Data compliance is not a peripheral function here — it sits at the heart of the product and the business model. As the company matures and invests in its legal and governance infrastructure, this role has been created to lead and embed a privacy function that is genuinely robust, not just defensible on paper.
The Role
Reporting to the CLO, this is a hands-on leadership role with real scope and immediate impact. You will be the primary privacy resource in-house, leading and driving core privacy workstreams across the business, from policy and governance through to privacy by design, AI governance, and training.
This is an opportunity to build something. You will shape the privacy function around genuine business need, working directly with product, engineering, sales, marketing and HR. You will be expected to lead workstreams, not just support them.
What You Will Do
* Privacy governance and policy - own the full suite of privacy policies, frameworks and governance documentation; build and operationalise a data retention framework; maintain the ROPA and privacy notices; support internal and external audits; manage the subject rights process and privacy incidents end-to-end.
* Privacy by design - embed a privacy by design programme across product and engineering; develop practical frameworks that allow fast-moving teams to build compliantly; act as the primary legal voice in product development cycles; work directly with engineering to translate legal requirements into implemented solutions.
* AI strategy and implementation - lead the development of an AI governance framework; advise on privacy implications of AI tools and features; lead DPIAs for AI-related processing; keep the business ahead of regulatory change in this space.
* Global data complexity - progress Transfer Impact Assessments for non-EEA transfers; support jurisdiction-specific compliance requirements; work with engineering on data dictionary and field-level mapping.
* Vendor governance - refine the DDQ process; manage vendor audit cadence; review and negotiate DPAs.
* Training and engagement - design and deliver a refreshed privacy training programme across the business; build genuine privacy literacy, not tick-box compliance; be the adviser people actually want to call.
* Commercial support - advise on data protection aspects of contracts and supplier arrangements; support the wider legal team on matters with a data dimension.
* Advise and influence senior leadership, including at C-suite level, on privacy risk, strategy and business impact; translate complex privacy issues into clear, actionable guidance that executives can act on
About You
You are a qualified solicitor with 5–8 years' PQE and a strong privacy specialism. You have genuine in-house experience and have owned and delivered privacy workstreams, not just advised on them. You are ready to lead a function, and you want the platform to build something properly rather than inherit someone else's structure.
You are comfortable working with engineering and product teams, and you understand that implementation matters as much as the legal analysis behind it. You bring sound judgment, a commercial mindset, and the ability to work autonomously in a complex, fast-moving environment. You are calm and structured under pressure.
Essential:
- Qualified solicitor (England & Wales or equivalent)
- 5–8 years' PQE in data protection / privacy law
- In-house experience owning and delivering privacy programmes end-to-end
- Practical grounding in UK GDPR, EU GDPR, CCPA, EU AI Act and international transfers
- Experience working directly with engineering or product teams
- AI governance experience - essential, not desirable
- Ready to step into a leadership role and build a function
**Desirable:**
- Background in B2B data, adtech or a business where data is the product
- Experience with DSAR automation tooling
- International privacy experience beyond UK/EU
- Direct ICO or DPA engagement
- CIPP/E or equivalent qualification
What This Role Is and Isn't
✅A leadership role with genuine scope to build a privacy function from a strong foundation
✅ Suited to someone stepping into their first Head of Function role who wants to own something, not inherit it
✅ Execution-focused — you will lead workstreams hands-on, not manage others doing them
🚫 Not a DPO role
🚫 Not a large-team leadership position
🚫 Not a role for someone who advises but does not implement