Head of Information Governance and Data Protection

cardiff, wales, United Kingdom

SUMMARY

The Head of Information Governance and Data Protection Officer (DPO) role is the professional lead for Information Governance at Veezu Group. The role will provide expert Information Governance advice and guidance to the Veezu management team and key partners; to ensure that all parties are processing information in accordance with legislation, guidance, while meeting their legal and regulatory obligations.

The Data Protection Officer is an essential role in facilitating ‘accountability’ and the organisations’ ability to demonstrate ongoing compliance with GDPR, where the DPO performs another role or roles there must be no conflict of interest. While this role reports to the IT Director, direct access to the Veezu Executive Board is assured in the fulfilment of their DPO duties. Ensuring that the DPO can effectively carry out their responsibilities and have their concerns and recommendations heard at the highest level of the organisation.

ROLE DUTIES AND EXPERIENCE REQUIRED

Act as the appointed statutory Data Protection Officer as defined by the General Data

Protection Regulation 2016 for Veezu Group.

Be the lead source of information and expertise on information governance and data protection, including but not limited to: The Data Protection Act 1998, The UK and EU General Data Protection Regulation, ISO27001 Information Security Standard, PCI-DSS Card Payment regulation, The Freedom of Information Act 2000, Environmental Information Regulations 2004, The Common Law Duty of Confidence, The Computer Misuse Act, The Office of the Information Commissioner and its associated powers, Information Commissioner Directives/Guidance

Lead the development of strategies, policies, and guidelines that ensure organisational compliance with information governance and data protection regulations across all departments. This will require making decisions in unprecedented situations.

Co-operate with and be the first point of contact for the Information Commissioner.

Be available to be contacted directly by data subjects.

Develop Information Governance policies that address: Organisational accountability, DPO reporting arrangements, Timely involvement of the DPO in all data protection issues, Compliance assurance: privacy by design/default, When and where data protection impact assessments are required and subsequent reporting on performance, The DPO’s role in incident management

Have sufficient understanding of the processing operations carried out, as well as the information systems and data security and data protection needs of the organisation.

Monitor the effectiveness of policies and procedures and the organisations’ compliance with them through a proactive program of audit and review, in conjunction with all functions across the operating model and other stakeholders and bodies.

Have senior responsibility for the development of a robust Information Risk Assurance function which includes Cyber Security, System Failure and GDPR.

Provide a single point of knowledge to senior management and staff with clear policies and procedures that ensure Veezu meets both its statutory and legal obligations.

Maintain an awareness of evolving legislation and national guidance relating to all areas of responsibilities.

Promote an effective information governance and risk culture that embeds information governance across the Veezu organisation.

Lead on the development of training, awareness and communications programmes aimed at

informing and advising Veezu staff (at all levels) to promote understanding of their obligations to comply with information governance requirements.

Proactively disseminate complex and contentious information governance principles to a wide audience through regular communications briefings using e-mail, intranet and bulletins and other communications media, where there may be resistance to compliance.

Ensure the Data Security and Protection Toolkit (DSPT) and other IG related audit submissions are made correctly, within timescales and are signed off by the Veezu Exec/Board where applicable and that evidence is available to support the attainment levels submitted. This includes overseeing the delivery of action plans and improvement programmes to support compliance with legislation and national Information Governance requirements. This will require liaison with senior managers throughout the organisation.

Develop/enforce organisational trigger-points for mandatory input from the DPO providing advice on Data Protection Impact Assessments (DPIA) to offer a balanced independent review of activities such as business improvements, system requests for change, large scale business development and introduction of new systems and services, to: Give consideration of the business needs against GDPR and other information governance / security requirements, Provision of advice and guidance on changes required to meet/maintain GDPR/IG compliance, Identification of system change requirements to support GDPR/IG compliance, Consult with the Information Commissioner’s Office (ICO) where proposed processing poses a high risk in the absence of proposed mitigations, Provide expert input for commercial contracts, invitations to tender, etc, whilst ensuring robust information security and governance is maintained.

Lead and support specific groups such as Information Asset Owners, System Administrators through effective networking structures sharing of relevant experience and provision of appropriate advice.

Ensure information breaches (e.g., security, confidentiality) including serious incidents and breaches are investigated and where necessary escalated in a professional manner and reported on in accordance with process and procedure.

Provide guidance on operational and procedural improvements arising from lessons learned.

Be organisations expert on information sharing, ensuring organisations approaches are compliant with law and best practice.

Proactively and strategically ensure organisations are able to share information effectively and appropriately where multi agency or partnership working exists.

Take the lead in developing, managing and reviewing information sharing protocols and third-party access and Data Processing Agreements with other organisations including local authorities and voluntary organisations.

PERSONAL COMPETENCIES

Planning; exhibit exceptional organisational acumen.

Communication Proficiency; possess the ability to articulate thoughts with clarity, at all levels of the organisation.

Proactive Adaptability; embody a proactive ethos, taking initiative when appropriate, pinpointing areas for improvement or transformation.

Collaborative Spirit; commit to the broader organisations vision, actively collaborating to achieve overarching goals.

Approach; take a calm and collegial approach when working with the team and wider business.

Result-Oriented Approach; Display intrinsic motivation and an aptitude to autonomously define, manage, and achieve key milestones and objectives.