Data Privacy Officer
The Compliance and Risk (C&R) Team is based in London and led by the firm’s General Counsel, to whom this role will report.
The C&R Team advises the firm on all aspects of its legal and regulatory duties, including financial crime compliance, SRA STaRS, risk management, client engagement terms, complaints and claims, internal investigations, insurance, governance, external vendor contracts and data privacy. The legal team currently comprises 9 lawyers and 2 paralegals.
As part of that team, this role would involve advising internally on the firm’s own data privacy compliance; it would not involve advising clients of the firm although it may require liaison with clients and former clients, e.g. in respect of DSAR and file transfer requests.
This post is being advertised in anticipation of the retirement of the firm’s current data privacy officer in spring 2024 and due to expanding demand for data privacy and data governance advice within the firm. It is anticipated that the data privacy officer will be assisted by a paralegal and by other members of the C&R Team on an ad hoc basis if required.
Roles and Responsibilities
- Providing timely, accurate, and practical legal advice on all aspects of data protection and privacy to the firm.
- Ensuring that data protection is built into all relevant activities relating to the processing of personal data (data protection by design).
- Maintaining and advising on a privacy governance framework to manage data use in compliance with:
  - (1) UK and EU Data Protection Legislation, including maintaining and advising on the content and application of relevant data protection policies, developing templates for data collection, assisting with data mapping, and vendor management reviews; and
  - (2) the firm’s regulatory obligations in respect of client confidentiality.
- Liaising with local counsel as required to implement effective data privacy compliance in the firm’s non-UK offices, especially in the Middle East and Asia.
- Working with key internal stakeholders in the review of projects and other relevant activities to ensure compliance with local data privacy laws, and where necessary, complete and advise on privacy impact assessments and other risk assessments.
- Maintaining a record of processing activities and with other stakeholders determining, justifying and documenting the lawful basis for the processing.
- Serving as the primary point of contact and liaison for the SRA, ICO and other Data Protection Authorities on all data protection related matters under the UK and EU GDPR.
- Ensuring that all necessary registrations are in place.
- Serving as the primary point of contact for dealing with:
  - Data Subjects exercising their rights, including DSARs and erasure requests
  - Incidents and data breaches
  - Transfers of client data externally and/or internationally
- Advising on onward transfers of client files (e.g. with departing Partners) and client file access requests; supervising production of files to be sent externally for these purposes.
- Reviewing vendor contracts and consents needed to implement projects in partnership with the firm’s Procurement and Information Security functions.
- Developing strategies and initiatives to ensure engagement with key internal and external stakeholders and arrange audits as appropriate.
- Conducting comprehensive risk assessments to identify potential data protection vulnerabilities.
- Collaborating with the Information Security function to raise employee awareness of data privacy and security issues and providing training on the subject matter.
- Collaborating with the Information Security function to maintain records of all data assets and exports and maintaining a data security incident management plan to ensure timely remediation of incidents including impact assessments, security breach response, complaints, claims or notifications and responding to DSARs.
- Ensuring that the firm’s IT systems and procedures comply with all relevant data privacy and protection law, regulation and policy (including in relation to the retention and destruction of data) including in particular that appropriate technical and organisational security measures are in place to protect personal data of clients and others.
- Contributing to the mission of the wider C&R team to ensure we follow best practice and protect the firm from reputational and financial loss.
- Complying with all relevant legal and regulatory obligations, including the Solicitors Regulation Authority (SRA) Standards and Regulations, and Principles.
Qualifications and Experience
- Qualified lawyer, ideally a UK solicitor but other common law jurisdictions or EU jurisdictions may be acceptable
- As a guide, 8+ years PQE experience with a significant part of that focused on data privacy
- Ideally, a data protection/privacy qualification such as CIPP
- Experience in advising on compliance policies, intra-group and international data transfers, contractual data protection requirements, data breach incidents and DSARs is essential
- Experience of data governance design and implementation
- Some line management experience as the role may involve supervising a paralegal
- Strong knowledge of UK and EU data privacy and data protection laws, and a reasonable understanding of other major privacy frameworks and evolving legislation worldwide.
- Understanding of SRA regulatory requirements with regard to client confidentiality and clients’ exercise of their data protection rights.
- Sufficient knowledge of information technology and data management systems.
- Well-developed and professional interpersonal skills; ability to interact effectively with people at all organisational levels of the firm.
- Ability to work unsupervised, exercise leadership, and influence change.
- Ability to remain calm under pressure and respond quickly, effectively and at short notice to unforeseen incidents
- Strong change and project management skills, including the ability to manage time well, prioritise effectively, and handle multiple deadlines.
- Ability to use independent judgment and discretion when making decisions.
- Ability to handle confidential and sensitive information with the appropriate discretion.
- Ability to apply professional knowledge into pragmatic, commercial solutions.
- Client service and focus on delivery
- Technical ability
- Interpersonal skills, including team-working, leadership and influencing
- Resilience and pragmatism
- Judgement and decision making
For a detailed specification please download the job description in the documents section of this page.