UK Data Protection Officer in London

London | Full-Time | 60000 - 75000 € / year (est.) | No home office possible
myGwork - LGBTQ+ Business Community

At a Glance

  • Tasks: Lead the UK Data Protection team and ensure compliance with data privacy laws.
  • Company: Beazley, an inclusive employer committed to diversity and innovation.
  • Benefits: Competitive salary, inclusive culture, and opportunities for professional growth.
  • Other info: Join a collaborative team focused on excellence and integrity.
  • Why this job: Make a real impact on data protection in a dynamic and supportive environment.
  • Qualifications: Experience in data protection and strong communication skills required.

The predicted salary is between 60000 - 75000 € per year.

This job is with Beazley, an inclusive employer and a member of myGwork – the largest global platform for the LGBTQ+ business community.

Division: 2nd Line: Compliance

Reports To: Head of UK Compliance & Regulatory Affairs

Key Relationships:

  • Head of UK Compliance & Regulatory Affairs
  • Heads of Compliance for the EU and North America and their teams
  • SMF16 for the BIdac UK branch
  • Regional DPOs and their teams
  • Group CRO and his SLT
  • Group COO and his functions: Group CISO, Head of IT, Head of Data Management, Commercial Management
  • People & Culture (Talent and HR Operations), Claims Operations, Underwriting: CUOs and Heads of product lines
  • External suppliers and retainers

Key Committees & Groups:

  • Group Data Privacy Sub-Committee (member)
  • Information Security Committee
  • AI Governance and Controls Committee
  • Data Retention Steering Group
  • Underwriting Data Working Group & TriFocus Review Group

SMCR Certification: This role is certified in the UK under the SM&CR.

Job Summary:

Through the effective day-to-day management of the UK Data Protection team, and collaborative engagement with other regional DPOs and their teams (or DPO equivalents):

  • Enable the UK Compliance function to manage data protection risk and regulatory compliance with applicable data privacy and data protection laws and regulation across the UK entities’ global licensed footprint including through effective Horizon Scanning and Training.
  • Ensure all UK entity, and any applicable global, controls for DP are fit for purpose and adhered to.
  • Contribute to, and enable the embedding of, a global DP framework to include all relevant Data Protection/Privacy policies, notices, systems, processes and controls.
  • Support the effective and consistent management of cross-border data protection activities in collaboration with the regional DPOs, including through the Group sub-committee for Data Protection.
  • Contribute to the development and delivery of high-quality reporting including through the use of relevant KPIs and KRIs across all relevant formal committees and forums internally, either as stand-alone DP papers or as part of the broader UK Compliance agenda and reporting.

Key Responsibilities:

