Group Data Protection Officer (2014)
- Location: Gloucester
- Duration: Permanent
- Working hours: 35 hours per week, Monday to Friday
- Application end date: 10/04/20
About the role
Ecclesiastical is looking to recruit an experienced and dedicated Data Protection Officer (DPO) to meet its obligations under data protection law. Reporting to the Group Chief Risk and Compliance Officer, the statutory DPO will monitor and advise on compliance and data practices internally to ensure the Group and its strategic business functions comply with the applicable requirements under the GDPR and all relevant national legislation. The DPO will be responsible for leading and promoting data protection compliance across the Group and will serve as the primary contact for supervisory authorities and individuals whose data is processed by the organisation. The role will require the selected individual to bring data protection to life in the context of Ecclesiastical’s values, in particular being passionate about our customers.
Essential Duties and Responsibilities
- Serving as the primary point of contact and liaison with the Information Commissioner’s Office and other EEA Data Protection Authorities on all data protection related matters under the GDPR and relevant national legislation.
- Serving as the primary point of contact for data protection queries in the business.
- Developing standards, policies and procedures applicable to the Group’s businesses and ensuring continuing compliance with relevant national legislation and GDPR where applicable.
- Developing and delivering privacy training to business functions to raise employee awareness of data privacy and security issues and to ensure data protection knowledge remains up to date, understood and tailored to business needs.
- Chairing the Group’s Security & Data Governance Committee.
- Managing and conducting ongoing reviews of the Group’s privacy governance framework and regular and ad hoc reporting on data privacy compliance within the organisation, including an annual report to the Ecclesiastical Board.
- Ensuring business critical data privacy risks and incidents are appropriately escalated in accordance with the Group’s governance framework.
- Working with key internal stakeholders in the review of projects and related data to ensure compliance with data privacy laws, and where necessary, advising on and leading data protection privacy impact assessments.
- Leading on breach response, management and resolution of data privacy incidents and data breaches.
- Monitoring and supporting the business in the fulfilment of Data Subject Access Requests and other data subject rights, including triaging the exercise of such rights and the performance of quality control checks on DSAR disclosure material.
- Ensuring that the Group’s IT systems and procedures comply with all relevant data privacy and protection law, regulation and policy (including in relation to the retention and destruction of data).
- Working collaboratively with designated Data Champions across the Group’s offices to help implement data privacy best practice.
- Identification, interpretation and application of current and emerging data privacy laws, including national and European Data Protection Board Guidance.
- Leading as subject matter expert on Privacy Impact Assessments design, process, contents and high-risk review, also for Legitimate Interests Assessments and other legal bases for processing and the exercise of individuals’ rights under data protection laws.
- Coordinating, conducting and monitoring data privacy audits.
- Working continuously to ensure that data protection becomes fully embedded as a part of business as usual at Ecclesiastical, through the development of an extensive range of relationships.
- Fostering a culture of data protection at Ecclesiastical by raising awareness and advocating privacy-by-design including in the procurement of IT systems.
Qualifications and Experience
- The successful candidate will either:
- Be a qualified solicitor with proven PQE experience in data protection law; or
- Be an individual educated to degree level holding at least one data protection and/or privacy certification (such as CIPP, CIPT, CIPM, ISEB, PCdp) with proven experience advising as a DPO or as a data privacy compliance officer.
- You will have experience in developing policy and compliance training.
- You will ideally have experience working in a regulated industry. Prior knowledge of insurance is advantageous.
Knowledge, skills and abilities
- Strong knowledge of EU data protection laws and practices and national data protection regulation
- Sufficient knowledge of information technology and data management systems required.
- Well-developed and professional interpersonal skills; ability to interact effectively with people at all organisational levels including senior stakeholders to Board level.
- Understanding of the processing operations carried out by financial services providers, with a particular emphasis on insurance and broking.
- Ability to work unsupervised, exercise leadership and influence change.
- Excellent writing and presentation skills.
- Strong change and project management skills, including the ability to manage time well, prioritise effectively and handle multiple deadlines.
- Ability to use independent judgement and discretion when making majority of decisions.
- Detail-oriented approach needed to recommend and implement strategic improvements on a range of data privacy and data protection issues.
- Ability to handle confidential and sensitive information with the appropriate discretion.
- Proven track record in working in partnership with regulators and operational areas.