DPO Function / Data Protection Lead

Company: Tyrogen Limited (16884876)
Function: Data protection, privacy governance, and information-rights oversight
Reports to: Responsible Officer
Accountable to: Responsible Officer, with escalation to the Governing Body where required
Role type: Privacy / data protection / governance role
Engagement model: Retained internal accountability with external privacy advisory support where needed
Remuneration basis: Monthly retainer and/or advisory support basis for DPIA, DSAR, or breach-response work, as set out centrally in Role Profiles section 4.4
Review cycle: At least annual, and on any material privacy, processing, delivery-model, or scope change

Role purpose

The DPO Function / Data Protection Lead ensures that Tyrogen's privacy and data-governance expectations are defined, maintained, and retrievable. The role supports lawful, fair, and controlled handling of personal data and ensures that data-protection risks, data subject rights, retention expectations, and breach-response obligations are addressed through an appropriate governance route.

Role scope

The role has responsibility across Tyrogen's privacy and information-governance environment. The role covers:

• privacy governance and accountability,
• support for DPIAs and privacy-by-design considerations,
• retention and information-lifecycle oversight,
• DSAR and information-rights handling support,
• data-breach consultation and escalation support,
• and maintenance of privacy-governance outputs and records.

Key responsibilities

The DPO Function / Data Protection Lead will:

• support the definition and maintenance of Tyrogen's privacy-governance arrangements,
• advise on data-protection principles, lawful handling, and governance expectations,
• support DPIAs and privacy review where new processing, systems, or risks arise,
• support the management of retention expectations and privacy-related record control,
• support DSAR handling and other data subject rights processes,
• advise on breach assessment, containment, escalation, and consultation where relevant,
• maintain or support privacy-governance outputs and evidence records,
• identify and escalate material privacy or data-governance risks,
• work with compliance, operations, security, and leadership roles to ensure privacy controls are reflected in practice,
• support retrieval of privacy-related evidence for governance, audit, or regulatory purposes,
• and help ensure that Tyrogen's handling of personal data remains proportionate, defensible, and auditable.

Decision-making and authority

The role has authority to:

• require visibility of privacy-relevant processing, incidents, or governance changes,
• recommend DPIA activity, privacy review, corrective action, or escalation where appropriate,
• support or require the escalation of material privacy risks or potential breaches,
• advise on retention, DSAR handling, and privacy-governance controls,
• require visibility of record-retention, DSAR, and disclosure dependencies where privacy governance affects regulatory or audit readiness,
• and request supporting records or clarification where privacy accountability is unclear.

The role does not replace Board accountability or security, compliance, or operational ownership and must not allow convenience or commercial pressure to weaken privacy compliance or defensibility.

Regulatory and control context

The DPO Function / Data Protection Lead sits within Tyrogen's control architecture as the role responsible for privacy governance, lawful handling of personal data, retention linkage, and information-rights oversight. In particular, the role supports:

• the adequate-information, record availability, and secure data-governance expectations that sit behind Ofqual Criteria C.1 and the wider controlled operating model,
• operation of retention, hold, and disposal governance through Data Retention Policy,
• controlled handling of subject-access and related privacy requests through DSAR Process,
• privacy input to breach assessment, incident handling, audit evidence production, and disclosure minimisation where Tyrogen responds to governance, regulatory, or data-subject requests,
• and the requirement that privacy, retention, and disclosure decisions remain documented, proportionate, and defensible rather than being handled informally.

Where privacy risk, breach circumstances, retention failures, or disclosure uncertainty may affect learner data, regulatory evidence production, or Tyrogen's ability to respond lawfully and accurately, the role must escalate through the correct privacy, incident, governance, or regulator-facing route.

Working relationships

The DPO Function / Data Protection Lead works closely with:

• the Responsible Officer,
• the Governing Body where escalation is required,
• the Compliance Lead,
• the Operations Lead,
• the Security / Technology Lead,
• the Finance Lead where supplier, retention, or breach-cost implications arise,
• the Head of Assessment & Standards where assessment design or records create privacy implications,
• and any external privacy advisers, processors, or specialist support providers.

Person specification

The role-holder is expected to demonstrate:

Essential

• understanding of data-protection principles and governance expectations,
• ability to support retention, DSAR handling, DPIAs, and breach-response activity,
• ability to identify and escalate privacy risk appropriately,
• sound judgement in balancing operational practicality with privacy compliance,
• strong record-keeping and documentation discipline,
• clear communication on privacy obligations and risk,
• and ability to work effectively across operational, technical, and governance functions.

Desirable

• experience in privacy, data protection, information governance, or compliance roles,
• experience supporting rights requests, breach handling, or DPIA activity,
• and familiarity with controlled or regulated service environments.

Independence and conflicts requirements

• The role-holder must declare actual, potential, and perceived conflicts of interest.
• Where privacy support is provided externally, any supplier or commercial conflict relevant to the advice must be identified and managed.
• Privacy advice, breach handling, or governance outputs must not be distorted by convenience, delivery pressure, or undisclosed commercial interests.
• Any remuneration or commercial arrangement that could distort objective privacy judgement must be declared and managed.

Measures of success / KPIs

The effectiveness of the DPO Function / Data Protection Lead may be evidenced through:

• privacy-governance outputs maintained and retrievable,
• DPIAs or privacy reviews initiated where appropriate,
• DSARs and information-rights matters supported within required timescales,
• privacy risks and breach concerns identified and escalated promptly,
• retention and privacy-record expectations reflected in practice,
• reduction in avoidable privacy-control gaps or unresolved issues,
• clear privacy advice and governance traceability,
• and effective support for privacy-related audit, governance, or regulatory evidence requests.

Outputs and records

The role is expected to contribute to or oversee:

• privacy-governance records,
• DPIA records,
• DSAR or information-rights handling records,
• breach and privacy-incident records,
• retention and privacy-control records,
• and privacy-related evidence or escalation records.

Appointment, induction, and review

Appointment to the role should be supported by:

• role definition and privacy-accountability clarity,
• access to relevant privacy, retention, and incident records,
• conflicts declarations,
• induction to Tyrogen's privacy-governance and evidence framework,
• and periodic review of capability, capacity, and advisory support sufficiency.

Linked documents

• Role Profiles
• Data Retention Policy
• DSAR Process
• Information Security Policy
• Ofqual Audit Access and Evidence Production
• GDPR README
• ROPA
• Retention Schedule
• Delegation of Authority
• Resourcing Plan for Regulated Awarding