Data Protection Officer

Costain Limited is a leading smart infrastructure solutions company, dedicated to shaping a sustainable future for the UK. Founded in 1865, we have established ourselves as a forward-thinking leader in the engineering and technology sectors, delivering innovative solutions that drive progress and enhance lives, and addressing critical challenges in a diverse range of industries, including transportation, energy, water, and defence. We focus on creating value for our clients through integrated solutions that combine digital technology, consultancy, and complex project delivery.

Guided by our core values of safety, integrity, collaboration, and innovation, Costain is committed to maintaining the highest standards in everything we do; our projects not only meet today’s needs but also contribute to a more resilient future. Our values underpin our approach to every project, ensuring we deliver impactful and reliable outcomes.

Central to our strategy is our collaborative approach. We frequently work in joint ventures with other industry leaders to leverage a broad spectrum of expertise and resources. This collaborative spirit allows us to address complex challenges effectively and deliver superior results for our clients.

Our people are the driving force behind our success, and we cultivate a collaborative and inclusive culture that empowers our teams to innovate and deliver exceptional results. By joining our team, you become part of an organisation committed to making a tangible difference and building a resilient and sustainable future.

We are seeking a strategic and principled individual with a passion for data protection, to develop Costain’s data protection strategy, enable Costain to continue to protect its data, and to support Costain to harness data as a strategic asset. The successful candidate will be pivotal in leading the expansion and implementation of data protection initiatives across the Costain Group and our joint venture partnerships, working closely with others across a matrix structure (including the Head of Cyber Insurance and the Group Information Security Manager), to ensure full compliance with data protection laws and regulations

The role involves collaborating with multiple stakeholders to seamlessly integrate data protection practices into business operations and decision-making processes. The ideal candidate will ensure that data protection initiatives effectively support Costain’s business objectives and address customer needs across the diverse sectors we serve (including the Defense sector).

#LI-JK1

Promote and embed a culture of compliance that embraces data protection by design;

Lead the development of internal personal data and information security champions, fostering a strong understanding of data protection principles across the business, and providing guidance, training, and support on data protection matters;

Develop and maintain processes for handling data subject requests in a timely manner, and maintain accurate records of requests and responses;

Act as the primary point of contact for data subjects, supervisory and regulatory authorities, and internal teams;

Review data protection agreements, monitor practices, and (if necessary) conduct data protection audit assessments, of third party vendors and sub-processors;

Conduct assessments of new and existing systems, processes and policies involving the collection, processing, transfer or storage of personal data and special category data across Costain Group and our joint venture partnerships. This includes mapping such data storage locations and processing activities, assessing privacy and data security risks, and proposing mitigation strategies;

Work with stakeholders to develop and maintain incident response plans; investigate and manage breaches, and execute corrective actions while ensuring timely compliance with legal reporting requirements;

Ensure that effective governance arrangements and documentation are in place to achieve and maintain compliance with all relevant legal, regulatory, and policy requirements governing the processing of personal data and special category data;

Conduct horizon scanning of developments in data protection law, regulations, and practices and take appropriate steps to ensure the business remains aligned with any changes; and

Ensure appropriate data protection certifications are in place and renewed on a timely basis.

Knowledge, Skills and Experience

Essential

Proven Data Protection Officer experience in a business environment;

An in-depth knowledge of UK and EU legislation, case law, codes of practice, and guidance from regulatory bodies (such as the ICO and EDPB), relevant to privacy and data protection, including the UK GDPR and the Data Protection Act 2018 (and related regulations such as the Privacy and Electronic Communications Regulations). Familiarity with the Human Rights Act is also required;

Exceptional leadership skills, and a proven track record in stakeholder management;

Experience of working in an audit/compliance/governance context and good knowledge of compliance audit best practice;

The ability to anticipate/evaluate potential privacy and data protection compliance challenges;

The ability to assimilate and interpret information quickly; and explain complex legal, regulatory, and policy requirements to stakeholders at all levels clearly and effectively;

Ability to handle confidential information with discretion and integrity;

Strong risk assessment and decision-making skills to support best decision-making for Costain on data protection issues (including work prioritisation);

Strong ethical standards, self-reflectiveness, and excellent communication skills;

Ability to remain impartial and to report non-compliances;

Exceptional organisational skills, attention to detail, and an effective team player;

Innovative, comfortable challenging the status quo, and always striving for continual improvement;

Familiarity with security systems; and

Knowledge of sector-specific data processing practices is preferrable.

Desirable

• Knowledge of how to deploy data analytics to proactively detect instances of fraud, bribery and corruption.