  • Ensure that the UK entities’ legal and regulatory obligations for data privacy and protection across their licensed footprint are mapped to a comprehensive set of activities, processes and controls to enable compliance.
  • Ensure that the global Horizon Scanning framework is embedded in the UK DP team’s BAU with appropriate contributions to formal UK Compliance reporting including to the Change Committee.
  • Manage the UK DP team, tracking and monitoring the effectiveness of delivery against key activities, in line with internal SLAs, to ensure regulatory compliance (e.g. DPIAs/ ROPAs/ Policy, Notices and Marketing reviews/ Legitimate Interest Assessments/ Business Impact Assessments/ Training/ Advisory requests/ relevant registrations).
  • Keep workloads and resource needs under close observation and proactively identify problems or inhibitors and elevate where appropriate for resolution.
  • Identify development opportunities for direct reports and support the team pastorally.
  • Engage closely with internal stakeholders in Infosec, IT and co-sourcing relationships in Claims to support the effective and efficient delivery of DSARs, e-discovery requests, and subpoenaed information as required.
  • Oversee any externally outsourced DP provision for the UK entities in jurisdictions where they operate, working with regional DPOs as required where resources are shared.
  • Where appropriate and within your expertise, provide advice and guidance on technical DP matters including DP contract clauses where the contract is governed by English law.
  • Ensure contracts and service agreements with, but not limited to, third party suppliers, cover holders, program administrators, etc., meet information security, data security, privacy and breach notification requirements.
  • Retain external advisors when needed to ensure appropriate levels of specialism are enlisted when required.
  • Keep the UK Head of Compliance advised of accrued expenses.
  • Ensure UK DP-owned actions arising from all applicable audit, assurance and testing activities are completed on time.
  • Maintain a Privacy Incident Reporting and Response process to address any Privacy incidents that might occur in the UK or impacting UK data.
  • This service should respond to alleged policy violations and complaints from external parties.
  • Proactively escalate data breaches to the Boards of the relevant UK entity through the applicable Chair of the Risk Committee, ensuring it reaches the highest level of authority for the entity, while keeping the relevant CRO and Head of Compliance informed for potential notification to the UK regulators.
  • Lead on required notifications to the ICO where required and participate in any relevant incident response activity and lessons learned.
  • Work closely with Heads of Compliance, regional DPOs and their teams, European branch regulatory counsel, as well as other internal stakeholders, to create a global DP strategy and operating model, ensuring that global or cross-border activity is coordinated and our response to legal and regulatory requirements is consistent and clearly understood across the business.
  • In collaboration with regional DPOs as required, perform information privacy risk analysis on cross-border and UK initiatives.
  • Assist the IT department as required in the development of all system-related security plans throughout the organisation's network.
  • Undertake consent audits to validate consent is being obtained and retained as required under UK laws.
  • In collaboration with regional DPOs undertake records retention audits to ensure the organisation is retaining data as required.
  • Attend and contribute to formal committees, working groups and steering committees as required.
  • Oversee the production of insightful and thorough reporting on matters pertaining to the UK entities and their global footprint as part of standalone DP engagement with committees or the broader Compliance papers.

General:

  • Adopt the Beazley culture of Professionalism, Integrity, Effectiveness and Dynamic attitude that contributes to an internal environment of teamwork and promotes a positive brand image to our external customers.
  • Comply with Beazley procedures, policies and regulations relevant to your role.
  • Undertake relevant training on Beazley policies and procedures as required by your line manager, the Talent Management development or assurance teams (compliance, risk, internal audit) either directly, via e-learning or the learning management system.
  • Comply with any specific responsibilities necessary for your role as outlined by your line manager, the Talent Management development or assurance teams (compliance, risk, internal audit) and ensure you keep up to date with developments in these areas.
  • This may include, amongst others, Beazley’s underwriting control standards, Beazley’s claims control standards, other Beazley standards and customer relationship management.
  • Ensure that you uphold the Beazley principle of Treating Customers Fairly and Acting to Deliver Good Outcomes.
  • Carry out additional responsibilities as individually notified, either through your objectives or through the learning management system.

Person Specification:

Essential Criteria:

  • Proven experience in Privacy and Data Protection.
  • Previous DPO experience.
  • Degree level educated.

Education and Qualifications/Experience:

  • Knowledge of information systems desirable.

Skills and Abilities:

  • Excellent written and oral communication skills.
  • The ability to prioritise work and deliver results in a pressurised environment, through tactical and strategic planning.
  • The ability to manage significant client contact, providing expert advice which demonstrates judgement and an understanding of the business.
  • A demonstrated ability to develop strong relationships with internal clients.
  • The ability to provide support to more senior roles in developing key client relationships through the design of leading-edge technologies.
  • Self-motivated, with an ability to work with a high degree of autonomy and to be results-driven with a flexible approach to working.
  • The ability to work collaboratively with a broad range of constituencies.
  • A thorough understanding of UK Data Protection laws and regulations.
  • An unblemished career history holding positions requiring trustworthiness and personal integrity.
  • The ability to communicate technical and security-related concepts to a broad range of technical and non-technical staff and management.

