Data Protection Officer
Job description & person specification
Title: Data Protection Officer
Department: Legal
Work patterns: 4 to 5 days a week. Hybrid working
Job purpose summary:
LLAOL is seeking to recruit a Data Protection Officer (DPO) to play a critical role in ensuring LLA complies with all applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). The DPO will act as the primary contact for data protection matters, providing guidance, oversight, and support to ensure LLAOL complies with the applicable law. The DPO will foster a culture of data protection awareness across LLA and liaise with regulatory authorities as required. The DPO will work closely with LLA’s Legal, Risk and Compliance, and Cybersecurity teams to develop and monitor policies and standards in compliance with the law.
Key responsibilities and accountabilities:
- Monitor compliance with data protection laws and internal policies, including regular audits and reviews.
- Advise and inform staff on their obligations under data protection legislation and best practice procedures, including setting standards to ensure compliance.
- Develop, implement, maintain, and deliver data protection policies, procedures, and training programmes.
- Serve as the primary point of contact for data protection queries from the business and for the Information Commissioner’s Office (ICO).
- Manage and respond to Data Subject Access Requests (DSARs), and support all other data subject rights (erasure, rectification, objection, restriction, and portability) within statutory deadlines.
- Oversee the handling of personal data breaches, ensuring prompt reporting and appropriate remedial action.
- Work with key internal stakeholders in the review of projects and related data to ensure compliance with applicable laws.
- Undertake DPIAs (and work with the business to identify when DPIAs are required).
- Maintain records of processing activities and ensure documentation is up to date and accurate.
- Review and provide guidance on contracts and data sharing agreements to ensure compliance with data protection requirements.
- Keep abreast of developments in data protection law and advise management of any changes affecting the organisation.
- Participate in LLA’s Information Security Committee meetings, ensuring that data protection risks, DPIA outcomes, and compliance issues are considered in cybersecurity decision-making, program planning, and incident reviews.
- Collaborate with the Cybersecurity team to:
  - Raise employee awareness of data privacy and security risks through training sessions, targeted communications, and ongoing awareness programs;
  - Maintain comprehensive records of all data assets, data flows, record of processing activities, and data exports to support governance and audit readiness;
  - Embed privacy by design and default into airport and IT projects, ensuring early consultation on system changes, and new or high-risk data processing;
  - Review and maintain the incident response plan from a data protection perspective, ensuring timely detection, escalation, investigation, remediation, and regulatory reporting;
  - Support internal and external audits, including those from the ICO, CAA, DfT, NCSC, and independent assurance providers; and
  - Support LLA to achieve ISO 27001 certification, helping to ensure information security and privacy controls are embedded and operationally effective.
- Work with LLA’s IT team to ensure that IT systems and procedures continue to comply with all relevant data protection laws and policy (including in relation to the retention and destruction of data).
- Work with LLA’s legal team to help advise on data protection law issues.
- Provide regular reports to the Audit and Risk Committee and the Information Security Committee on data protection compliance.
- Review and authorise the release of CCTV footage to external third parties.
- Contribute to delivering a great guest experience by performing your role with accuracy and efficiency, recognising that every task, whether guest-facing or behind the scenes, contributes to supporting the company’s overall LLA Way Strategy and service standards.
- Proactively and positively promote the LLA Way initiatives and projects with all employees and the wider airport community.
Knowledge, skills & experience:
A successful candidate for this role will have:
- Strong knowledge of UK GDPR, Data Protection Act 2018, PECR and related privacy legislation.
- Demonstrable experience in a data protection, compliance, or information governance role.
- Excellent communication and interpersonal skills, with the ability to influence and educate staff at all levels.
- Strong analytical and problem-solving abilities, with attention to detail and a proactive approach.
- Ability to interpret complex legislation and translate requirements into practical policies and procedures.
- Experience in conducting audits, risk assessments, and handling data breaches.
- Relevant professional certification (e.g., CIPP/E, CIPM, or similar) is desirable.
- Sufficient knowledge of information technology and data management systems.
- Strong change and project management skills, including the ability to manage time well, prioritise effectively, and handle multiple deadlines.
- High standards of integrity, confidentiality, and ethical conduct.
- Experience in reviewing and advising in respect of data sharing agreements, schedules, and provisions.
Preferred but not essential:
- Aviation industry experience
- Experience in amending and drafting data sharing agreements, schedules, and provisions
This job description is intended to give an appreciation of the role and the range of duties and responsibilities to be undertaken. It does not attempt to detail every activity. Specific tasks and objectives will be agreed on an ongoing basis. The post holder will be required at all times to perform any other reasonable tasks, as requested by the Line Manager, in order to meet the operational needs of the business.
For any further information, please contact the Human Resources department at [email protected]. London Luton Airport Operations Ltd collects your personal information when you submit your application. For more details about the personal information LLA collects, how we collect it, why we need it, what we do with it, how long we keep it, and what your rights are, please see our privacy notice at www.london-luton.co.uk/privacy-notice.
LLA is committed to fostering, promoting, and preserving a culture of diversity, equality, and inclusion as we carry out our mission. We will always be respectful and seek to learn from those different from ourselves. We strive to be an equal opportunity employer, and we are determined to ensure that no applicant or employee has a negative experience for being who they are. We welcome all applications!
To apply:
If you wish to apply for this role, please send your CV that summarises your knowledge, skills, and experience within the context of the Data Protection Officer job description to [email protected], using the reference DPO1602 in the subject line. In the body of the email, please make sure to include the following:
- Current and expected salary
- Notice period/availability to start
- Right to work in the UK / sponsorship requirements
- Whether you are happy to travel to Luton three days a week