Job Purpose
Responsible for developing and managing policies and processes that apply across all Grafton brands to ensure they adhere to data protection laws. Also responsible for reducing the risk to Grafton’s sensitive and personal data by supporting the brands and reporting on compliance with key data protection and information security processes and standards.
Support responsibilities include advising brand leadership teams on their obligations under applicable data protection laws, encouraging implementation of Group standard processes and practices, and leading education and awareness campaigns to ensure that data protection and information security are embedded within the culture of the Group at all levels.
Advisory responsibilities include providing consultancy and support on DPIAs, DSARs, and third-party vendor risks, with the focus being on supporting the brands to manage these processes and risks by providing expert advice.
Statutory responsibilities include all formal aspects of the DPO role, assisting Grafton brands in both the controller and processor roles in all issues relating to the protection of personal data, and acting as the contact point for and cooperating with Data Protection Authorities on issues relating to data processing.
Compliance responsibilities include managing the groupwide data protection platform, ensuring it is kept up to date by brands, and reporting brand compliance with processes, risk assessments and standards.
The role holder will be a resourceful, self-motivated individual who is comfortable getting things done in matrix structures. This is a proactive outreach role, and the role holder will be expected to help Grafton brands ensure that they are implementing data protection practices, behaviours, and processes in an appropriate and pragmatic fashion in line with risk and commercial needs.
Key Accountabilities
Liaison with Supervisory Authorities
* Serve as the primary point of contact and liaison for the Lead Supervisory Authority and other Data Protection Authorities on all data protection related matters under data protection laws.
Monitor Compliance
* Ensure the organisation complies with all regional and local data protection laws, such as GDPR and the UK Data Protection Act, including internal audits, reviews and risk assessments.
* Ensure that every brand updates the key information required in the data protection platform, including records of processing, third party vendors, assessments, domain names, and the associated records of data assets, vendors, processing activities and any other required information.
* Ensure the data protection platform is adopted in all brands and is configured in such a way as to make it usable and relevant for individual Grafton companies.
* Responsible for the Data Protection platform in terms of administration, data and template management to maintain compliance.
Inform, Consult and Advise
* Create and maintain all data protection policies and standards to apply across Grafton companies, including but not limited to the Data Protection policy, Data Retention policy and Schedules, and the Data Protection elements of the Information Security Framework.
* Publish and communicate all processes, policies, standards, and associated guidelines to appropriate people across Grafton brands, including where necessary arranging for material to be translated to local languages.
* Act as the Subject Matter Expert and provide guidance to brands on their responsibilities in respect of data protection processes. This will include being available to provide ad-hoc advice, running advisory sessions to communicate any relevant updates, and ensuring the brands have access to all guidance material necessary to fulfil their data protection responsibilities.
* Provide functional leadership to Data Protection Leads, meeting regularly with DP leads to check progress against initiatives and impart information relating to any changes to data protection regulation or processes.
* Present updates against data protection risks as required to the Group Risk Committee.
* With input from Group legal colleagues as required, provide ad-hoc advice on Data Protection aspects of a broad range of documents including commercial contracts and agreements, vendor contracts and transaction documents.
Training and Awareness
* Provide a programme of mandatory data protection training for all colleagues and brands including raising awareness on compliance issues.
DPIAs, LIAs, ROPA
* Work with key stakeholders in brands to identify processing activities and provide guidance on the correct methods of recording, maintaining and completing risk assessments such as Data Privacy Impact Assessments (DPIA), Records of Processing Activities (ROPA) and Legitimate Interests Assessments (LIA).
Handle Data Subject Requests
* Act as contact point for escalations and ensure that all requests, across the organisation, from data subjects who wish to exercise their rights are responded to in compliance with the law.
Review Data Processing Activities
* Ensure that data processing activities are lawful, fair and transparent and that only necessary data is collected and processed across the organisation.
Incident Management
* Manage and report data breaches to the appropriate supervisory authority within legal timelines and coordinate internal responses to mitigate damage.
Documentation and Reporting
* Report on compliance with data protection standards and processes on a per-business basis, supporting brands through any related self-assessment activities. This should include but not be limited to reporting on the compliance and performance of Group functions and business units in respect of records of data processing, records of third-party processors, data breach incidents, data processing impact assessments and legitimate interest assessments, complaints, claims or notifications, cookie compliance, and responding to subject access requests (SARs).
* Where necessary, provide data from group platforms to support DSARs or other information access requests.
Advise on Data Sharing
* With input from Group legal colleagues as required, provide guidance on data sharing agreements, transfers to third parties, and international data transfers to ensure legal compliance.
Qualifications/Knowledge/Skills/Experience
Essential
* Experience in data protection and legal compliance management in a publicly listed company.
* Demonstrable knowledge of the EU General Data Protection Regulation (GDPR).
* Solid knowledge of GDPR and local data protection laws.
* Knowledge of data processing operations within the industry sector (merchanting and retail).
* Ability to handle confidential information.
* Ethical, with the ability to remain impartial and report cases of non-compliance.
* Experience of embedding data protection processes in diverse and dispersed organisations.
* Solid organisational skills with strong attention to detail and multitasking skills.
* Excellent written and verbal communication skills.
* Excellent interpersonal and communication skills. Able to communicate equally well with technical and non-technical colleagues at all levels, getting the message across effectively in all cases.
* Matrix management and influencing capabilities – can evidence examples of delivering change through persuasion and influence outside of direct line control.
* A disciplined thinker and capable of working across organisational boundaries in a demanding, high-output environment.
Desirable
* Degree or equivalent industry qualification.
* Achievement of or capability to achieve professional qualifications in data protection (e.g. GDPR-P, CDPO).
* Familiarity with computer security systems.
* Familiarity with ISO 27001 and ISO 27701 for securing and protecting information.