Senior Data Protection Compliance Specialist

We’re on a mission to make migration easy. We started building Marshmallow in 2017. Since then, we’ve grown from 3 to 700+ people, gained unicorn status, raised ~£140M over three funding rounds, turned profitable, insured millions of drivers and lent millions in car loans. But we’re only just getting started. Our goal is to become one of the largest financial services providers in the world. Over the next 10 years we’ll grow exponentially, not only by scaling our existing products, but also by building new ones.

To achieve our goals we need incredibly ambitious, commercially driven people who never settle for ‘good enough’. Marshmallowers are hungry for autonomy and ownership, and would rather improve than coast. Everyone raises standards and has an impact, with a focus on collective success over self‑interest. We’ve created an environment where curious, tenacious people win and grow together. If that sounds motivating, this could be the place for you.

About the Role

We are looking for a skilled and experienced Senior Data Protection Compliance Specialist to strengthen our data protection function. Working closely with our designated Data Protection Officer (DPO) and wider Legal, Risk, Compliance and Technology teams, you will play a central role in driving and embedding a robust culture of data protection compliance across the organisation. This is a senior hands‑on role with significant scope and visibility. You will be a subject matter expert and trusted partner to the business — shaping policies, managing complex compliance workstreams, and supporting the DPO in meeting the organisation's obligations under UK GDPR and the Data Protection Act 2018. Whilst you will not hold the formal DPO designation, you will operate at a high level of autonomy and expertise.

What you’ll be doing

• Data Protection Compliance: Support and deputise for the DPO across day-to-day compliance activities, acting as a senior point of expertise for the business. Lead the organisation's DPIA programme, conducting and reviewing assessments for new and changed processing activities and presenting outcomes to senior stakeholders. Own and maintain the organisation's Record of Processing Activities (RoPA), ensuring accuracy, completeness, and regular review. Manage the end‑to‑end handling of Data Subject Access Requests (DSARs) and other data subject rights requests, ensuring timely and legally compliant responses. Lead on personal data breach management: triage, investigation, remediation tracking, and advising on ICO notification decisions in conjunction with the DPO. Advise business functions on lawful bases for processing, consent management, data retention, and data minimisation.
• Policy, Training & Governance: Develop, maintain, and implement data protection policies, procedures, and guidance documents, keeping them current with legislative and regulatory changes. Design and deliver engaging data protection training and awareness programmes for staff across all business areas, including tailored sessions for high‑risk teams. Support the embedding of privacy‑by‑design and privacy‑by‑default principles in new projects, products, and systems.
• Third Parties & Transfers: Review and negotiate data processing agreements (DPAs) and data sharing agreements, working closely with Legal and Procurement colleagues. Advise on international data transfer mechanisms including IDTAs, Transfer Risk Assessments (TRAs), and Binding Corporate Rules. Manage the organisation's supplier due diligence process from a data protection perspective.
• Monitoring & Horizon Scanning: Monitor the regulatory landscape, including ICO guidance, enforcement action, and relevant case law, and translate developments into actionable organisational recommendations. Assist in preparing for and managing ICO audits, investigations, or engagement as required.

Your Expertise

• Essential: Substantial experience (typically 5+ years) in a data protection compliance role, with a track record of managing complex workstreams independently. Expert knowledge of UK GDPR, the Data Protection Act 2018, and PECR, and their practical application in a business context. Hands‑on experience conducting DPIAs, managing DSARs, and handling data breach responses. Recognised data protection qualification such as CIPP/E, BCS Practitioner Certificate in Data Protection, or equivalent. Strong communication and influencing skills — able to engage credibly with senior stakeholders and translate complex requirements clearly. Ability to work with significant autonomy and manage competing priorities in a fast‑paced environment.
• Desirable: Experience in financial services (ideally within a fintech startup or scaleup environment). Familiarity with cyber security frameworks (e.g. ISO 27001, NCSC guidance) and their relationship to data protection. Exposure to EU GDPR compliance and cross‑border data flow requirements. Experience providing data protection guidance on AI, machine learning, or emerging technology.

Perks & benefits

• Bonus scheme designed to reward high performance
• Private medical insurance with Vitality, mental health support with Oliva
• Personal learning budget and 2 dedicated L&D days a year
• Monthly flexible benefits budget to spend as you choose
• 25 days holiday plus bank holidays
• 4 weeks Work From Anywhere per year

Diversity of thought: We know the best ideas come from having different perspectives in the room – and we’re committed to hiring fairly, regardless of background, identity or experience. If you see yourself in this role, we’d encourage you to apply.