Data Protection Officer
Job Title: Data Protection Officer
Department/Division/Faculty: Legal Services Office, Central Secretariat
Salary: £54,880 - £62,980 per annum
Campus: South Kensington
Imperial College London (the College) is a science-based institution with a reputation for excellence in teaching and research. Imperial College is currently ranked 3rd in Europe and 8th in the world in the Times Higher Education World University Rankings 2016 – 2017. It is ranked 1st in the UK and 5th in the world in The Times Higher Education World's Most International Universities 2017.
The Data Protection Officer (or DPO in short) is required to be appointed under the EU General Data Protection Regulation (GDPR) which takes effect on 25 May 2018.
The DPO has to be dedicated to the role and suitably qualified and will have responsibility for ensuring the College’s compliance with the GDPR (note that this is a more senior role than what organisations (including the College) currently label as a Data Protection Officer). The DPO will be expected to be proficient at managing data security and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required of the DPO stretches beyond understanding legal compliance with data protection laws and regulations; the DPO will report directly to the highest management level of the College and will have sufficient authority to be able to act independently of senior management when required in carrying out his/her regulatory responsibilities. The DPO will be monitored by the Information Commissioner’s Office; in effect, the DPO must act as a ‘mini-regulator’.
The DPO will sit in the Central Secretariat of the College and will report to the Head of Legal Services in respect of day-to-day management responsibilities and to the College Secretary in respect of the post’s regulatory responsibilities. The current Legal Services Officer will have a dotted reporting line to the DPO in relation to the handling of subject access requests.
The DPO will have the following key responsibilities:
Data protection management & compliance
- Be the focal point for all activity within the College relating to data protection.
- Support and promote a culture of awareness of data security throughout the College.
- Oversee the College’s systems and controls in relation to data protection.
- Implement systems and controls to procure compliance with the GDPR and any other relevant data protection legislation and regulation, to include drafting, maintaining and implementing data protection policies and procedures, systems and controls.
- Advise on and implement procedures to ensure compliance with any requirements in relation to cross-border data transfers.
- Oversee and advise on procedures to deal with subject access requests.
- Undertake periodic data protection audits and ensure any deficiencies identified as a result of an audit are addressed.
- Advise and train staff on the requirements of the data protection regime and the handling of personal data.
- Be the first point of contact for all communications with the Information Commissioner in relation to the processing of personal data, and respond promptly to any request for information made by the Information Commissioner or any other relevant regulator or law enforcement agency.
- Ensure data processing agreements are in place with third parties handling personal data.
- Design templates for, advise on and approve (where required) privacy impact assessments and monitor their effectiveness.
- Monitor compliance with data protection requirements and with the College’s policies and procedures.
- Liaise, as required, with (among others) the College Secretary, the College’s Chief Information Officer, the Director of ICT, the Head of Operations, the Head of Governance, Information and Communication Technologies, and the Head of the Legal Services Office to ensure appropriate sharing of information and consistency of approach.
Advice and guidance
- Advise on the appointment and use of data processors and ensure appropriate contract terms are included in any data processing agreement.
- Inform and advise the College and any employees who process personal data of their obligations pursuant to the data protection legislation.
- Advise the College on any transfers of personal data outside the UK.
- As required, provide input on the data protection implications of the College’s strategy and projects.
- Provide advice and guidance to College staff in respect of any data protection questions, issues or developments that may arise from time to time including (among others) drafting data protection notices and obtaining consent from data subjects.
- Provide advice and guidance on subject access requests.
- Prepare suitable templates and guidance in relation to data protection and oversee and update from time to time the College’s data protection web pages.
- Prepare and submit from time to time (as regularly as may be agreed or requested) a report to the College’s senior management team which assesses the effectiveness of the College’s data protection arrangements, and makes appropriate recommendations for improvement.
Incident & risk management
- Devise and implement an internal system for reporting actual or suspected data security breaches (data security reports).
- Respond to and manage (including liaising with the ICO and any other regulator) any:
  - data security breaches
  - data security reports
  - communications received from, or enforcement action initiated by, the ICO or any other relevant regulator
  - complaints or communications relating to data protection
- Maintain a central register of data security reports in a form that allows the DPO and the College to:
  - monitor and assess the effectiveness of the College’s data protection systems
  - identify any data security reports that may be linked
  - adequately respond to requests for information
  - identify any training needs within the College
- Actively participate in the College’s Information Governance Steering Group (and any other similar groups that may be set up from time to time).
- Keep abreast of any regulatory or other changes relating to data protection that may affect the College and, as necessary:
  - inform the College in good time of any actions that need to be taken
  - amend existing policies and processes and/or devise and implement new policies and processes
  - train staff
- Monitor ICO guidance, enforcement actions and policies.
- Network with data protection and information security professionals outside the College to gain insight into good practice across the higher education sector.
Undertake any other duties as may reasonably be assigned within the general scope of the appointment.
Candidates must have a degree or equivalent in English law or another recognised legal or similar data protection qualification and must be able to demonstrate the following:
- Recent experience of advising on data protection issues in a large and diverse higher education organisation or other service organisation (essential requirement)
- Experience in dealing professionally with people at the highest level (essential requirement)
- Experience of dealing with sensitive and confidential information (essential requirement)
- Proven ability to provide practical, outcome-focused advice and support on data protection (essential requirement)
- Governance experience (desirable)
- Comprehensive knowledge of UK and EU data protection legislation and related guidance including in-depth knowledge of the GDPR (essential requirement)
- Knowledge of recent ICO guidance, consultations and published timetables in relation to the GDPR (essential requirement)
- Practical knowledge of data breach incident management processes and best practices (essential requirement)
Skills & Abilities
- The ability to influence, persuade and communicate effectively and self-confidently with a wide range of different people, including senior members of the College academic and administrative staff and Governors and members of the Court (essential requirement)
- A high standard of written and spoken English to enable drafting of key documentation (minutes, reports and presentations) and ability to produce clear, concise and very well-expressed written briefs and reports (essential requirement)
- A self-starter, capable of building strong working relationships within the team and at all levels across the College (essential requirement)
- Ability to manage and prioritise own workload and to meet deadlines (essential requirement)
- Practical approach to problem solving (essential requirement)
- Excellent organisational skills and an eye for detail (essential requirement)
- General computer literacy, with a good degree of ‘hands on’ proficiency in word processing, spreadsheet and database applications (preferably those in MS Office) (essential requirement)
- An understanding of, and sensitivity to, the ethos and objectives of a high-profile academic institution (desirable)
Closing date: 29 October 2017
Should you have any queries please contact:
Milena Radoycheva - 020 7594 3251, firstname.lastname@example.org
Our preferred method of application is online via our website http://www.imperial.ac.uk/job-applicants/. Please select “Job Search” then enter the job title or vacancy reference number SS 2017 277 HY into “Keywords”. Please complete and upload an application form as directed. CVs will not be accepted.
Committed to equality and valuing diversity, we are also an Athena SWAN Silver Award winner, a Stonewall Diversity Champion, a Disability Confident Employer and are working in partnership with GIRES to promote respect for trans people.
The College is a proud signatory to the San Francisco Declaration on Research Assessment (DORA), which means that in hiring and promotion decisions we evaluate applicants on the quality of their work, not the impact factor of the journal in which it is published. For more information, see https://www.imperial.ac.uk/research-and-innovation/about-imperial-research/research-evaluation/