What you would be doing

Tags: risk register, data ingestion, DPIA review, AI impact, incident response, privacy design
- Provide independent assurance to the DPO that Foundry use cases remain compliant and risks are effectively managed.
- Lead efforts to build privacy capability and embed a privacy-conscious culture within Foundry teams.
- Act as the embedded data protection lead for the Foundry platform programme, ensuring all use cases are designed and implemented in full alignment with the DH Data Protection Framework, applicable laws, and privacy by design principles.
- Provide proactive oversight of all Foundry use cases to ensure they are compliant, risk-assessed, and well-documented prior to go-live.
- Oversee and support the handling of data subject requests and incident response within the Foundry environment.
- Embed privacy by design and data protection principles at the earliest stages of project design and development.
- Ensure that use cases are supported by appropriate risk assessments, privacy notices, and legal bases, with clear records of approval and stakeholder engagement.
- Maintain an up-to-date risk register for Foundry processing activities, ensuring clear accountability and timelines for mitigation.
- Oversee the data ingestion process to verify all controls are in place before data is introduced into the platform, mitigating risks early.
- Deliver targeted training and practical workshops tailored for business owners, developers, and analysts involved with the platform.
Planning and Organising
- Maintain oversight of processing activities to ensure Records of Processing Activities (ROPAs) for Foundry are accurate, comprehensive, and regularly updated.
- Work closely with business owners to identify data protection risks early, including those arising from AI capabilities and cross-border data flows.
- Support business owners in complying with all required processes and artefacts (e.g., DPIAs, TIAs, ROPAs, LIAs, data maps) relevant to their use cases.
- Develop role-specific guides and quick-reference materials to help teams navigate complex data protection and AI requirements.
- Identify use cases that may trigger obligations under the EU AI Act or other applicable AI regulations, escalating them for further review as appropriate.
- Promote consistent and practical application of the framework by providing guidance and clarity on how requirements apply specifically to the Foundry platform.
- Apply the Group’s data protection framework to projects in scope, ensuring policies, procedures, and templates are clearly understood and adopted by relevant teams.
- Advise on Data Protection Impact Assessments (DPIAs) and AI Impact Assessments for relevant use cases.
- Work with stakeholders to close gaps and drive continuous improvement.
- Drive awareness and understanding during sign-off processes to ensure stakeholders fully appreciate the data protection implications of their projects.
- Support investigations of data incidents and embed lessons learned into ongoing processes to prevent recurrence.
- Ensure project documentation clearly captures decision rationales, risk mitigations, and alignment with privacy by design/default policies.
- Ensure requests are identified, tracked, and fulfilled within statutory timeframes.
- Serve as a trusted point of contact for data protection queries, ensuring timely escalation and resolution of issues.
- Ensure that evolving regulatory requirements—including emerging AI regulations such as the EU AI Act—are reflected in project documentation, controls, and workflows.
- Collaborate with Legal to address complex or emerging regulatory issues.
- Conduct targeted assurance reviews of high-risk or AI-related use cases.
- For use cases that present data protection risks which are non-compliant but commercially compelling, lead the preparation of detailed risk assessments outlining likelihood, impact, and residual risk. This assessment is communicated to the DPO to support executive-level decision-making regarding risk acceptance.
- Collaborate with technical teams to enable accurate extraction, correction, or deletion of data from the platform.