TOC Data Protection Officer
DfT Operator
Job Description
About DFT Operator
Join Our Team at DFTO
DFTO is the government’s public sector rail owning group. Its purpose is to bring all currently privately‑owned train operators into public ownership in advance of the creation of Great British Railways in 2027, and deliver improvements in the here and now by unifying and integrating train operations under common public ownership. DFTO has over 30,000 employees, runs over 8,500 services a day and delivers over 640 million customer journeys across its networks every year.
Major improvements are being delivered by DFTO train operators (TOCs) that are already under public ownership – LNER, Northern, TransPennine Express (TPE), Southeast, South Western Railway (SWR), c2c, Greater Anglia and WM Trains.
We work closely with the DfT but operate independently with our own governance and leadership teams. Our priority is ensuring efficient, dependable rail services for everyone.
Primary Purpose Of Job
As the statutory Data Protection Officer for assigned TOCs, monitor and drive compliance with, and understanding of, the UK General Data Protection Regulation (GDPR), Data Protection Act (DPA) 2018 and other legislative and regulatory requirements. Provide expert advice and embed a culture of compliance through proactive engagement and training.
Key Responsibilities
- Act as the statutory Data Protection Officer for assigned TOC(s), delivering all minimum tasks defined in the Data Protection Act 2018, reporting to relevant TOC Boards and acting as the designated contact for the ICO for relevant TOC(s).
- Manage complex Data Subject Access Requests (DSARs), rectifications, erasures, objections and other rights‑based requests, ensuring efficient processing in line with internal policies, statutory deadlines and DPO independence.
- Provide independent advice on the completion of DPIAs, including assessment of privacy risks, mitigations and compliance with the principles of data protection by design.
- Provide independent oversight and advice on personal data breaches for assigned TOCs.
- Work with the Senior TOC DPO to deliver targeted training and awareness sessions to employees of the assigned TOCs, embedding a culture of compliance.
- Provide expert support and advice on data protection issues to assigned TOCs, acting as a key point of contact for employees needing guidance on regulations and best practices.
- Where appropriate, provide guidance and supervision to data protection roles within the TOCs, acting as a point of escalation for complex and high‑risk data protection matters.
- Embed group policies, templates and processes within assigned TOCs to drive consistency and standardisation of approach as well as high quality.
- Engage in collaborative initiatives with other data protection and compliance specialists across the group, supporting joint efforts and driving a continuous improvement culture, participating in group‑wide projects to share and embed best practice across the Group.
- Establish and develop relationships with senior leadership groups across assigned TOCs, advising on data protection principles, risks and mitigations and processes to reduce breach risk.
- Track and report on data protection performance, identifying trends and recommending process improvements. Report key metrics to the Senior TOC DPO.
- Maintain knowledge of current data protection law, technologies and best practice to advise the business on compliance matters; disseminate key information across the data protection community so the assigned TOCs remain compliant and protected from regulatory action.
- Monitor data protection compliance across all assigned TOCs, conducting regular audits to identify risks, ensure compliance and drive improvements.
- Contribute to the development and delivery of DFTO’s overall data protection strategy, focusing on TOC activity, aligned with organisational objectives and regulatory requirements.
Knowledge, Skills, Experience & Technical Qualifications
- In-depth knowledge of UK GDPR, DPA 2018, PECR and ICO guidance, with a strong focus on practical application in complex organisations.
- Strong track record in developing and implementing data protection frameworks across multiple business units.
- Expertise in managing complex and high‑risk DSARs, DPIAs, and data breach responses.
- Excellent stakeholder engagement skills, with ability to influence at senior levels.
- Ability to interpret and communicate legal requirements in plain language to operational teams.
- Strong analytical and problem‑solving skills, able to identify risks and propose proportionate solutions.
- Ability to work collaboratively across legal, IT, security and operational teams to align privacy objectives.
- Commitment to continual learning and ethical standards, safeguarding confidentiality at all times.
- Desirable: Holds a recognised data protection certification (e.g., CIPP/E or BCS Practitioner).
Vacancy Details
Duration: Fixed‑term contract/secondment to October 2027
Reports to: Senior TOC Data Protection Officer
Location: London Waterloo
Salary: up to £53,107
Closing date: 26th April 2026
DFTO Benefits
- Annual leave – starting at 25 days and increasing by one day per year of service up to a maximum of 30 days.
- DC Pension Scheme – 10% employer contribution, 5% employee contribution.
- Opportunities to learn and network across the wider industry.
Contact
If you have any questions or require reasonable adjustments, please contact [email protected].