Data Protection Officer in Oxford

The Role

Reporting to the General Counsel, the successful candidate will be responsible for maintaining and developing Oxford Nanopore’s data protection and privacy compliance framework. The DPM works to ensure that ONT understands and complies with all relevant data protection legislation and regulations in all countries where the company operates. Current key regulatory regimes are UK, GDPR, US, Canada, Australia, and Singapore. This is a hands‑on operational role responsible for directly executing core privacy compliance activities, managing assessments, completing records, and coordinating end‑to‑end data protection processes across the business. The role works closely with Legal, Information Security, HR, Commercial, Clinical/Regulatory and R&D teams, to provide support and guidance to the business, to maintain necessary policies, processes and records, and to help embed privacy‑by‑design principles across the organisation.

Responsibilities

• Be the first and main point of contact within the company for all day‑to‑day data protection and privacy matters, and work with the company’s external Data Protection Officer as required to address more complex matters;
• Conduct Data Protection Impact Assessments for new and changing processes and systems, and review DPIAs for higher risk processing on a rolling three‑year basis; conduct Legitimate Interest Assessments, Transfer Risk Assessments as required;
• Maintain data protection and privacy documents and records (data protection and retention policies, privacy notices, RoPA, data breach log, register of data rights requests, etc.);
• Work with Commercial and other colleagues to implement Data Sharing Agreements with partner organisations;
• Lead and manage responses to individuals seeking to exercise their personal data rights (data subject access requests, requests to erase or correct personal data, etc.);
• Lead the company’s response to incidents involving the loss or breach of personal data, and work closely with IT, Information Security, and other colleagues on the personal data breach aspects of wider cybersecurity incidents;
• Monitor, review and respond to any data protection queries raised by internal or external stakeholders, including matters sent directly to the DPO email account;
• Define and deliver regular and relevant staff awareness training on data protection and privacy via ONT’s internal training platform and in person where required;
• Maintain and develop appropriate content (guidance, FAQs, etc.) on the Data Protection subsite of the company’s resource centre;
• Provide data protection input and guidance to the company’s internal supplier management and assurance processes;
• Monitor changes to data protection and privacy laws, and healthcare information governance policies and other emerging trends of relevance to the business;
• Maintain and update appropriate registrations with the regulatory authorities, including ICO;
• Engage and manage specialist external consultants or privacy advisors to support complex assessments, DPIAs, TRAs, international transfer analysis, cloud architecture reviews or emerging regulatory requirements;
• Periodically commission independent external assessments to validate ONT’s privacy posture and benchmark against industry standards;
• Review and assist in responding to customer questionnaires;
• Lead initiative towards HIPAA compliance;

Key Requirements

• Degree‑level education or equivalent relevant experience;
• Strong working knowledge of UK GDPR and international data protection frameworks;
• Proven experience in a data protection, privacy or compliance role within a multinational organisation;
• Experience within life sciences, biotechnology, healthcare or technology sectors;
• Experience supporting international data transfers and global compliance programmes;
• Experience interacting with regulators (e.g., ICO or EU supervisory authorities);
• Experience conducting DPIAs and advising on privacy risk mitigation;
• Experience managing data subject rights requests and breach processes;
• Experience reviewing and negotiating data protection clauses in commercial agreements;
• Ability to translate regulatory requirements into pragmatic business guidance.

Other Requirements

• Passion for data protection and privacy;
• Strong communication skills with ability to engage stakeholders at all levels;
• Pragmatic, commercially aware and solutions‑focused;
• Strong organisational skills and attention to detail;
• Ability to work autonomously in a fast‑paced environment;
• Collaborative approach with strong influencing skills.

Please note that no terminology in this advert is intended to discriminate on the grounds of a person’s gender, marital status, race, religion, colour, age, disability or sexual orientation. Every candidate will be assessed only in accordance with their merits, qualifications and abilities to perform the duties of the job.