JOB DESCRIPTION Data Protection Officer Responsible to: Director of Governance Key Relationships: Technology, Operations and Commercial teams Purpose of Role: The purpose of the role is to provide oversight and expert guidance on all matters relating to data protection and privacy compliance across the organisation. The postholder will ensure adherence to UK GDPR, the Data Protection Act 2018, and internal governance standards by monitoring compliance, advising on risks, and supporting the organisation’s accountability framework. The role exists to safeguard personal data, promote best practice, and ensure the organisation meets its statutory and regulatory obligations. Location: Hours: Hybrid 22 hours per week with flexibility to agree specific working patterns. About Preventx Preventx is a fast-growing technology company with more than 13 years’ experience as the market leader in online sexual health and STI sampling services. We work with over 60 local authority regions and NHS providers across the UK and are a trusted partner of the NHS. Our services have enabled around 1.7m people to test for STIs, improving public health whilst saving money. With recent investment, the company is committed to growth and continuous improvement. You will join a supportive team where you’ll be encouraged to do your best work and define the way we use data in the business. The Data Protection Officer (DPO) is responsible for overseeing the organisation’s data protection activities, ensuring compliance with UK GDPR, the Data Protection Act 2018, and related privacy legislation. The postholder will act as the key internal adviser on data protection matters, provide independent oversight, and serve as the primary contact for the Information Commissioner’s Office (ICO). The DPO will support the organisation in maintaining high standards of data governance, risk management, and accountability. Key Responsibilities Leadership & Strategy • Serve as the organisation’s senior authority on data protection, privacy, and AI governance, offering expert leadership across all business areas. • Provide clear, pragmatic and commercially informed advice on privacy risks, compliance obligations, and risk mitigation approaches. Governance, Risk & Compliance • Oversee and maintain core privacy governance documentation, including Records of Processing Activities (RoPA), DPIAs, risk registers, and policy frameworks. • Ensure sustained compliance with applicable data protection laws, standards, and regulatory frameworks. • Lead internal and external audits related to privacy, information governance, and relevant assurance schemes. • Strengthen and refine privacy governance structures, reporting mechanisms, and internal controls to support continuous improvement. • Manage data transfer requirements, in line with legal and regulatory expectations. Privacy by Design & Technology • Embed Privacy by Design and Security by Design principles across the organisation. • Identify opportunities to enhance, automate, and streamline privacy and security processes across the organisation’s platforms and operations. Incident Management & Assurance • Lead the organisational response to data protection and information security incidents, including assessment, investigation, containment, remediation, and regulatory liaison where necessary. • Manage and oversee the timely handling of Data Subject Access Requests (DSARs) and other data subject rights requests, ensuring compliance with statutory requirements and maintaining robust audit trails. • Oversee third party due diligence and review supplier contracts to ensure appropriate data protection and information security standards are met. • Support internal teams in responding to complex assurance requests, audits, and client security questionnaires. Training & Culture • Develop and deliver engaging training programmes and communications to strengthen organisational understanding of data protection and information security. • Promote and champion a strong culture of accountability, transparency, and continuous improvement across the business. Person Specification The preferred candidate will have the following experience, abilities, and aptitudes: Criteria Essential Qualification • Bachelor’s degree or equivalent experience. Knowledge and Experience • In depth understanding of UK GDPR, the Data Protection Act 2018, PECR, and relevant ICO guidance. • Strong working knowledge of data protection principles relating to digital health technologies and the processing of special category (health) data. • Significant experience in a data protection, information governance, or privacy focused role within a regulated or technology driven environment. • Proven experience conducting and reviewing DPIAs, RoPA, and data protection risk assessments. • Demonstrable experience managing Data Subject Access Requests (DSARs) and other data subject rights requests. • Experience overseeing data protection incidents, including investigation, documentation, and remediation. • Demonstrable experience with the NHS Data Security and Protection Toolkit (DSPT), including completion, assessment, or oversight of compliance activities. • Proven experience working with ISO 27001 frameworks, including implementation, maintenance, or auditing of information security controls. • Experience advising and influencing senior stakeholders, product teams, and technical colleagues. Skills • Strong analytical and problem solving skills, with the ability to interpret complex legislation and apply it in a practical, proportionate way. • Excellent written and verbal communication skills, capable of providing clear guidance to technical and non technical audiences. • Ability to work independently and act impartially, exercising sound judgement in high stakes or time sensitive situations. High attention to detail with strong organisational and record keeping skills. Personal Attributes • High level of integrity, professionalism and discretion when handling sensitive or confidential information. • Confidence to challenge decisions constructively and promote a culture of accountability. • Commitment to continuous improvement and staying up to date with regulatory changes and best practice. This job description is not exhaustive and serves only to highlight the main requirements of the post holder. The line manager may stipulate other reasonable requirements. The job description will be reviewed regularly and may be subject to change. Equity, Diversity & Inclusion at Preventx At Preventx, we believe diversity drives innovation and inclusion strengthens our impact. We’re committed to creating a workplace that values individual differences and fosters a culture of respect, belonging, and growth. We welcome applications from people of all backgrounds, identities, and experiences—including those from underrepresented communities. If you need any support with your application or adjustments during the recruitment process, we’re here to help.