Group Head of Data Protection (Data Protection Unit)
Posted 6 hours 58 minutes ago by DfT Operator
About DFT Operator
Join Our Team at DFTO
DFTO is the government's public sector rail owning group. Its purpose is to bring all currently privately owned train operators into public ownership in advance of the creation of Great British Railways in 2027 - and deliver improvements in the here and now by unifying and integrating train operations under common public ownership.
DFTO has over 23,000 employees, runs over 6,000 services a day and delivers over 450 million customer journeys across its networks every year. This accounts for 26% of total UK passenger journeys and 30% of passenger miles.
Major improvements are being delivered by DFTO train operators (TOCs) that are already under public ownership - these are LNER, Northern, TransPennine Express (TPE), Southeast, South Western Railway (SWR), c2c and Greater Anglia.
Primary Purpose of Job: Provide leadership, direction and advice at a strategic level to promote data protection awareness and compliance across the DFTO group, integrating the data protection strategy across the organisation. Drive cultural change, manage risk, and deliver consistent pragmatic compliance during a transitionary period for the organisation and the railway. Act as the statutory Data Protection Officer for DFTO.
Key Responsibilities:
- Shape, steer and provide expert advice to senior leadership on DFTO's privacy strategy and governance model, setting the group wide privacy vision and the standards that will be applied across DFTO and all the Train Operating Companies (TOCs).
- Monitor and advise on a strategy that is compliant with relevant legislation, regulatory requirements and ICO guidance, reduces risk for the organisation and is aligned with wider business objectives and digital transformation plans.
- Provide strategic advice to the DFTO Board, and other senior executives and stakeholders, on privacy risks and recommended actions (including advising on risks around emerging technologies and regulatory trends) to deliver group wide best practice data protection solutions.
- Engage with external regulators and stakeholders, acting as DFTO's lead contact with the ICO and industry bodies to maintain constructive relationships, influence policy, and achieve timely, compliant outcomes.
- Act as the statutory DPO for DFTO, delivering on all minimum tasks defined in the Data Protection Act 2018 (as may be updated from time to time), reporting into the DFTO Board and acting as DFTO's designated contact for the ICO.
- Lead and develop a high performing team of data protection professionals, setting clear priorities and standards, whilst fostering alignment and peer support amongst data privacy employees in TOCs to achieve consistent compliance and a unified privacy culture
- Advise on the handling of complex or high risk Data Protection Impact Assessments (DPIAs), Data Subject Access Requests (DSARs) and breach investigations, approving and reviewing documentation where necessary, and acting as an escalation point to achieve legally compliant outcomes and maintain consistent standards.
- Collaborate with IT and cybersecurity teams to embed privacy controls into system architecture and introduce data systems that strengthen compliance, improve risk management, and support privacy by design across DFTO and TOCs.
- Influence and shape the long term evolution of DFTO's data protection operating model and resourcing plan that supports an efficient service across the group. Also, work collaboratively with Network Rail's Data Protection Office and cross industry partners to shape future data protection strategy and governance in preparation for Great British Railways.
- Oversee data protection mobilisation and transition activities for new TOCs joining DFTO, driving standardisation of group artefacts, policies and strategy in order to embed best practice and maintain consistency and quality across the group.
- Champion a privacy culture, embedding awareness of data protection through communications and development of a comprehensive training strategy, so that all individuals across the group are up to date with data protection requirements relevant to the role.
- Provide oversight of key Group wide documents - including the privacy risk register, the group record of processing activities, the breach log and DPIA register. Monitor data protection compliance (including through regular audits), maintain accurate, up to date records, track compliance trends, and use insights to inform risk management, compliance reporting, and drive continuous improvement across DFTO and TOCs.
- Provide independent oversight and advice on major breach responses at group level, including coordinating regulatory liaison and managing reputational risk. Establish and regularly test privacy crisis plans integrated with DFTO's business continuity framework so the organisation is prepared for major incidents and can maintain resilience and protect personal data during disruptions.
- In-depth knowledge of UK GDPR, DPA 2018, PECR, and sector specific obligations with significant experience of the practical application of these regulations, including the development and implementation of privacy frameworks at an organisation level.
- Understanding of public sector governance and legal accountability models
- Familiarity with information security, data sharing, records management and digital
- Proven ability to carry out the statutory tasks of a data protection officer in a large, devolved organisation with group companies, including a track record of engaging with the ICO and leading high risk privacy work.
- An excellent communicator (both verbal and written), confident interpreting and explaining complex requirements to a range of audiences and excellent drafting skills.
- Experience of leading a team to deliver performance improvement in a data protection or other compliance related field in a complex environment.
- Able to achieve results through persuading and influencing others at all levels of the organisation.
- Sound judgement, strong commercial acumen, resilience and a balanced attitude to risk
- Comfortable working at pace, with ability to effectively prioritise competing demands and to manage ambiguity during organisational change
- Desirable: Professional privacy qualification strongly preferred (e.g. CIPP/E, BCS)
- Desirable: Legal qualification helpful but not essential
Duration: 2 year Fixed Term contract/secondment
Reports to: Deputy Group General Counsel
Location: London Waterloo
Salary: £67,956 - £79,011
Closing date: 25th February 2026
DFTO Benefits:
Annual Leave: Starting at 25 days and rising by one additional day for each completed year of service within the first 5 years, up to a maximum of 5 additional days (30 days)
DC Pension Scheme: 10% Employer contribution, 5% Employee contribution
Opportunities to learn and network across the wider industry
Additional Information
Disclaimer: Candidates applying for this position on a secondment basis must inform their line manager prior to submitting their application. This is to ensure transparency and facilitate any necessary discussions regarding workload and responsibilities.
About our people and the recruitment process - We're an inclusive employer of choice and we welcome applications from everyone! We encourage our colleagues to work flexibly, as we know traditional working patterns don't always fit. If you want to consider working flexibly, just let us know and we'll do our best to help and invest in your career with us, whilst you have a healthy work life balance.
Contact: If you have any questions or reasonable adjustments, please contact .
Please do not email any CVs to us; your application must be made by clicking the 'Apply' button.