Senior TOC Data Protection Officer
About DFTO
DFTO is the government’s public sector rail owning group. Its purpose is to bring all currently privately-owned train operators into public ownership in advance of the creation of Great British Railways in 2027 – and deliver improvements in the here and now by unifying and integrating train operations under common public ownership.
DFTO has over 30,000 employees, runs over 8,500 services a day and delivers over 640 million customer journeys across its networks every year. 7,000 people joined the railway family in the last year.
Major improvements are being delivered by DFTO train operators (TOCs) that are already under public ownership — these are LNER, Northern, TransPennine Express (TPE), Southeastern, South Western Railway (SWR), c2c, Greater Anglia and WM Trains.
We work closely with the DfT but operate independently with our own governance and leadership teams. Our priority is ensuring efficient, dependable rail services for everyone.
Primary Purpose Of Job
Oversee and monitor data protection compliance across all TOCs within the DFTO Group. Act as the senior authority on data privacy across TOCs, aligning policies and practices, managing a team of TOC Data Protection Officers and embedding best practice to drive consistent compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and other legislative and regulatory requirements. Contribute to DFTO’s overall data protection strategy and act as the statutory DPO for selected TOCs.
Key Responsibilities
Lead and line‑manage TOC Data Protection Officers, providing guidance, coaching and performance oversight to build a high‑performing team that drives compliance across the Group.
Act as the statutory Data Protection Officer for selected TOCs, delivering on all minimum tasks defined in the Data Protection Act 2018, reporting into relevant TOC Boards and acting as the designated contact for the ICO for relevant TOCs.
Manage complex Data Subject Access Requests (DSARs), rectifications, erasures, objections and other rights‑based requests, so they are processed efficiently, in line with internal policies and statutory deadlines, and in a manner that does not compromise the DPO’s independence. Ensure TOCs can respond to such requests with clear, accurate and legally compliant responses which avoid regulatory action.
Provide independent advice on the completion of DPIAs, including assessment of privacy risks and mitigations and compliance with the principles of data protection by design.
Provide independent oversight and advice in relation to personal data breaches for assigned TOCs.
Align data protection policies, templates and processes across all Group TOCs, working closely with TOC DPOs to drive consistency and standardisation of approach as well as high quality.
Drive a continuous improvement culture among TOC data protection professionals, collating, sharing and embedding best practice across TOCs, reviewing lessons learned and implementing improvements to strengthen compliance culture.
Establish and develop relationships with senior leadership groups across assigned TOCs, advising on data protection principles, risks, and mitigations and processes that should be put in place to reduce the risk of breaches.
Oversee and direct delivery of training and awareness programmes across all TOCs, embedding a culture of compliance and delivering materials that enable staff to understand their data protection responsibilities.
Provide expert support and advice on data protection issues to assigned TOC(s), acting as a key point of contact for employees needing guidance on regulations and best practices.
Work closely with TOC DPOs to monitor data protection compliance across all TOCs, conducting audits and assessments to identify risks and improvement opportunities and challenge non‑compliant processes.
Report compliance performance, risks and trends across all DFTO TOCs to the Head of Data Protection, providing clear insights and recommendations for strategic decision‑making.
Knowledge, Skills, Experience & Technical Qualifications
Demonstrable practical knowledge of data protection with experience of taking a lead role in a data protection and information governance environment.
In-depth knowledge of UK GDPR, DPA 2018, Privacy and Electronic Communications Regulations (PECR) and ICO guidance, with a strong focus on practical application in complex organisations.
Degree level education or equivalent experience in law, data protection, information governance or a related discipline.
Strong track record in developing and implementing data protection frameworks across multiple business units.
Expertise in managing complex and high‑risk DSARs, DPIAs and data breach responses.
Excellent leadership and stakeholder engagement skills, with ability to influence at senior levels.
Demonstrable ability to interpret and communicate legal requirements in plain language to operational teams.
Strong analytical and problem‑solving skills – able to identify risks and propose proportionate solutions.
Ability to work collaboratively across legal, IT, security and operational teams to align privacy objectives.
Commitment to continual learning and ethical standards, safeguarding confidentiality at all times.
Desirable: Experience of line managing a team.
Desirable: Holds a recognised data protection certification (e.g., CIPP/E or BCS Practitioner).
Vacancy Details
Duration: Fixed Term contract/secondment to October 2027
Reports to: Group Head of Data Protection
Location: London Waterloo
Salary: up to £67,067
Closing date: 26th April 2026
DFTO Benefits
Annual Leave: Starting at 25 days, rising by one additional day per year of service completed within the first 5 years, up to a maximum of 5 additional days (30 days in total)
DC Pension Scheme: 10% Employer contribution, 5% Employee contribution
Opportunities to learn and network across the wider industry
- Location: Greater London
- Job Type: Full Time