Department:   Group Legal
Type of position:  Management
Reports To:   Head of Legal

Introduction:

To be responsible for managing all data protection related matters within the Group.

Job Purpose:

To ensure compliance with data protection law, regulation and best practice whilst maximising the marketing opportunities available to the Group.

Duties & Responsibilities:

Data Protection:

To ensure that the Group maintains adequate technical and organisational means to ensure that all data processed by it (of staff, customers, prospects and others) is securely, fairly and lawfully processed;

Marketing:

To ensure that data collected for marketing purposes is fairly and lawfully processed; that it is segregated in order that it may be used in accordance with data subjects' wishes and that all of the Group's marketing on its own account and for clients is in accordance with the law and with the Group’s client contracts;

Data security:

To work with the Group’s data security officer to ensure that data protection matters are addressed properly in IT systems and processes;

International: 

Working with external advisers to provide advice on data protection to the International Division to ensure that data protection matters, marketing and data security are addressed in accordance with the laws of the countries in which the Group operates;

Notifications, Subject Access Requests and inquiries from ICO and other regulators:

To ensure prompt, accurate fulfilment of such notifications and requests; keeping notifications under review and up to date;

Ad hoc:

Providing advice on data protection matters to the business as requested;

Policies and culture:

To inculcate an awareness amongst management and staff of the importance of data protection to ensure that the Group maintains the highest standards of data protection; including responsibility for review and updating of policies, training materials and methods; increasing staff awareness via a variety of methods; working with internal audit to improve controls if necessary; to ensure that data protection is embedded in each department and within each project;

Liaison with internal and external lawyers:

To ensure that internal and external advice is taken when appropriate; to ensure that client contracts contain agreed data protection clauses; to ensure that key matters are agreed and documented with external lawyers;

To document key processes:

Monitoring:

To monitor and audit existing practice against the relevant law and monitoring future legislation and regulation for effects on existing practice and develop response to any changes.

People Management and People Development:

No direct reports but ability to influence at all levels to ensure that data protection matters are part of management's thinking.

Financial Responsibilities:

Responsible for managing expenditure on external advisers.

Performance Measures:

Results: No upheld complaints about data protection from Information Commissioner; maximising data available for marketing by methods desired by the business; minimising number of subject access requests and their impact; reducing data protection risk within the business; increasing data protection awareness amongst management and staff.  
Clients: To provide advice to business in their dealings with clients; to ensure that contracts provide sufficient safeguards to Group;   
Resources: Ability to work with other departments to achieve objectives: client services, marketing, IT, legal, training and development, internal audit. Improvements: Improve documentation within Group of how data protection is managed by working with departmental managers to ensure that their processes are correctly documented to include data protection matters; to conduct gap analysis (if required) to implement programme of improvements with departmental managers to reduce risk.

Qualifications/Experience:

Ideally a professional qualification as a Solicitor or Barrister, / or holding the ISEB Data Protection certificate, or similar qualification.

Essential Technical Competencies:

Extensive operational experience of establishing and managing Data Protection audits and Compliance, and remedial programmes, and ideally gained in a database marketing environment.
Experience of dealing with Subject Access Request.
Good understanding of data protection matters in a practical, commercial environment.
Experience of dealing with regulators, including Information Commissioner.
Willingness to provide constructive challenge to existing practice to improve processes.
Ability to influence directors, managers and staff at different levels of an organisation;
Critical Thinking: Can logically follow an analytical process to arrive at a correct understanding of the business need, by understanding business needs and constraints of both processes and systems and the law, and to develop the best commercial solutions.

Desirable criteria:

Experience of an FSA regulated environment – ideal but not essential.