Knowledge and Experience:

  • Experience in financial services is highly desirable, but not required.
  • Experience in the insurance industry is desirable but not required.
  • Multi-country experience (i.e., beyond UK, and ideally including APAC) is highly desirable, but not required.
  • Experience with model contractual clauses for international data transfers is highly desirable, but not required.

Aptitude and Disposition:

  • Outcome focused, self-motivated, flexible and enthusiastic.
  • Professional approach to successfully interact with managers/colleagues/external suppliers.

Competencies:

  • Technical expertise
  • Conceptual thinking and problem solving
  • Planning and managing resources effectively
  • Delivery orientation, initiative and drive
  • Purposeful communication and capacity to influence others
  • Team player
  • Customer focus

UK Data Protection Officer in London employer: myGwork - LGBTQ+ Business Community

Beazley is an exceptional employer that champions inclusivity and diversity, making it a welcoming environment for all employees, including those from the LGBTQ+ community. With a strong focus on professional development, employees are encouraged to grow through various training opportunities while working collaboratively in a dynamic team culture that values integrity and effectiveness. Located in the UK, Beazley offers a unique chance to engage with global data protection initiatives, ensuring that your contributions have a meaningful impact across the organisation.

Contact Detail:

myGwork - LGBTQ+ Business Community Recruiting Team

StudySmarter Expert Advice🤫

We think this is how you could land UK Data Protection Officer in London

Tip Number 1

Network like a pro! Connect with folks in the data protection field on LinkedIn or at industry events. You never know who might have the inside scoop on job openings or can put in a good word for you.

Tip Number 2

Prepare for interviews by researching Beazley and their approach to data protection. Show them you’re not just another candidate; you’re genuinely interested in how they operate and what challenges they face.

Tip Number 3

Practice your responses to common interview questions, especially those related to data privacy laws and compliance. We want you to sound confident and knowledgeable when discussing your experience!

Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, it shows you’re serious about joining the team.

We think you need these skills to ace UK Data Protection Officer in London

Privacy and Data Protection
Data Protection Officer (DPO) experience
Knowledge of UK Data Protection laws and regulations
Excellent written and oral communication skills
Ability to prioritise work in a pressurised environment
Client relationship management
Technical and security-related concept communication

Some tips for your application 🫡

Tailor Your Application: Make sure to customise your CV and cover letter for the UK Data Protection Officer role. Highlight your relevant experience in data protection and compliance, and show how your skills align with what Beazley is looking for.

Showcase Your Communication Skills: Since excellent written communication is key for this role, ensure your application is clear, concise, and free of errors. Use professional language but keep it approachable – we want to see your personality shine through!

Demonstrate Your Knowledge: Familiarise yourself with UK Data Protection laws and Beazley’s values. Mention specific regulations or frameworks you’ve worked with, and how they relate to the responsibilities outlined in the job description.

Apply Through Our Website: We encourage you to submit your application directly through our website. This way, you’ll ensure it reaches the right people and stands out in the process. Plus, it’s super easy to do!

How to prepare for a job interview at myGwork - LGBTQ+ Business Community

Know Your Data Protection Stuff

Make sure you brush up on UK Data Protection laws and regulations. Beazley is looking for someone who can demonstrate a thorough understanding of these laws, so be prepared to discuss how you've applied this knowledge in your previous roles.

Showcase Your Leadership Skills

As a Data Protection Officer, you'll be managing a team. Think of examples where you've successfully led a team or project, especially in compliance or data protection contexts. Highlight your ability to track and monitor effectiveness against key activities.

Prepare for Scenario Questions

Expect questions that ask how you'd handle specific data protection scenarios, such as a data breach or a request for information. Prepare structured responses using the STAR method (Situation, Task, Action, Result) to clearly articulate your thought process.

Engage with Their Culture

Beazley values professionalism, integrity, and teamwork. During the interview, reflect these values in your answers and show how you align with their culture. Share experiences that demonstrate your commitment to these principles in your work.