DfT Operator

TOC Data Protection Officer

London
£53.1k/yr
Posted 2 days ago

Statutory Data Protection Officer – Fixed Term Contract

Join DFTO

DFTO is the government’s public sector rail owning group. Its purpose is to bring all currently privately-owned train operators into public ownership by 2027 and deliver Great British Railways’ transformational agenda today by unifying rail operations under common public ownership. DFTO supports 8,500+ daily passenger services, delivers 640+ million annual journeys, and employs over 30,000 staff. At present, our publicly owned TOCs (LNER, Northern, TPE, Southeastern, SWR, c2c, Greater Anglia, WM Trains) are already driving major improvements.

As a fast-paced, inclusive public organisation, we prioritise efficient, dependable rail services while operating independently—aligned with DfT but under our own governance.


Primary Purpose of the Role

As the statutory Data Protection Officer (DPO) for one or more TOCs, you will:

  • Monitor and enforce compliance with UK GDPR, Data Protection Act 2018, and regulatory requirements.
  • Provide expert guidance to foster a positive GDPR compliance culture.
  • Ensure TOCs handle data subject rights, breaches, and audits independently and transparently.

Key Responsibilities

1. Statutory Data Protection Compliance

  • Act as the mandatory DPO for assigned TOC(s), reporting to the respective Board and serving as the ICO liaison.
  • Ensure compliance with minimum tasks under DPA 2018 (updated periodically).

2. Processing Data Subject Access Requests (DSARs) & Rights-Based Requests

  • Guide, process, and meet legal deadlines for DSARs (rectification, erasure, temporary suspensions) with clear, compliant communications.

3. Privacy Impact Assessments (PIAs)

  • Provide independent assessment of PIA risks and compliance with data protection by design.

4. Breach Monitoring & Response

  • Directly advise on data breach responses, supporting containment and reporting exercises.

5. Training & Awareness

  • Collaborate with the Senior TOC DPO to design (and periodically update) targeted training for all TOC employees, embedding compliance into daily operations.

6. Map Matters

  • Act as the primary point of contact for employees seeking clarification on GDPR obligations, breach risks, and best practices.
  • Escalate or supervise lower-risk DP/DSAR issues to ensure consistency in complex/multi-TOC cases.

7. Policy Alignment & Consistency

  • Drive adoption of group-wide DP policies, templates, and procedures to standardise approaches across assigned TOCs.

8. Collaboration Across DFTO

  • Engage with group-wide data protection specialists, share best practices, and contribute to ongoing improvements.

9. Stakeholder & Leadership Engagement

  • Build relationships with TOC senior management to assess risks and prioritise actions that mitigate breaches.

10. Performance & Reporting

  • Track compliance metrics and report trends, improvements, and breaches to the Senior TOC DPO.
  • Contribute to and help deliver DFTO’s overarching data protection strategy, aligning with organisational and regulatory priorities.

11. Knowledge & Legal Vigilance

  • Continuously stay up-to-date with evolving GDPR, PECR guidance, and operational technology advances to proactively advise the business.

12. Compliance Audits

  • Conduct ongoing audits to ensure alignment with regulations and group policies, while identifying gaps and improvement opportunities.

Knowledge, Skills & Qualifications

Essential

  • Deep UK GDPR, DPA 2018 and PECR expertise, with practical experience in managing large, multi-departmental organisations.
  • Proven track record in shaping data protection frameworks across multiple business units.
  • Ability to independently evaluate and address DSARs, DPIAs, and data breaches, ensuring compliance without bias.
  • Strong legal influencing skills, with the ability to simplify complex regulations for team delivery.
  • Exceptional analytical and problem-solving judgement—identifying risks and tailoring solutions.
  • Demonstrable ability to manage cross-functional stakeholder collaboration (IT, Legal, Security, Operations teams).
  • Commitment to ethical integrity and confidentiality management, extending to risk-aware professional judgement.

Desirable

  • Relevant professional certifications (e.g., CIPP/E, BCS Practitioner).

Vacancy Details

Reporting to: Senior TOC Data Protection Officer
Location: London Waterloo
Contract: Fixed term and endable on 1st October 2027 (secondment or initial contract role).
Salary: Up to £53,107.

Closing Date: 7th July 2026


About Our People & Recruitment

We are an inclusive employer of choice, welcoming candidates from all backgrounds. Our flexible-work arrangements—including job share, remote work, or hybrid options—are tailored to support employee flexibility while maintaining productivity.

  • Applications should be submitted via the official portal. CV inquiries must not be emailed directly to us during consideration.

Support & Contact

For questions or adaptability adjustments, contact: [amra.hurley@dftoperator.co.uk].

We’ll support you in securing the right working conditions. We welcome and encourage dialogue to make this opportunity work for you!

Skills

Data Protection
GDPR
DPA 2018
Compliance
Stakeholder Engagement
Data Breach Management
Risk Assessment
Training
Privacy Impact Assessments
Analytical Skills
Problem Solving
Collaboration
Communication
Legal Interpretation
Continuous Learning
Ethical Standards

Location

London, England, United Kingdom
