visualise, articulate, solve complex problems and concepts, and make disciplined decisions based on available information. Such skills include: demonstration of the ability to apply logical thinking, gathering and analysing information using comprehensive tools and techniques, the use of data to formulate both short term day-to-day and longer term strategic plans, and the ability to identify and analyse options and assess feasibility and operational impact. Ensures that the business solution aligns with the vision, mission, objectives, strategy, business and user needs and can identify and recognise a viable solution or control.
  • Ownership and initiative. Takes ownership of problems and proactively resolves technical problems, ensuring that technical solutions continue to meet business requirements. Takes full accountability for actions taken and decisions made.
  • Strategic thinking. Able to have an overall perspective on business issues, events, activities and an understanding of their wider implications and long-term impact. This could include determining patterns, standards, policies, roadmaps and vision statements. Can focus on outcomes rather than solutions and activities.
  • Business improvement process. Identifies and explores opportunities for service and business improvement. Drives the analysis, identification, prioritisation and implementation of improvements and efficiencies, thereby ensuring that the organisation derives maximum value from services. This includes, but is not linked to, recognising the potential for automation of processes, determining costs and benefits of new approaches and managing change or assisting implementation where needed.
  • Innovation. Ability to identify and pinpoint business opportunities to allow organisations to perform more effectively. This allows businesses to look at new ways of tackling business processes or to establish new services from scratch.
  • Requirements definition and management. Identifies, defines and manages the objectives of a business. Must be able to specify requirements from both a business and user perspective to enable agreed changes to be implemented effectively.
  • Planning. Able to take a continuous approach to planning, forecasting, estimating, managing uncertainty, metrics and measurements, contingency planning and roadmapping. Able to communicate the plan, planning assumptions and progress to a range of stakeholders. Maintains the cadence of delivery and manages the relationships between different people within and across teams.
  • Communicating between the technical and non-technical. Is able to communicate effectively across organisational, technical and political boundaries, understanding the context. Makes complex and technical information and language simple and accessible for non-technical audiences. Is able to advocate and communicate what a team does to create trust and authenticity, and can respond to challenge.
  • Making the process work. Focuses on the outcome. Able to challenge and improve disproportionate organisational processes where it impacts the pace of the team. Able to identify what works best for the team and when to utilise certain processes. Understands that all steps in a process must add value. Able to influence and make positive changes to the organisation.

Skills needed for this role

  • Compliance monitoring and controls testing (Relevant skill level: expert). At this level you:
    • Lead compliance monitoring and controls testing activities for an organisation
    • Champion opportunities that regulation and compliance can provide to an organisation at senior manager or board level
    • Promote compliance or regulation within the security function
    • Report significant non-compliance issues to senior management
  • Information risk assessment and risk management (Relevant skill level: expert). At this level you:
    • Enable the organisation to deliver balanced and cost-effective risk management decisions on situations with complex scope or significant risk. Ensures that risk is embedded into corporate governance processes
    • Integrate risk management processes into appropriate business activities such as system development, security architecture or procurement
    • Develop approaches to effectively report risk (including through system life cycles) to management who are responsible for risk to a given system or capability. This includes the ability to interpret management risk direction to others (such as developers or other security professionals)
    • Deliver comprehensive risk assessments for complicated or novel scenarios, using methodologies appropriate to the situation. Understands in detail how the risk assessment output dovetails into the risk management process
    • Determine and understand the security characteristics of complicated or novel systems
  • Relationship management (Relevant skill level: expert). At this level you:
    • Determine the strategic vision and direction.
    • Positively influence key senior stakeholders.
    • Provide an arbitration function.
  • Business analysis (IT Operations) (Relevant skill level: working). At this level you:
    • Investigate problems and opportunities in existing processes and contributes to recommending solutions to these.
    • Work with stakeholders to identify objectives and potential benefits available.
  • Ownership and initiative (Relevant skill level: practitioner). At this level you:
    • Take accountability of issues that occur and is proactive in searching for potential problems.
    • Achieve excellent user outcomes.
  • Strategic thinking (Relevant skill level: working). At this level you:
    • Are able to work within a strategic context and communicate how activities meet strategic goals.
    • Contribute to the development of strategy and policies.
  • Business improvement process (Relevant skill level: practitioner). At this level you:
    • Are able to analyse current services and processes, and identify and implement opportunities to optimise these.
    • Help to evaluate and establish requirements using relevant techniques such as gap analysis.
  • Innovation (Relevant skill level: working). At this level you:
    • Have awareness of innovation and are able to apply this to your own work.
  • Requirement definition and management (Relevant skill level: working). At this level you:
    • Are responsible for elicitation of requirements.
    • Facilitate setting of business priorities for change initiatives of medium complexity.
    • Manage and implement requests for changes to baseline requirements.
  • Planning (Relevant skill level: expert). At this level you:
    • Are able to lead a continual planning process in a very complex environment.
    • Are able to plan beyond product delivery. Able to identify dependencies in plans across services and coordinate delivery.
    • Coach other teams as the central point of expertise
  • Communicating between the technical and non-technical (Relevant skill level: expert). At this level you:
    • Are able to mediate and mend relationships, communicating with stakeholders at all levels.
    • Are able to manage stakeholders’ expectations and facilitate discussions across high risk or complex topics, or under constrained timescales.
    • Are able to speak and represent the community to large audiences inside and outside of government.
  • Making the process work (Relevant skill level: expert). At this level you:
    • Are able to identify and challenge organisational processes of increasing complexity and those processes that are unnecessarily complicated.
    • Are able to add value and can coach the organisation to inspect and adapt processes.
    • Guide teams through the implementation of a new process.


Back to top