TOC Data Protection Officer


DfT Operator
London, UK


Job Description

Job Ref: DOH1147

Branch:
DFT Operator

Location:
London

Salary/Benefits:
Salary up to £53,107

Contract type:
Fixed Term

Hours:
Full Time

Hours per week:
37.5

Posted date:
09/04/2026

Closing date:
26/04/2026


About DFT Operator

Join Our Team at DFTO

DFTO is the government’s public sector rail owning group. Its purpose is to bring all currently privately-owned train operators into public ownership in advance of the creation of Great British Railways in 2027 – and deliver improvements in the here and now by unifying and integrating train operations under common public ownership.

DFTO has over 30,000 employees, runs over 8,500 services a day and delivers over 640 million customer journeys across its networks every year. 7,000 people joined the railway family in the last year.

Major improvements are being delivered by DFTO train operators (TOCs) that are already under public ownership – these are LNER, Northern, TransPennine Express (TPE), Southeastern, South Western Railway (SWR), c2c, Greater Anglia and WM Trains.

We work closely with the DfT but operate independently with our own governance and leadership teams. Our priority is ensuring efficient, dependable rail services for everyone.


Primary Purpose of Job:

As the statutory Data Protection Officer for assigned TOCs, monitor and drive compliance with an understanding of the UK General Data Protection Regulation (GDPR), Data Protection Act (DPA) 2018 and other legislative and regulatory requirements. Provide expert advice, and embed a culture of compliance through proactive engagement and training.


Key Responsibilities:

  • Act as the statutory Data Protection Officer for assigned TOC(s), delivering on all minimum tasks defined in the Data Protection Act 2018 (as may be updated from time to time), reporting into relevant TOC Boards and acting as the designated contact for the ICO for relevant TOC(s).
  • Manage complex Data Subject Access Requests (DSARs), rectifications, erasures, objections and other rights-based requests, so they are processed efficiently, in line with internal policies and statutory deadlines, and in a manner that does not compromise the DPO’s independence. Ensure TOCs can respond to such requests with clear, accurate and legally compliant responses which avoid regulatory action.
  • Provide independent advice on the completion of DPIAs, including assessment of privacy risks and mitigations and compliance with the principles of data protection by design.
  • Provide independent oversight and advice in relation to personal data breaches for assigned TOCs.
  • Work with the Senior TOC DPO to deliver targeted training and awareness sessions to employees of the assigned TOC(s), embedding a culture of compliance.
  • Provide expert support and advice on data protection issues to assigned TOC(s), acting as a key point of contact for employees needing guidance on regulations and best practices.
  • Where appropriate, provide guidance and supervision to data protection roles within the TOCs, acting as a point of escalation for complex and high-risk data protection matters.
  • Embed group policies, templates and processes within assigned TOCs to drive consistency and standardisation of approach as well as high quality.
  • Engage in collaborative initiatives with other data protection and compliance specialists across the group, supporting joint efforts and driving a continuous improvement culture, participating in group-wide projects to share and embed best practice across the Group.
  • Establish and develop relationships with senior leadership groups across assigned TOCs, advising on data protection principles, risks, and mitigations and processes that should be put in place to reduce the risk of breaches.
  • Track and report on data protection performance, identifying trends and recommending process improvements. Report key metrics to the Senior TOC DPO.
  • Maintain knowledge of current data protection law, technologies and best practice to be able to advise the business on compliance matters; disseminating key information across the data protection community, so the assigned TOC(s) are compliant and protected from regulatory action.
  • Monitor data protection compliance across all assigned TOCs, conducting regular audits to identify risks, ensure compliance and drive improvements.
  • Contribute to the development and delivery of DFTO’s overall data protection strategy, with a focus on TOC activity, that is aligned with organisational objectives and regulatory requirements.


Knowledge, Skills, Experience and Technical Qualifications:

  • In-depth knowledge of UK GDPR, DPA 2018, Privacy and Electronic Communications Regulations (PECR) and ICO guidance, with a strong focus on practical application in complex organisations.
  • Strong track record in developing and implementing data protection frameworks across multiple business units.
  • Expertise in managing complex and high-risk DSARs, DPIAs, and data breach responses.
  • Excellent stakeholder engagement skills, with ability to influence at senior levels.
  • Demonstrable ability to interpret and communicate legal requirements in plain language to operational teams.
  • Strong analytical and problem-solving skills – able to identify risks and propose proportionate solutions.
  • Ability to work collaboratively across legal, IT, security, and operational teams to align privacy objectives.
  • Commitment to continual learning and ethical standards, safeguarding confidentiality at all times.
  • Desirable: Holds a recognised data protection certification (e.g., CIPP/E or BCS Practitioner).

Vacancy Details:


Duration:
Fixed Term contract/secondment to October 2027


Reports to:
Senior TOC Data Protection Officer
Location: London Waterloo
Salary: up to £53,107
Closing date: 26th April 2026


DFTO Benefits:

Annual Leave: Starting at 25 days, rising by one additional day for each year of service completed within the first 5 years, up to a maximum of 5 additional days (30 days)

DC Pension Scheme: 10% Employer contribution, 5% Employee contribution

Opportunities to learn and network across the wider industry


Additional Information…


Disclaimer: Candidates applying for this position on a secondment basis must inform their line manager prior to submitting their application. This is to ensure transparency and facilitate any necessary discussions regarding workload and responsibilities.

About our people and the recruitment process – We’re an inclusive employer of choice and we welcome applications from everyone! We encourage our colleagues to work flexibly, as we know traditional working patterns don’t always fit. If you want to consider working flexibly, just let us know and we’ll do our best to help and invest in your career with us, whilst you have a healthy work-life balance.


Contact:
If you have any questions or reasonable adjustments, please contact [email protected]

Please do not email any CVs to us; your application must be made by clicking the ‘Apply’ button.