Job Description
About us:
We're The Restaurant Group (TRG for short) and we're one of the UK's biggest hospitality businesses. We're a significant player in the UK casual dining market, operating over 400 restaurants and pubs including Wagamama, Barburrito and Brunning & Price. Our diverse portfolio of brands provides something for everyone, and we are proud to be TRG.
The Role
Working independently, the role of the Privacy Officer is to build and manage the privacy programme for TRG and its business divisions, to develop privacy policies for internal use and privacy statements for internal and external use, and to describe privacy requirements for business partners and service providers. The Privacy Officer will facilitate regulatory compliance by establishing and coordinating TRG’s Privacy Council. Knowing how to persuade and enable the business, while maintaining integrity, the Privacy Officer closely collaborates with business stakeholders to control risk from potential procedural or technology changes that affect privacy.
The Privacy Officer conducts privacy risk assessments, focused on specific business processes or applications. They identify and suggest prioritisation of privacy risk treatment for the organisation, and determine how to maintain and improve adherence to regulatory requirements and corporate policies. The Privacy Officer will develop and maintain privacy training and awareness programmes, and set up a personal data breach response plan.
As the internal representation of regulatory authorities on the matter of privacy, the Privacy Officer is a neutral position. As a result, the role will have dual reporting into the Director of Technology and the Legal team.
The Privacy Officer may not have any conflict of interest, e.g., being responsible for business outcomes while holding the Privacy Officer function. Nor may the Privacy Officer be responsible for executing (parts of) the privacy programme, as this impacts the Privacy Officer’s neutrality.
Key Responsibilities:
* Governance: Maintain, develop and implement the privacy programme for TRG and its business divisions, and the resulting privacy policies, procedures and documentation for the processing of personal data, in coordination with appropriate members of the organisation.
* Monitor continuous adherence to the privacy programme’s requirements.
* Establish and work with a multidisciplinary team, including audit and risk, compliance, HR, legal, business process owners, IT, Cyber Security and other internal stakeholders to ensure enterprise-wide coverage of the privacy discipline.
* Work with procurement, supplier management and the legal department to ensure that third-party suppliers' contracts and operating-level agreements meet [international] privacy requirements.
* Implement and maintain an internal reporting mechanism for intended (new or changed) personal data processing activities, to which business unit/process owners must adhere.
* Notify data protection authorities of the organisation's processing activities and/or obtain guidance where required.
* Lead TRG's response to privacy-related emergencies and other potentially damaging events.
* Communicate with regulatory authorities and the public concerning privacy issues (for example, answering data subject access related questions and requests).
* Determine TRG’s specific privacy-related requirements and potential vulnerabilities.
* Develop, improve and manage the privacy impact assessment process, in close collaboration with business stakeholders.
* Conduct regular privacy policy compliance assessments to ensure that TRG’s privacy policies are being adhered to.
* Ensure that business units, technology teams and third parties (service providers) follow TRG's privacy programme; implement measuring procedures to verify the extent to which these stakeholders meet privacy policy requirements and address privacy concerns.
* Collaborate with and assist business units and technology areas to develop corrective action plans for identified privacy compliance issues.
* Conduct frequent compliance report monitoring activities on collaborating partners', third-party service providers' and other data processors' levels of privacy compliance.
* Support the creation of an inventory that documents how and why TRG collects, shares and uses personal data.
* Influence TRG’s retention programme to facilitate deletion or anonymisation of personal data that is no longer needed for the identified purpose(s), in accordance with applicable requirements.
* Serve as the internal advisor to the CIO and Technology Director to interpret privacy-policy-related questions.
* Work closely with the technology service teams to anticipate potential privacy problems embedded in the use of emerging technologies.
* Liaise with the Head of Service Operations and the Infrastructure and Cyber Security Manager in matters relating to data breaches.
* Conduct or oversee privacy awareness campaigns, training and orientation for all employees.
Requirements
A successful Privacy Officer candidate will have the expertise and skills described below.
Education and Training
Bachelor's degree or higher in business administration, law, finance, accounting, computer science or a related discipline is required.
An advanced degree in law, business (M.B.A.), information science (MIS), information security or a related field is preferred.
The ideal candidate will have a combination of a legal or business degree with a technical or computer science degree.
The candidate has obtained two or more of the following certifications for the relevant region(s): one or more of Certified Information Privacy Professional (CIPP), Certified Information Privacy Management (CIPM) and/or Certified Information Privacy Technologist (CIPT); and one or more of Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA).