Role Profile

Role Details
Role Title: GDPR Compliance Delivery Manager - GPS
Pay band:
Business unit: Compliance Advice & Delivery
Reporting to: Head of Compliance
Date produced or updated: March 2018

Purpose of Role
The role is an interim role, primarily to:
- Lead the work stream to manage and oversee delivery of data controller responsibilities under the General Data Protection Regulations for NS&I GPS accounts where NS&I is joint data controller.
- Contribute to the identification of NS&I GPS compliance risks (to the Client and NS&I Governance), ensuring that they are captured in the relevant risk registers for monitoring by the risk policy owners.
- Work closely with the NS&I B2B Compliance Manager to ensure that the GDPR compliance delivery work stream is aligned to Scheme rules and other relevant laws and guidelines.
- Work with the NS&I Commercial team to amend the relevant NS&I GPS Memoranda of Understanding to reflect NS&I's joint data controller responsibilities.
- Work with the B2B Compliance Manager and NS&I GPS clients to align risk appetites in respect of matters pertaining to data protection compliance.

Key responsibilities
- Ensure that Atos understand the implications of joint data controllership accounts and their associated responsibilities.
- Ensure Clients understand the implications and activities required in the undertaking of a joint data controllership and their associated accountabilities.

Bid management and client set up support
- Represent compliance as a Data Protection SME for all joint data controller bid positions.
- Contribute to Memorandum of Understanding (MoU) clauses for new accounts, reflecting agreed requirements throughout the bid process.

Data Protection
To establish the new data protection legal framework for NS&I GPS accounts where there has been a finding of joint data controller. Working with the DPO and the NS&I B2B Compliance Manager, contributing to a new data protection strategy for the B2B compliance offering under NS&I GPS and ensuring compliance for existing accounts. This will require in-depth work with the applicable Clients to establish alignments in risk, process and policy, where achievable, whilst ensuring delivery of outsourced provisions can meet agreed compliance standards.

Role Profile - page 1

Responsibilities will include:
- Be business manager for the implementation of joint data controller requirements under GDPR for NS&I GPS accounts.
- Work with the NS&I Compliance Manager (B2B) to formulate the B2B Data Protection and Records Management Policy suite and best practice documentation.
- Report directly to the DPO on a monthly basis at the Risk Management Committee (RMC), highlighting and escalating any issues or concerns relating to delivering GDPR compliance.
- Design and embed procedures within NS&I, delivery partner, third party contractors and supply chain to ensure compliance with data protection legislation.
- Advise the delivery project on complex issues of law in the context of obligations under GDPR.
- Amend relevant manuals and ensure information and training for staff is updated in line with the current data protection legislation.
- Delegated authority from the Head of Compliance/DPO to advise and make decisions on the projects to enable the resolution of complex operational challenges arising from a conflict between project requirements and/or operational processes and the DPA.
- Ensure data protection SOPs and process maps are updated to enable compliance with data protection legislation and any resultant amendments to the MOU requirements, ensuring adequate training for staff so matters are identified and dealt with compliantly.
- Draft the technical clauses required for the operation of the client service in respect of data protection, e.g. Data Sharing Agreements.

Reporting
- Provide periodic reports to the Executive Committee and the B2B Committee on the progress of the joint data controllership GDPR implementation project.
- Provide input to the monthly Data Protection risk reporting to NS&I Risk Management Committee.

Relationships
Please list the jobs and areas with which the post interacts. This should show internal and external relationships.

