Data Protection Officer New Cardiff

We're Capital on Tap. Capital on Tap started because small businesses were underserved. Big banks were slow, their products weren't fit for purpose, and small business owners often couldn't access what they needed. We set out to fix that. Today we're a financial platform – not just a credit card company. We offer a best-in-class business credit card, SME-focused spend management platform, a savings product that hit £1 billion in funds within its first year, and a growing suite of tools and financial products that make running a small business easier. 1,000+ employees, £20 bn in annual card spend, 200,000+ customers, 17,000+ Trustpilot reviews averaging 4.7 stars, and we're profitable. We’ve done a pretty good job so far, but we’re just getting started!

Why Join Us? We empower you to be innovative and solve complex problems. Take ownership, make an impact, and thrive in our scaling and agile environment.

Hybrid role based in Cardiff This is a hybrid role based in Cardiff, requiring a minimum of 3 days in the office per week.

The Data Protection Team at Capital on Tap The Data Protection team plays a crucial role in enabling Capital on Tap's commercial objectives while ensuring full compliance with global data protection regulations. As our Data Protection Officer, you'll lead a team that includes Data Protection Analysts and Administrators, working at the intersection of technology, compliance, and business enablement.

The Role We are looking for an exceptional Data Protection Officer to join our FinTech in London. This is a strategic leadership role for someone who thrives on using cutting‑edge technology and AI to transform data protection from a compliance function into a business enabler. You'll protect the company by finding innovative ways to achieve commercial goals while maintaining the highest standards of data protection compliance.

What you'll be doing

• Strategic Leadership: Serve as the primary data protection authority (act as the designated DPO under Article 37 of the UK GDPR and UK data protection law), providing strategic guidance to senior leadership on privacy risks and opportunities across all business functions.
• Business Enablement: Work closely with Product, Engineering, Marketing, and Commercial teams to find compliant pathways for new initiatives, ensuring data protection accelerates rather than hinders business goals.
• Technology & Automation: Lead the implementation of state‑of‑the‑art AI technologies and automation tools to streamline data protection activities, from DPIA automation to intelligent data discovery and rights fulfillment.
• Regulatory Compliance: Ensure full compliance with UK GDPR, DPA 2018, PECR, Data Use and Access Act (DUAA), CCPA/CPRA and emerging regulations, while staying ahead of regulatory developments and their business implications.
• Risk Management: Conduct and oversee Data Protection Impact Assessments (DPIAs), manage data breach responses, and implement privacy‑by‑design principles across all technology platforms.
• Monitoring: Monitor and assess data processing activities to ensure ongoing compliance. Assessing the lawful basis for processing activities and ensuring appropriate documentation is in place. Maintain and regularly review the organisation’s Record of Processing Activities (ROPA) to ensure completeness and accuracy.
• Stakeholder Management: Act as the primary contact point for regulators (ICO), work closely with internal and external legal counsel, and represent the company in privacy‑related matters.
• Team Development: Build and lead a high‑performing data protection team, fostering a culture of innovation, urgency, and business partnership.
• International Expansion: Support the company's US operations and international growth by navigating complex cross‑border data transfer requirements and multi‑jurisdictional compliance.
• Vendor Management: Lead privacy due diligence for third‑party vendors and partnerships, ensuring contractual protections align with business risk appetite.
• Training & Culture: Drive privacy awareness across the organisation through targeted training programs and embed privacy considerations into business‑as‑usual processes.

We're looking for

• Deep Regulatory Expertise: Comprehensive knowledge and hands‑on experience with UK data protection regulations (GDPR, DPA 2018, PECR, DUAA), with the ability to interpret complex requirements and provide pragmatic business guidance.
• FinTech/Tech Background: Proven experience in financial services or technology companies, understanding the unique privacy challenges of regulated financial products (including an understanding of consumer duty and vulnerability) and high‑growth tech environments.
• Technical Fluency: Strong technical acumen with experience using data protection tools, privacy management platforms, and automation technologies to streamline compliance processes.
• AI & Innovation: Experience with or strong willingness to adopt cutting‑edge AI technologies for privacy operations, from automated risk assessments to intelligent data processing.
• Problem‑Solving Mindset: Pragmatic approach to complex privacy challenges, with a track record of finding creative solutions that balance compliance requirements with customer outcomes and business objectives.
• Urgency & Business Focus: Demonstrated ability to work at pace in fast‑moving environments, with a philosophy that compliance should enable rather than block business progress.
• Leadership Experience: Proven ability to lead cross‑functional initiatives, influence senior stakeholders, and build high‑performing teams.
• Strategic Thinking: Experience translating regulatory requirements into business strategy, with the ability to anticipate future privacy challenges and opportunities.
• Professional Qualifications: A recognised data protection qualification such as IAPP’s CIPP/E, CIPM, CIPT, C‑DPO, or a BCS Practitioners certificate in Data Protection.
• US Privacy Expertise: Knowledge of CCPA/CPRA, state‑level US privacy laws, and experience managing multi‑jurisdictional compliance programs.
• AIGP: A Certified AI Governance Professional would be highly desirable.
• Regulatory Relationships: Existing relationships with privacy regulators or experience managing regulatory inquiries.
• International Experience: Experience with international data transfers, adequacy decisions, and global privacy frameworks.
• Experience: Minimum of 2 years acting in a DPO capacity within a financial services or technology organisation.

Diversity & Inclusion We welcome, consider and encourage applications from anyone who shares our commitment to inclusivity. Join us in creating a space where authenticity thrives, and everyone can do their best work.

Great Work Deserves Great Perks

• Private Healthcare including dental and opticians services through Vitality
• Worldwide travel insurance through Vitality
• Anniversary Rewards (£250, £500, £750, 4‑week fully paid sabbatical)
• Salary Sacrifice Pension Scheme up to 7% match
• 28 days holiday (plus bank holidays)
• Annual Learning and Wellbeing Budget
• Enhanced Parental Leave
• Cycle to Work Scheme
• Season Ticket Loan
• 6 free therapy sessions per year
• Dog Friendly Offices
• Free drinks and snacks in our offices

Interview Process

• First stage: 30 minute intro and values call with Talent Partner (video call)
• Second stage: 60‑minute technical interview with senior stakeholders (video call)
• Final stage: 60‑minute leadership and strategic thinking interview with executive team (in person)

Excited to work here? If you'd like to lead data protection innovation at one of Europe's fastest‑growing FinTechs, apply and we will aim to get back to you within 3 working days.