DfT Operator
TOC Data Protection Officer

Statutory Data Protection Officer – Fixed Term Contract
Join DFTO
DFTO is the government’s public sector rail owning group. Its purpose is to bring all currently privately-owned train operators into public ownership by 2027 and deliver Great British Railways’ transformational agenda today by unifying rail operations under common public ownership. DFTO supports 8,500+ daily passenger services, delivers 640+ million annual journeys, and employs over 30,000 staff. At present, our publicly owned TOCs (LNER, Northern, TPE, Southeastern, SWR, c2c, Greater Anglia, WM Trains) are already driving major improvements.
As a fast-paced, inclusive public organisation, we prioritise efficient, dependable rail services while operating independently—aligned with DfT but under our own governance.
Primary Purpose of the Role
As the statutory Data Protection Officer (DPO) for one or more TOCs, you will:
- Monitor and enforce compliance with UK GDPR, Data Protection Act 2018, and regulatory requirements.
- Provide expert guidance to foster a positive GDPR compliance culture.
- Ensure TOCs handle data subject rights, breaches, and audits independently and transparently.
Key Responsibilities
1. Statutory Data Protection Compliance
- Act as the mandatory DPO for assigned TOC(s), reporting to the respective Board and serving as the ICO liaison.
- Ensure compliance with minimum tasks under DPA 2018 (updated periodically).
2. Processing Data Subject Access Requests (DSARs) & Rights-Based Requests
- Guide, process, and meet legal deadlines for DSARs (rectification, erasure, temporary suspensions) with clear, compliant communications.
3. Privacy Impact Assessments (PIAs)
- Provide independent assessment of PIA risks and compliance with data protection by design.
4. Breach Monitoring & Response
- Directly advise on data breach responses, supporting containment and reporting exercises.
5. Training & Awareness
- Collaborate with the Senior TOC DPO to design (and periodically update) targeted training for all TOC employees, embedding compliance into daily operations.
6. Map Matters
- Act as the primary point of contact for employees seeking clarification on GDPR obligations, breach risks, and best practices.
- Escalate or supervise lower-risk DP/DSAR issues to ensure consistency in complex/multi-TOC cases.
7. Policy Alignment & Consistency
- Drive adoption of group-wide DP policies, templates, and procedures to standardise approaches across assigned TOCs.
8. Collaboration Across DFTO
- Engage with group-wide data protection specialists, share best practices, and contribute to ongoing improvements.
9. Stakeholder & Leadership Engagement
- Build relationships with TOC senior management to assess risks and prioritise actions that mitigate breaches.
10. Performance & Reporting
- Track compliance metrics and report trends, improvements, and breaches to the Senior TOC DPO.
- Contribute to and help deliver DFTO’s overarching data protection strategy, aligning with organisational and regulatory priorities.
11. Knowledge & Legal Vigilance
- Continuously stay up-to-date with evolving GDPR, PECR guidance, and operational technology advances to proactively advise the business.
12. Compliance Audits
- Conduct ongoing audits to ensure alignment with regulations and group policies, while identifying gaps and improvement opportunities.
Knowledge, Skills & Qualifications
Essential
- Deep UK GDPR, DPA 2018 and PECR expertise, with practical experience in managing large, multi-departmental organisations.
- Proven track record in shaping data protection frameworks across multiple business units.
- Ability to independently evaluate and address DSARs, DPIAs, and data breaches, ensuring compliance without bias.
- Strong legal influencing skills, with the ability to simplify complex regulations for team delivery.
- Exceptional analytical and problem-solving judgement—identifying risks and tailoring solutions.
- Demonstrable ability to manage cross-functional stakeholder collaboration (IT, Legal, Security, Operations teams).
- Commitment to ethical integrity and confidentiality management, extending to risk-aware professional judgement.


Desirable
- Relevant professional certifications (e.g., CIPP/E, BCS Practitioner).
Vacancy Details
Reporting to: Senior TOC Data Protection Officer
Location: London Waterloo
Contract: Fixed term and endable on 1st October 2027 (secondment or initial contract role).
Salary: Up to £53,107.
Closing Date: 7th July 2026
About Our People & Recruitment
We are an inclusive employer of choice, welcoming candidates from all backgrounds. Our flexible-work arrangements—including job share, remote work, or hybrid options—are tailored to support employee flexibility while maintaining productivity.
- Applications should be submitted via the official portal. CV inquiries must not be emailed directly to us during consideration.
Support & Contact
For questions or adaptability adjustments, contact: amra.hurley@dftoperator.co.uk.
We’ll support you in securing the right working conditions. We welcome and encourage dialogue to make this opportunity work for you!