Deputy Data Protection Officer

Organisation: The National Trust for Scotland

Salary: £37,253 - £41,043 pro-rata, per annum

Location: Edinburgh


With increasing risks associated with data protection and cyber security, and the need to ensure we regularly monitor, advise on, and remain resilient in our data protection activities, this role exists to support the Data Protection Officer (DPO) in advising the Trust and monitoring compliance with UK and EU privacy legislation, including the UK GDPR, EU GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. The Deputy DPO will also act as the Trust’s DPO in the DPO’s absence.


• Support colleagues across the organisation with specialist advice and practical guidance on the implementation of privacy management policies and procedures.
• Assist in the recording, monitoring, and reporting of risks associated with data processing activities and identify actions that can be taken to mitigate risk.
• Assist in the preparation of reports to the Trust’s Board and Executive Committee through the collation of key management information, including case management statistics and updates on the delivery of training.
• Support the annual review of all privacy management policies and procedures in line with legislative changes and organisational requirements.
• Plan for legislative changes and their impact on Trust activities, identifying risk associated with the changes and managing workload to address such changes.
• Support the delivery of mandatory training in data protection, cyber security, and PCI DSS – including the delivery of refresher training to volunteers and employees.
• Process data subject rights requests, including Subject Access Requests, Erasure Requests and Objections to Processing, in line with the legislative timescales.
• Support the development of an annual auditing framework for data processors to ensure they continue to meet our expectations in the handling of Trust data.
• Manage workload and resources required to respond to data subjects’ rights requests in line with legislative timescales.
• Work with the DPO to advise on possible solutions to challenges with systems and processes in order to mitigate risk.
• Coordinate and record quarterly meetings with the data champions’ network.
• Oversee the production of a quarterly newsletter with support of the data champions.
• Lead on the review of the data inventory and ensure it remains up to date.
• Promote and advise on the application of data protection by design and default when developing new systems and processes across the organisation.
• Support the DPIA process, including supplier due diligence and review of third-party contracts, including those involving international data transfers.
• Work alongside internal stakeholders to contain, recover and respond to data breaches and cyber security incidents – acting as the key contact for external stakeholders, including the Information Commissioner’s Office, OSCR and Police Scotland, in the absence of the DPO.
• Support the delivery of data protection and cyber security projects as required.
• Deputise for the Trust’s DPO in their absence.
• Report on risk, incidents and vulnerabilities to the Chief Operating Officer and Trust Solicitor, in the absence of the DPO.



• Postgraduate information management / compliance / data protection qualification or demonstrable practical experience in an information management / compliance / data protection role
• Educated to degree level or equivalent

• Qualified data protection practitioner


• Excellent knowledge of data protection legislation, including those relating to direct marketing
• Experience of handling complex information management / compliance / data protection queries
• Excellent planning, organisational and communication skills
• Excellent time management, decision-making and problem-solving skills
• Experience of managing multiple projects and tasks with changing priorities
• Experience of influencing others through the provision of expert advice and analysis of data
• Ability to respond to complex and varied privacy management queries, working on own initiative and with minimal supervision

• Experience of an information compliance/data protection role within a charity environment
• Experience of developing and delivering information compliance training
• Experience of supporting internal stakeholders with high quality advice and guidance
• Experience of risk management frameworks
• Experience of people management
• Experience of Microsoft SharePoint
• Knowledge of financial services compliance requirements where there is an impact on data protection (e.g., PSD2, PCI DSS)


• Trust-wide role, collaborating with and supporting colleagues across Scotland
• Acting as deputy in the DPO’s absence

People Management
• The role does not have any direct reports, but occasionally may be responsible for managing volunteers or work experience students working on privacy management projects

Finance Management
• None

Tools / equipment / systems
• Microsoft packages (Word, Excel, PowerPoint, Access etc.) for data processing, report preparation, etc.
• Microsoft SharePoint (creating and maintaining shared folders)

Example key performance indicators and targets
• Annual objective setting.
• Annual check and updating (if required) of policies, training and guidance documents.

Place in organisational structure (extract of org chart showing role):

The Purpose, Context, Key Responsibilities, and Person Specification reflect the requirements of the job at the time of issue. The Trust reserves the right to amend these with appropriate consultation and/or request the post-holder to undertake any activities that it believes to be reasonable within the broad scope of the job or his/her general abilities.

Application Deadline: Friday 28/04/2023