SUMMARY:
Responsible for managing the organisation’s data protection and privacy compliance in an SME environment with fewer than 250 employees operating across the UK EU and Switzerland. This role provides pragmatic, proportionate GDPR compliance. The focus is on practical risk management, operational compliance and acting as the internal point of contact for data protection matters.

MAIN DUTIES AND RESPONSIBILITIES:

Responsible for the following activities, including but not limited to:

GDPR Compliance & Governance

• Maintain proportionate GDPR policies, notices, and procedures suitable for an SME.
• Maintain Records of Processing Activities (RoPA) in line with Article 30 requirements applicable to SMEs.
• Support privacy-by-design principles in new projects and systems.
• Conduct and document low-risk DPIAs where required; escalate higher-risk matters for external advice.

Data Subject Rights

• Act as the primary contact for data subject rights requests (including DSARs).
• Coordinate responses across HR, IT, and business teams.
• Ensure statutory deadlines are met under UK GDPR, EU GDPR and Swiss data protection law (FADP).

Incident & Breach Management

• Maintain a personal data breach register.
• Coordinate initial assessment and response to suspected data breaches.
• Support notification decisions and documentation, seeking external advice where appropriate.

Third-Party & International Transfers

• Conduct GDPR due diligence on key suppliers and processors.
• Ensure appropriate Article 28 processor agreements are in place.
• Maintain oversight of EU,UK and Swiss data transfers and reliance on UK adequacy.
• Identify and escalate any onward transfers outside the UK/EU/Switzerland

Training & Awareness

• Deliver practical GDPR awareness training for staff.
• Act as a day-to-day point of contact for data protection queries.

Monitoring & Reporting

• Monitor compliance with internal controls and policies.
• Provide concise updates to senior management on GDPR risks and compliance status.

QUALIFICATIONS & REQUIREMENTS:

• Practical working knowledge of UK GDPR and EU GDPR
• Knowledge of Swiss data protection law an advantage
• Experience managing DSARs, basic DPIAs, and data breach response
• Ability to apply GDPR proportionately in a commercial SME environment
• Strong organisational and stakeholder management skills
• Experience operating across UK and EU jurisdictions
• Familiarity with processor management and international data transfers
• Privacy, compliance, or risk management certification (or equivalent experience)
• Experience managing and maintaining an ISO9001:2015 aligned QMS desirable

KEY COMPETENCIES:

• Achieving Results
• Communication
• Self-Awareness
• Risk Management
• Data Subject Rights
• Influencer
• Organisational Skills