Head of Information Governance and Data Protection

**SUMMARY**

The Head of Information Governance and Data Protection Officer (DPO) role is the professional lead for Information Governance at Veezu Group. The role will provide expert Information Governance advice and guidance to the Veezu management team and key partners; to ensure that all parties are processing information in accordance with legislation, guidance, while meeting their legal and regulatory obligations.

The Data Protection Officer is an essential role in facilitating ‘accountability’ and the organisations’ ability to demonstrate ongoing compliance with GDPR, where the DPO performs another role or roles there must be no conflict of interest. While this role reports to the IT Director, direct access to the Veezu Executive Board is assured in the fulfilment of their DPO duties. Ensuring that the DPO can effectively carry out their responsibilities and have their concerns and recommendations heard at the highest level of the organisation.

**ROLE DUTIES AND EXPERIENCE REQUIRED**
- Act as the appointed statutory Data Protection Officer as defined by the General Data
- Protection Regulation 2016 for Veezu Group.
- Be the lead source of information and expertise on information governance and data protection, including but not limited to: The Data Protection Act 1998, The UK and EU General Data Protection Regulation, ISO27001 Information Security Standard, PCI-DSS Card Payment regulation, The Freedom of Information Act 2000, Environmental Information Regulations 2004, The Common Law Duty of Confidence, The Computer Misuse Act, The Office of the Information Commissioner and its associated powers, Information Commissioner Directives/Guidance
- Lead the development of strategies, policies, and guidelines that ensure organisational compliance with information governance and data protection regulations across all departments. This will require making decisions in unprecedented situations.
- Co-operate with and be the first point of contact for the Information Commissioner.
- Develop Information Governance policies that address: Organisational accountability, DPO reporting arrangements, Timely involvement of the DPO in all data protection issues, Compliance assurance: privacy by design/default, When and where data protection impact assessments are required and subsequent reporting on performance, The DPO’s role in incident management
- Have sufficient understanding of the processing operations carried out, as well as the information systems and data security and data protection needs of the organisation.
- Monitor the effectiveness of policies and procedures and the organisations’ compliance with them through a proactive program of audit and review, in conjunction with all functions across the operating model and other stakeholders and bodies.
- Have senior responsibility for the development of a robust Information Risk Assurance function which includes Cyber Security, System Failure and GDPR.
- Provide a single point of knowledge to senior management and staff with clear policies and procedures that ensure Veezu meets both its statutory and legal obligations.
- Maintain an awareness of evolving legislation and national guidance relating to all areas of responsibilities.
- Promote an effective information governance and risk culture that embeds information governance across the Veezu organisation.
- Lead on the development of training, awareness and communications programmes aimed at
- informing and advising Veezu staff (at all levels) to promote understanding of their obligations to comply with information governance requirements.
- Ensure the Data Security and Protection Toolkit (DSPT) and other IG related audit submissions are made correctly, within timescales and are signed off by the Veezu Exec/Board where applicable and that evidence is available to support the attainment levels submitted. This includes overseeing the delivery of action plans and improvement programmes to support compliance with legislation and national Information Governance requirements. This will require liaison with senior managers throughout the organisation.
- Develop/enforce organisational trigger-points for mandatory input from the DPO providing advice on Data Protection Impact Assessments (DPIA) to offer a balanced independent review of activities such as business improvements, system requests for change, large scale business development and introduction of new systems and services, to: Give consideration of the business needs against GDPR and other information governance / security requirements, Provision of advice and guidance on changes required to meet/maintain GDPR/IG compliance, Identification of system change requirements to support GDPR/IG compliance, Consult with the Information Commissioner’s Office (ICO) where proposed processing poses a high risk in the absence of proposed mitigations, Provide expert input for commercial contracts, invitations to tender, etc, whilst ensuring robust information secu