Governance & Framework Application in Foundry Platform
Act as the embedded data protection lead for the Foundry platform programme, ensuring all use cases are designed and implemented in full alignment with the DH Data Protection Framework, applicable laws, and privacy by design principles.
- Apply the Group’s data protection framework to projects in scope, ensuring policies, procedures, and templates are clearly understood and adopted by relevant teams.
- Support business owners in complying with all required processes and artefacts relevant to their use cases (e.g., Data Protection Impact Assessments (DPIAs), Transfer Impact Assessments (TIAs), Records of Processing Activities (ROPAs), Legitimate Interests Assessments (LIAs), and data maps).
- Oversee the data ingestion process to verify all controls are in place before data is introduced into the platform, mitigating risks early.
- Ensure that evolving regulatory requirements—including emerging AI regulations such as the EU AI Act—are reflected in project documentation, controls, and workflows.
- Promote consistent and practical application of the framework by providing guidance and clarity on how requirements apply specifically to the Foundry platform.
Compliance & Risk Management: Privacy by Design and AI
Embed privacy by design and data protection principles at the earliest stages of project design and development.
- Advise on Data Protection Impact Assessments (DPIAs) and AI Impact Assessments for relevant use cases.
- Identify use cases that may trigger obligations under the EU AI Act or other applicable AI regulations, escalating them for further review as appropriate.
- Ensure project documentation clearly captures decision rationales, risk mitigations, and alignment with privacy by design/default policies.
- Drive awareness and understanding during sign-off processes to ensure stakeholders fully appreciate the data protection implications of their projects.
Compliance & Risk Management: Use Case Oversight
Provide proactive oversight of all Foundry use cases to ensure they are compliant, risk-assessed, and well-documented prior to go-live.
- Work closely with business owners to identify data protection risks early, including those arising from AI capabilities and cross-border data flows.
- Ensure that use cases are supported by appropriate risk assessments, privacy notices, and legal bases, with clear records of approval and stakeholder engagement.
- Collaborate with Legal to address complex or emerging regulatory issues.
- Maintain oversight of processing activities to ensure Records of Processing Activities (ROPAs) for Foundry are accurate, comprehensive, and regularly updated.
- For use cases that are commercially compelling but carry data protection risks that cannot be brought to a fully compliant position, lead the preparation of detailed risk assessments outlining likelihood, impact, and residual risk, and communicate them to the DPO to support executive-level decision-making on risk acceptance.
Data Subject Rights & Incident Management Support
Oversee and support the handling of data subject requests and incident response within the Foundry environment.
- Ensure requests are identified, tracked, and fulfilled within statutory timeframes.
- Collaborate with technical teams to enable accurate extraction, correction, or deletion of data from the platform.
- Support investigations of data incidents and embed lessons learned into ongoing processes to prevent recurrence.
Assurance & Continuous Improvement
Provide independent assurance to the DPO that Foundry use cases remain compliant and risks are effectively managed.
- Conduct targeted assurance reviews of high-risk or AI-related use cases.
- Work with stakeholders to close gaps and drive continuous improvement.
- Maintain an up-to-date risk register for Foundry processing activities, ensuring clear accountability and timelines for mitigation.
Engagement & Awareness
Lead efforts to build privacy capability and embed a privacy-conscious culture within Foundry teams.
- Deliver targeted training and practical workshops tailored for business owners, developers, and analysts involved with the platform.
- Develop role-specific guides and quick-reference materials to help teams navigate complex data protection and AI requirements.
- Serve as a trusted point of contact for data protection queries, ensuring timely escalation and resolution of issues.