Internal
- Reports to the Head of Compliance Advice & Delivery
- NS&I Management Board (including non-executive Directors and HM Treasury representatives)
- NS&I Audit Committee
- Team members
- Members of Governance Committees and working groups
- Internal Auditors
- B2B Account Management
- NS&I Project Management Office
- NS&I Executive Committee
- NS&I Senior Management team

External Government
- Government Legal Department
- Ministry of Justice
- Atos
- HM Treasury
- Cabinet Office
- Office of Accountant General (OAG)
- HMRC
- Home Office

External outside Government
- Information Commissioner's Office
- External legal advisers
- Courts of law

Person specification

Essential qualifications, experience and technical knowledge

Essential qualification
- Qualified in Data Protection

Essential experience
Substantial experience which has included the following aspects:
- Reviewing and analysing legislation and translating it into policies and procedures
- Specifying requirements for projects in respect of compliance and regulatory matters
- Understanding privacy law, information rights (data protection legislation & FOI) and its implementation in a financial services business
- Understanding joint data controller duties under data protection legislation
- Gathering research from a wide range of areas and sources
- Writing and presenting management reports
- Good understanding of general law
- Experience of working with legal teams, including giving instructions.

Essential technical knowledge and skills
- Extensive knowledge and practical application of data protection legislation
- Extensive knowledge of legal and regulatory matters
- Excellent communication (both written and verbal) skills.
- Ability to undertake detailed analysis of complex data, industry consultation papers and new and pending legislation, and to translate and summarise such documents, informing compliance policies and procedures.
- Managing and negotiating legal positioning with third parties, defining accountabilities and responsibilities.

Desirable qualifications, experience and technical knowledge and skills
- Extensive knowledge of the legislative environment within which government departments operate.
- Effective resource management skills and the ability to work well under pressure
- Quick thinker and fast learner.
- Good organisational skills.
- Financial services industry qualifications, ICA advanced certificate/diploma

Competencies and values
Please read in conjunction with the NS&I Behavioural Based Competency Framework and give examples relevant to the role.

Communication
- Communicating the impact of changes in the compliance landscape and explaining the risks and consequences to the business.
- Providing written and oral updates to the Head of Compliance Advice & Delivery and NS&I Governance Committees
- Escalating and communicating material issues of non-compliance.
- Maintain a strong working relationship with all Client, NS&I and Atos staff.

Customer Focus
- Provide an effective and timely service when dealing with customers, suppliers and stakeholders
- Maintain customer focus, including adhering to TCF principles
- Help ensure that all guidance and support meets the business need and strategic direction of all key stakeholders/partners.

Achievement orientation
Plan and organise time and activities so as to:
- Lead on data protection projects as subject matter expert to specific (and tight) timetables, monitoring progress and taking corrective actions where necessary.
- Monitor own and team plans and performance against targets, milestones and deadlines.

Managing third party relationships
- Demonstrate understanding of, and work effectively in, the commercial and political environment in which NS&I operates, and consider the impact on NS&I GPS.
- Demonstrate empathy for the needs and interests of third parties to NS&I
- Manage working relationships with third parties assertively to achieve mutually satisfactory outcomes and commercial focus
- Demonstrate awareness of third parties' changing circumstances, needs and interests
- Create new solutions to meet opportunities, risks and challenges within the environment within which NS&I operates
- Develop external focus in others.

Improving business performance
- Anticipating and responding to changes in the regulatory or business practices within risk appetites.
- Take every opportunity to develop and nurture a compliance culture within the organisation
- Speak and act positively about change and innovation and encourage others to do the same
- Seek a balance in time versus quality to ensure that change is delivered with pace and confidence.

Leading others
- Use personal knowledge and skills to develop other members of the compliance team and the wider business.
- Champion issues and lead initiatives and work streams to ensure problem areas are overcome
- Head the Compliance B2B team

Making decisions
- Analyse processes and where necessary identify areas for improvement
- Ensure that all problems and issues are identified and managed in a timely and effective manner, seeking guidance and input from the Head of Compliance Advice & Delivery or other appropriate person, where necessary
- Develop solutions to issues that are effective and meet the needs of the business
- Assess the impact of any new and forthcoming rules, regulations and guidance on the NS&I GPS offering; make recommendations for appropriate action.

Team working
- Achieve effective team working across the business through development of relationships with other business areas
- Proactively support other members of the compliance B2B team
- Develop an effective team working culture within the compliance team to provide an effective and efficient service to the wider business