Head of Data Protection

Willis Re
New York, NY
8d · Hybrid

About The Position

Willis Re is a technology‑led reinsurance broker built on a cloud‑native, modular and data‑driven platform. As Head of Data Protection, you will own the strategy, controls and assurance that keep client and market data secure, compliant and resilient across all regions. Sitting within the Cyber function, you will embed privacy and security by design into our products, platforms and processes, enabling rapid, compliant growth and seamless global operations. You will translate regulatory and client obligations into practical, scalable solutions that protect sensitive data end‑to-end—at rest, in transit and in use—while supporting business agility. Operating in a hybrid delivery model, you will set standards, define accountability and measure outcomes for data confidentiality, integrity and availability, partnering closely with engineering, product, legal, risk and regional leaders.

You are a business‑minded data protection leader who converts regulatory and client obligations into simple, scalable guardrails that enable the business to move fast without compromising control. You balance strategic design with hands-on depth, bringing clarity to complex privacy and security topics and ensuring decisions are grounded in risk and value. You thrive in a start-up environment and are comfortable operating beyond your usual remit to get things done—rolling up your sleeves to build policies, processes and capabilities from the ground up. You communicate crisply with executives, engineers and external stakeholders, make trade-offs explicit and take clear ownership for outcomes across a global footprint.

Requirements

  • Significant experience (10+ years) leading data protection or privacy programmes in complex, cloud‑first environments; insurance/reinsurance or financial services experience strongly preferred.
  • Deep knowledge of data protection and privacy regulations and principles (e.g., GDPR, UK GDPR, CCPA/CPRA and relevant sectoral obligations), and how to operationalise them at scale.
  • Strong command of technical and organisational controls: encryption and key management, tokenisation/masking, DLP, IAM/PAM, secure configuration, data minimisation and logging/monitoring.
  • Proven track record implementing privacy/security by design, data lifecycle and retention management, subject rights processes and incident/breach response.
  • Hands‑on experience with data discovery, classification and cataloguing tools across multi-cloud and SaaS estates, and integration into engineering workflows.
  • Experience governing cross‑border data transfers, residency controls and third-party data protection, including contractual mechanisms and continuous assurance.
  • Demonstrated ability to deliver audit readiness and client assurance, with clear metrics, KPIs and board-level reporting on control effectiveness and risk reduction.
  • Strong stakeholder management and influencing skills across Cyber, Legal, Risk, product and regional teams in a multi-jurisdictional environment.

Responsibilities

  • Define and own the enterprise data protection strategy, policies and standards, aligning to global frameworks while accommodating regional regulatory requirements.
  • Implement privacy and security by design across the data lifecycle, including collection, minimisation, lawful basis, consent, retention, deletion and safe disposal.
  • Establish technical controls for sensitive data, including encryption and key management, tokenisation/masking, data loss prevention, secure data sharing and segregation of duties.
  • Set and enforce access control models (least privilege, role‑based and attribute‑based access), including joiner‑mover‑leaver processes and privileged access management.
  • Deploy data discovery and classification at scale, maintaining accurate inventories of personal, client‑confidential and regulated data across cloud and SaaS estates.
  • Lead breach readiness and response for data incidents in coordination with Cyber, Legal and Communications, including playbooks, tabletop exercises, notification and lessons learned.
  • Provide security assurance across change initiatives to ensure new platforms and data products meet data protection requirements from design through deployment.
  • Oversee cross‑border data transfer governance, residency controls and supplier data protection due diligence, including contractual clauses and ongoing assurance.
  • Drive regulatory readiness and evidence for audits and client due diligence, maintaining clear metrics and reporting on control effectiveness and risk posture.
  • Manage a hybrid delivery model for data protection capabilities and tooling, directing in‑house teams and partners with clear KPIs, cost transparency and value realisation.

Benefits

  • Health and Welfare Benefits: Medical, Dental, Vision, Health Savings Account, Commuter Benefits, Health Care and Dependent Care Flexible Spending Accounts, Accident Insurance, Critical Illness Insurance, Life Insurance, AD&D, Financial wellbeing support, Wellbeing Program and Work/Life Resources (including Employee Assistance Program)
  • Leave Benefits: Paid Holidays, Annual Paid Time Off (includes paid state/local paid leave where required), Short-Term Disability, Long-Term Disability, Other Leaves (e.g., Bereavement, FMLA, ADA, Jury Duty, Military Leave, and Parental and Adoption Leave), Paid Time Off (Washington State only)
  • Retirement Benefits: Savings Plan (401k)