I had that job once
"Hardest job in the world, that, the old Data Security Officer game... "
Name on the ICO register as the ISO and everything. My fatal mistake was to take the time (my own time, naturally) to read up on the responsibilities I had in law, and then to make reasonable efforts to keep $employer on the straight and narrow. Talk about "How to lose friends and influence people"... when I pointed out that handing customer PII to an offshore (non-DPD compliant) territory was really not allowed, it was pointed out to me that, well, that's interesting, now haven't you got some flashing lights to go stare at? And they carried on regardless. They were probably right, really: the odds of getting caught were zero, and the odds of getting any serious bother if something bad happened and it blew up, when amortised across the five centuries they reckoned it'd take for the bad thing to happen, were also so low as to make anything more than token lip service and auditor-friendly box-ticking the order of the day.