Privacy Officer - London

London, Greater London
70,000 to 80,000 Per Annum
20 Mar 2023
17 Apr 2023
Full Time

About us:

We're The Restaurant Group (TRG for short) and we're one of the UK's biggest hospitality businesses. We're a significant player in the UK casual dining market, operating over 400 restaurants and pubs including Wagamama, Frankie and Benny's, Chiquito, and Brunning & Price. Our diverse portfolio of brands provides something for everyone, and we are proud to be TRG.

The Role:

TRG is looking to fill the full-time position of Privacy Officer. This position covers all countries and all industries in which TRG and its divisions operate.

Working independently, the Privacy Officer builds and manages the privacy programme of TRG and its business divisions, develops privacy policies for internal use and privacy statements for internal and external use, and describes privacy requirements for business partners and service providers. The Privacy Officer will facilitate regulatory compliance by establishing and coordinating TRG's Privacy Council. Knowing how to persuade and enable the business while maintaining integrity, the Privacy Officer collaborates closely with business stakeholders to control risk from potential procedural or technology changes that affect privacy. In addition, the Privacy Officer represents TRG and its business divisions to internal and external stakeholders (e.g., employees, customers and regulatory authorities, including the Information Commissioner's Office (ICO)).

The Privacy Officer conducts privacy risk assessments focused on specific business processes or applications. They identify and suggest prioritisation of privacy risk treatment for the organisation, and determine how to maintain and improve adherence to regulatory requirements and corporate policies. The Privacy Officer will develop and maintain privacy training and awareness programmes, and set up a personal data breach response plan.

As the internal representative of regulatory authorities on the matter of privacy, the Privacy Officer holds a neutral position. As a result, the role will have dual reporting into the Director of Technology and the Legal team.

The Privacy Officer must not have any conflict of interest (e.g., being responsible for business outcomes alongside the Privacy Officer function). The Privacy Officer must also not be responsible for executing (parts of) the privacy programme, as this would compromise the Privacy Officer's neutrality.

Key Responsibilities:

The Privacy Officer is responsible for the following tasks:

  • Maintain, develop and implement the privacy programme of TRG and its business divisions, and the resulting privacy policies, procedures and documentation for the processing of personal data, in coordination with appropriate members of the organisation (e.g., business process owners, legal, information security, the works council, risk management, and the ethics and compliance officers).
  • Devise and update policies and procedures for customers, employees and data breach incident responses, ensuring alignment with the actual implementation of personal data processing activities.
  • Monitor continuous adherence to the privacy programme's requirements.
  • Establish and manage a TRG Privacy Council with cross-divisional membership and responsibilities for personal and corporate data.
  • Work to ensure the organisation maintains the appropriate privacy and confidentiality consent procedures, authorisation forms, and information notices.
  • Establish and work with a multidisciplinary team, including audit and risk, compliance, HR, legal, business process owners, IT, Cyber Security and other internal stakeholders to ensure enterprise-wide coverage of the privacy discipline.
  • Work with procurement, supplier management and the legal department to ensure that third-party suppliers' contracts and operating-level agreements meet [international] privacy requirements.
  • Implement and maintain an internal reporting mechanism for intended (new or changed) personal data processing activities, to which business unit/process owners must adhere.
  • Notify data protection authorities of the organisation's processing activities and/or obtain guidance where required.
  • Lead TRG's response to privacy-related emergencies and other potentially damaging events.
  • Communicate with regulatory authorities and the public concerning privacy issues (for example, answering data subject access related questions and requests).

Privacy Impact Assessments
  • Determine TRG's specific privacy-related requirements and potential vulnerabilities.
  • Receive and manage internal reports from business stakeholders to maintain control over all projects and innovative initiatives, including change management, to ensure timely attention to privacy bottlenecks and gaps.
  • Develop, improve and manage the privacy impact assessment process, in close collaboration with business stakeholders.
  • Conduct regular privacy policy compliance assessments to ensure that TRG's privacy policies are being adhered to.

Compliance Monitoring
  • Ensure that business units, technology teams and third parties (service providers) follow TRG's privacy programme; implement measurement procedures to verify the extent to which these stakeholders meet privacy policy requirements; and address privacy concerns.
  • Collaborate with and assist business units and technology areas to develop corrective action plans for identified privacy compliance issues.
  • Continuously monitor the status and effectiveness of privacy controls across service offerings, ensuring that privacy-related key risk indicators are effectively monitored to prevent an unacceptable impact on business objectives and reputation.
  • Conduct frequent compliance report monitoring activities on collaborating partners, third-party service providers' and other data processors' levels of privacy compliance.
  • Report findings in a structured, transparent and business-relevant manner to the members of the Board, allowing the business to decide on and instruct adequate and appropriate mitigating measures.

Personal Data Inventory and Usage
  • Support the creation of an inventory that documents how and why TRG collects, shares and uses personal data.
  • Continuously update and re-evaluate the extent to which customer and employee information is collected and shared internally and externally.
  • Monitor the data request and usage processes, purpose-based authorised use and prevention mechanisms' effectiveness against unauthorised use, and cross-border data transfer matters for personal data across TRG.
  • Maintain TRG's registry of all personal data stores and processing activities.
  • Influence TRG's retention programme to facilitate deletion or anonymisation of personal data that is no longer needed for identified purpose(s), and in accordance with applicable requirements.

Information Technology
  • Serve as the internal advisor to the CIO and Technology Director to interpret privacy-policy-related questions.
  • Ensure that data security practices - in particular, logging, monitoring and auditing practices - do not conflict with privacy requirements.
  • Work closely with the technology service teams to anticipate potential privacy problems embedded in the use of emerging technologies.
  • Liaise with the Head of Service Operations and the Infrastructure and Cyber Security Manager in matters relating to data breaches (including preparedness, prevention, impact mitigation and integral management of breaches).
  • Work to integrate controls within specific People and CRM business and IT processes.

Awareness, Training, and Other Communications
  • Conduct or oversee privacy awareness campaigns, training and orientation for all employees - in particular, application developers, People and Marketing.
  • Identify trends in privacy and regulatory requirements and compliance enforcement, account for the necessary changes in the privacy programme, and communicate updates only to the stakeholder audiences affected in their respective activities.
  • Develop new and innovative strategies to address privacy and regulatory standards and requirements in new computing paradigms, such as the Internet of Things (IoT) or the cloud.
  • Work with third-party stakeholders (including business partners, suppliers, service providers and IT product vendors) to ensure that they clearly understand and comply with TRG's privacy requirements.
  • Liaise and communicate effectively with external entities, such as supervisory and regulatory authorities and the public, on relevant occasions.

A successful Privacy Officer candidate will have the expertise and skills described below.

Education and Training
  • Bachelor's degree or higher in business administration, law, finance, accounting, computer science or a related discipline is required.
  • An advanced degree in law, business (M.B.A.), information science (MIS), information security or a related field is preferred.
  • The ideal candidate will have a combination of a legal or business degree with a technical or computer science degree.
  • The candidate holds two or more of the following certifications for the relevant region(s): at least one of Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPT), and at least one of Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA).