Data Protection Manager

At AQA, we’re committed to advancing education and we’re committed to our people. As the largest provider of academic qualifications in the UK, we mark over 10 million exam papers each year and it’s our people who make this happen.

Data Protection Manager

Manchester: £50,339 - £60,178

Permanent

Think you can lead data protection at a national scale?
Imagine being the go-to expert for privacy and governance in an organisation impacting millions of learners. If you’re ready to influence change, ensure compliance, and embed a privacy-first culture—this is your moment.

Join us in driving responsible data practices!
As Data Protection Manager at AQA, you’ll be at the heart of our Data Protection and Compliance team, reporting to the Group Data Protection Officer. You’ll manage and improve the data protection framework, shaping policy, managing compliance activities, and advising across all business functions. From handling SARs and data breaches to delivering training and awareness, your expertise will help us protect data while enabling innovation across AI, tech, and governance.

What’s in it for you?

• Impact & influence: Shape how we deliver privacy across the business, from tactical policy to day-to-day operations.
• Career development: Work alongside leaders in data governance, security, and AI ethics.
• Autonomy & variety: Lead end-to-end on DPIAs, SARs, RoPA, audits, retention, policy development, contracts, supplier risk, breach response, training, and more.
• Enjoy a flexible work environment with a 35-hour week and extensive opportunities for professional and personal development.
• Access to an enhanced contributory pension scheme which could you see you paying in 7% and AQA contributing 11.5% (Other options are available)
• Receive 25 days of annual leave, increasing to 30 days with service, plus bank holidays and additional Christmas office closure.
• Comprehensive health coverage from day one, including Bupa PMI, Health Cash Plan, and Life Assurance.
• Participate in eco-friendly transport schemes, including electric vehicles and cycle-to-work options.

You’ll need:

Experience with data protection frameworks (ISO 27701), RoPA, IAR, SARs, DPIAs, and breach management etc.

Strong communication, stakeholder engagement, and people management skills.

Certifications in data protection (e.g., CIPP/E, CIPM, PC.dp) or AI ethics / governance (e.g. AIGP).

Experience in a similar governance or compliance role preferably within a large complex organisation.

How do I apply?

Read the full job description and upload your most recent CV by following the link provided.

Closing date for applications will be Monday 21st April.

AQA is an equal opportunity employer committed to fostering an inclusive and diverse workplace where everyone—regardless of religion, ethnicity, gender identity or expression, age, disability, sexual orientation, or background—is valued, respected, and supported to thrive

Recruitment Agencies

We have a preferred supplier list (PSL) in place.

Unsolicited CVs will be treated as a gift. We will not be subject to or liable under your terms and conditions for agency fees.

Full Job Description

Summary

Purpose:
In your role as Data Protection Manager, you will operate within the (Enterprise Technology) Data Protection and Compliance team. You will be responsible for the development, implementation, and maintenance of AQA’s Data Protection framework and for the delivery and management of related governance and operational processes whilst directly contributing to the embedding data protection practices and frameworks across the organisation.
You will possess an inherent and robust understanding of Data Protection principles, legislation, technologies, and regulation and have demonstrable experience in the application and delivery of related governance.
You will ensure that the organisation operates in alignment with and adherence to any and all relevant legal, regulatory, and organisational governance and policy requirements, influencing, guiding and where necessary facilitating compliance.
You will provide business stakeholders with timely and effective advice / guidance and support, shaping and guiding how they may effectively and proportionately achieve any required levels of compliance.
You will promote the effective and proportionate delivery of data protection related governance through a variety of mechanisms including:
• effective stakeholder engagement / communication
• creation and delivery of training & awareness content
• application of consultative technical expertise / subject matter knowledge
• delivery of governance, risk management and related performance monitoring / reporting
• collaborative management and leadership skills
You will be familiar with, and ideally have experience of, the use of tools / platforms to deliver of Data Protection related management, governance, and compliance.
You will foster a positive culture of data privacy and protection throughout the organisation ensuring adequate and proportionate compliance with all relevant domestic / national and international DP and AI regulations.
You will provide business stakeholders and senior leadership with regular assessments and reporting covering Data Protection governance health, compliance performance and any related risks / issues and suggestions for how they might be addressed.Landscape:
The Enterprise Technology Division sits within the Corporate Services Division, enabling the centralised delivery of core corporate services. In addition, Enterprise Technology operates in close partnership with Assessment Technology and Programme Management, collectively delivering the full IT service portfolio of current operations to future change programmes.
The Data Protection Manager role sits within the Architecture and Security department in the Corporate Services Office - Enterprise Technology business area, reporting to the Group Data Protection & AI Ethics/Governance Lead. This role is a management position that requires collaboration and close working with cross-functional teams, wider team members, technical teams, legal, and business units.
Enterprise Technology consists of the following functions:
Service Delivery
Enterprise IT Services (Core IT Delivery teams - desktop, systems & infrastructure)
Enterprise Applications
Architecture & Security
Architecture & Security consists of:
Architecture (including Enterprise oversight)
Security & Risk
Security Operations (including Security Operations Centre)
Data Protection & Compliance
The Data Protection and Compliance team compromises of 5 team members delivering into the roles of:
Group Data Protection and AI Ethics lead
Data Protection Manager
AI Governance Manager
Data Protection Administrators(s)
Activities:
Manage the main day-to-day contact with the business to advise on potential complaints and data breaches, managing data breach notifications, ensuring that all data breaches are investigated, and remedial action is undertaken in accordance within the UK GDPR, Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
Manage the subject access request service for individuals and third-party requests for data, ensuring that all requests for information are properly handled as per UK GDPR and DPA 2018 requirements, in a timely manner.
Draft, implement, and maintain policies related to Data Protection, governance, risk, and compliance to ensure they remain compliant with the respective regulatory rules, regulations, and guidance.
Manage the operational development and delivery of a comprehensive and ongoing data protection awareness training programme, including face to face and on-line training, and disseminating new guidance on Data Protection to all colleagues and AQA partners.
Ensure that AQA remains complaint with UK GDPR and the Data Protection Act 2018, leading on the incorporation of any changes within policies and procedures.
Ensure that AQA is compliant with requirements for data protection under ISO 27001, ISO 27701 and ISO 42001 standards and contribute to audits as required.
Manage day-to-day data protection compliance, advising on data protection requirements and best practice.
Provide data protection input to new projects being implemented across AQA and its partner organisations and support the production of Data Protection Impact Assessments (DPIAs) as required with the relevant area of business.
Maintain all data protection governance services in relation to Records of Processing Activities (RoPA), Information Asset Registers (IAR), retention schedules, data sharing schedules, privacy notices, training compliance, regular Key Performance Indicator reporting to management, contract / data processing agreement reviews, international data transfers, conducting audits, DPIAs, regular and complex Subject Access Requests, management of data protection breaches.
Develop an understanding of operational processes and controls, and manage support in assessing their effectiveness in mitigating data protection risks faced by AQA.
Assist AQA at regulatory meetings on operational matters and other external stakeholder meetings as required.
Required to analyse complex service issues and determine appropriate resolutions in the interest of AQA and service stakeholders, whilst mitigating the risk of compliance failure in related regulated practices.
Assist in coordinating investigations, provision and interpretation of data and responses to regulatory authorities.
Proactively manages a team in delivering an effective and efficient UK GDPR and DPA 2018 services in relation to queries, complaints, data sharing, subject access requests etc.
Deliver a high-quality service to all customers, colleagues, associates and third parties, with high attention to accuracy of information.
Keep up to date with the latest Data Protection technologies and regulations, proactively promoting Data Protection best practice.
The role will also involve assisting the wider team with input into the development and delivery of AI Governance across the organisation.
To be successful in this role, you will need to know:
Technical Skills:
Strong understanding of data protection principles, regulations, technologies, and related risks / challenges / benefits.
Proficiency in tools for data protection compliance and AI governance, including monitoring and risk assessment platforms.
Operate systems related to the work of the Data Protection Team. A working knowledge will be required of any systems that will enable the post-holder to resolve queries at first point of contact or make outbound contact.
To utilise the available range of digital tools for communication, content creation and information processing in order to work effectively and efficiently. To maintain digital skills to meet business need.
To comply with AQA IT security policies.
Subject Matter Expertise:
Detailed understanding of Data Protection Legislation, including UK GDPR, Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Excellent working knowledge of Data Protection, processes, procedures, methodologies, and their practical application.
Good working knowledge of the administration of the Subject Access Request, contract, DPIA, RoPA/IAR, retention, and all other data protection process.
Excellent knowledge of managing, advising, and monitoring of all key aspects of regulatory risk, compliance, and assurance functions.
Broad understanding of the political, educational, and business context within which AQA works.
Excellent working knowledge and understanding of administrative procedures and IT applications.
Keep up to date with related domestic / international legislation.
Some knowledge of AI practices, principles, ethics, and regulation for cross team working.
People Management:
Ability to work with multidisciplinary teams with diverse expertise on data protection implementation.
Strong interpersonal skills for effective stakeholder engagement.
Mentor and develop wider team members to foster a culture of data privacy and protection.
Conduct workshops and training programs to educate employees about data protection.
To act as a role model, demonstrating the appropriate AQA behaviours, e.g. collaborative, team player, giving constructive feedback, developing, and managing self, in order to deliver excellent customer services.
By being a team player, enable high levels of performance from team and colleagues across the business by modelling AQA behaviours with confidence and providing clarity, challenge, feedback, coaching and development as required in line with business objectives.
Skills:
Experience in creating and implementing governance frameworks, risk management and compliance strategies.
Analytical mindset to assess compliance and risk implications of data protection in processes and systems.
Ability to manage audits and compliance reporting.
Excellent change management skills, tools, and techniques.
Ability to design, plan, deliver and measure the impact of quality & compliance programmes in an organisation.
Ability to assess complex information, situations and issues and deploy innovative problem-solving skills.
Ability to persuade and influence both internally and in external networks.
Strong communication skills, both orally (large/small groups) and in writing with an ability to convey complex information to business users.
Strong IT skills; accurate and proficient user of MS Office, particularly Excel, and other systems.
Leadership Skills:
Inspire and motivate team members and other colleagues.
Set challenging targets and support staff to achieve them.
Manage performance of staff effectively.
Work flexibly and adapt management style to get the best performance from staff.
Behaviours:
To model leadership behaviours with confidence and try to get the very best from direct reports and teams by providing clarity, feedback, coaching and development, while continuously seeking to enhance performance in line with business objectives.
Collaborative: works with others to achieve the organisation and team vision, contributing expertise and developing self and others to achieve excellence.
High integrity and commitment to responsible data protection practices.
Proactive and innovative approach to problem-solving.
Excellent communication skills to translate complex technical issues for non-technical audiences.
Experience:
Two to three years’ experience of working in a data protection role, dealing with Records of Processing Activities (RoPA), Information Asset Registers (IAR), retention schedules, data sharing schedules, privacy notices, training compliance, regular Key Performance Indicator reporting to management, contract / data processing agreement reviews, international data transfers, conducting audits, DPIAs, regular and complex Subject Access Requests, and management of data protection breaches.
Experience of developing and maintaining effective working relationships with a range of partners and stakeholders.
Experience of successfully delivering organisational wide data protection compliance frameworks in organisations.
Proven experience of working with senior level stakeholders, including third party suppliers, auditors, and regulatory bodies.
Experience in successfully delivering change through collaborative matrix management rather than hierarchical relationships.
Desired Qualifications:
Degree or equivalent professional qualification.
Certifications in data protection (e.g., CIPP/E, CIPM, PC.dp) or AI ethics / governance (e.g. AIGP).
Experience in a similar governance or compliance role.