Data Protection Senior Associate L2 - Risk Management - Manchester

At Ernst provides advice on complex matters; delivers training and awareness; and monitors the application of global and local policies. The team sits within Central UK Risk Management alongside other specialist risk and compliance functions.

This role supports EY’s compliance with data protection and privacy legislation, including UK GDPR and Data Protection Act 2018. It is suited to an experienced compliance or risk professional who operates with independence, accountability and commercial judgement. As a Senior Associate, you will take ownership of complex data protection matters, progressing work with limited supervision and acting as a trusted escalation point for the business. You will exercise confident decision‑making, provide clear and pragmatic advice, and influence stakeholders across the firm.

Your Key Responsibilities

• Act as the first point of contact for the business on data protection queries, providing clear, pragmatic advice while balancing regulatory requirements with commercial realities.
• Independently manage data subject rights requests, determining appropriate actions and escalating only when necessary.
• Lead investigations into data incidents and breaches, taking ownership of fact‑finding, containment and mitigation, and coordinating with stakeholders to drive timely resolution.
• Lead and coordinate the review of Privacy and Confidentiality Impact Assessments (PIAs) for EY products, applications, tools, technologies and suppliers, providing risk‑based assessment and guidance to product owners on required controls and mitigations.
• Draft, review and update internal data protection policies, procedures and training materials, ensuring they are practical, current and aligned to regulatory expectations.
• Manage personal workload and competing priorities autonomously, ensuring work queues progress efficiently and service standards are met without day‑to‑day direction.
• Proactively identify opportunities to improve and streamline data protection processes, taking responsibility for driving enhancements rather than merely supporting them.
• Support wider Data Protection initiatives and projects, contributing expertise and leadership as required, with minimal supervision from Managers or the Data Protection Officer.

Behaviours, skills and attributes for success

• Operate with confidence and independence, progressing work and making informed decisions without detailed instruction.
• Demonstrate an “ownership” mindset — seeing issues through from identification to resolution.
• Provide credible challenge and clear messaging to senior stakeholders, including delivery of difficult or risk‑based advice.
• Remain resilient and effective in a fast‑paced, ambiguous environment, adapting quickly as priorities change.
• Have a strong ability to plan, prioritise and execute work independently, managing complexity with minimal oversight.
• Exhibit excellent judgement and problem‑solving skills, confidently taking responsibility for decisions.
• Communicate authoritatively, able to influence and advise stakeholders at all levels of the firm.
• Maintain a calm, professional, positive and resilient approach under pressure, with a pragmatic and solutions‑focused mindset.
• Maintain high levels of accuracy and attention to detail.
• Work collaboratively within a high‑performing team, contributing to wider objectives and supporting colleagues where needed.

To qualify for the role you must have:

• At least two years of professional work experience in a relevant role such as complaints handling, incident management, quality control/assurance, risk management, legal or compliance.
• An interest in understanding UK data protection and privacy legislation and a risk‑based approach to compliance.
• While full training will be provided, ideally, you’ll also have one of the following:
• Familiarity and practical experience with the application of data protection law and/or policies.
• Experience working in financial/professional services or a regulated environment.
• Certified courses or qualifications in data protection or privacy, e.g., CIPP/E.