TOC Data Protection Officer
About DFT Operator
Join Our Team at DFTO
DFTO is the government’s public sector rail owning group. Its purpose is to bring all currently privately‑owned train operators into public ownership in advance of the creation of Great British Railways in 2027 - and deliver improvements in the here and now by unifying and integrating train operations under common public ownership.
DFTO has over 30,000 employees, runs over 8,500 services a day and delivers over 640 million customer journeys across its networks every year. 7,000 people joined the railway family in the last year.
Major improvements are being delivered by DFTO train operators (TOCs) that are already under public ownership - these are LNER, Northern, TransPennine Express (TPE), southeastern, South Western Railway (SWR), c2c, Greater Anglia and WM Trains.
We work closely with the DfT but operate independently with our own governance and leadership teams. Our priority is ensuring efficient, dependable rail services for everyone.
Primary Purpose of Job:
As the statutory Data Protection Officer for assigned TOCs, monitor and drive compliance with an understanding of the UK General Data Protection Regulations (GDPR), Data Protection Act (DPA) 2018 and other legislative and regulatory requirements. Provide expert advice, and embed a culture of compliance through proactive engagement and training.
Key Responsibilities:
* Act as the statutory Data Protection Officer for assigned TOC(s), delivering on all minimum tasks defined in the Data Protection Act 2018 (as may be updated from time to time), reporting into relevant TOC Boards and acting as the designated contact for the ICO for relevant TOC(s).
* Manage complex Data Subject Access Requests (DSARs), rectifications, erasures, objections and other rights‑based requests, so they are processed efficiently, in line with internal policies and statutory deadlines, and in a manner that does not compromise the DPO’s independence. Ensure TOCs can respond to such requests with clear, accurate and legally compliant responses which avoid regulatory action.
* Provide independent advice on the completion of DPIAs, including assessment of privacy risks and mitigations and compliance with the principles of data protection by design.
* Provide independent oversight and advice in relation to personal data breaches for assigned TOCs.
* Work with the Senior TOC DPO to deliver targeted training and awareness sessions to employees of the assigned TOC(s), embedding a culture of compliance.
* Provide expert support and advice on data protection issues to assigned TOC(s), acting as a key point of contact for employees needing guidance on regulations and best practises.
* Where appropriate, provide guidance and supervision to data protection roles within the TOCS, acting as a point of escalation for complex and high‑risk Data Protection matters.
* Embed group policies, templates and process within assigned TOCs to drive consistency and standardisation of approach as well as high quality.
* Engage in collaborative initiatives with other data protection and compliance specialists across the group, supporting joint efforts and driving a continuous improvement culture, participating in group wide projects to share and embed best practise across the Group.
* Establish and develop relationships with senior leadership groups across assigned TOCs, advising on data protection principles, risks, and mitigations and processes that should be put in place to reduce the risk of breaches.
* Track and report on data protection performance, identifying trends and recommending process improvements. Report key metrics to the Senior TOC DPO.
* Maintain knowledge of current data protection law, technologies and best practice to be able to advise the business on compliance matters; disseminating key information across the data protection community, so the assigned TOC(s) are compliant and protected from regulatory action.
* Monitor data protection compliance across all assigned TOCs, conducting regular audits to identify risks, ensure compliance and drive improvements.
* Contribute to the development and delivery of DFTO’s overall data protection strategy, with a focus on TOC activity, that is aligned with organisational objectives and regulatory requirements.
Knowledge, Skills, Experience & Technical Qualifications:
* In‑depth knowledge of UK GDPR, DPA 2018, Privacy and Electronic Communications Regulations (PECR) and ICO guidance, with a strong focus on practical application in complex organisations.
* Strong track record in developing and implementing data protection frameworks across multiple business units.
* Expertise in managing complex and high risk DSARs, DPIAs, and data breach responses.
* Excellent stakeholder engagement skills, with ability to influence at senior levels.
* Demonstrable ability to interpret and communicate legal requirements in plain language to operational teams.
* Strong analytical and problem‑solving skills – able to identify risks and propose proportionate solutions.
* Ability to work collaboratively across legal, IT, security, and operational teams to align privacy objectives.
* Commitment to continual learning and ethical standards, safeguarding confidentiality at all times.
* Desirable: Holds a recognised data protection certification (e.g. CIPP/E or BCS Practitioner)
Vacancy Details:
Duration: Fixed Term contract/secondment to October 2027
Reports to: Senior TOC Data Protection Officer
Location: London Waterloo
Salary: up to £53,107
Closing date: 26th April 2026
DFTO Benefits:
Annual Leave: Starting at 25 days and rising to an additional day per year of service completed within the first 5 completed years up to a maximum of 5 additional (30 days)
DC Pension Scheme: 10% Employer contribution, 5% Employee contribution
Opportunities to learn and network across the wider industry
Contact: If you have any questions or reasonable adjustments, please contact amra.hurley@dftoperator.co.uk
J-18808-Ljbffr