Data Protection Senior Associate (L2) - Risk Management, CBS - Manchester
Job Description
At Ernst & Young (EY), the Risk Management (RM) function plays a critical role in identifying, managing, and mitigating risk across the business. RM supports the firm in upholding EY’s business standards, protecting its reputation and value, and ensuring compliance with all applicable legal, regulatory and professional obligations.
The UK Data Protection team supports the firm in complying with data protection and privacy legislation and regulatory requirements. The team develops, implements, and maintains data protection policies, standards and procedures; provides advice on complex matters; delivers training and awareness; and monitors the application of global and local policies.
The team sits within Central UK Risk Management alongside other specialist risk and compliance functions.
The Opportunity
This role supports EY’s compliance with data protection and privacy legislation, including the UK GDPR and the Data Protection Act 2018. It is suited to an experienced compliance or risk professional who operates with independence, accountability and commercial judgement.
As a Senior Associate, you will take ownership of complex data protection matters, progressing work with limited supervision and acting as a trusted escalation point for the business. You will exercise confident decision‑making, provide clear and pragmatic advice, and influence stakeholders across the firm.
Your Key Responsibilities
- Act as the first point of contact for the business on data protection queries, providing clear, pragmatic advice while balancing regulatory requirements with commercial realities.
- Independently manage data subject rights requests, determining appropriate actions and escalating only when necessary.
- Lead investigations into data incidents and breaches, taking ownership of fact‑finding, containment and mitigation, and coordinating with stakeholders to drive timely resolution.
- Lead and coordinate the review of Privacy and Confidentiality Impact Assessments (PIAs) for EY products, applications, tools, technologies and suppliers, providing risk‑based assessment and guidance to product owners on required controls and mitigations.
- Draft, review and update internal data protection policies, procedures and training materials, ensuring they are practical, current and aligned to regulatory expectations.
- Manage personal workload and competing priorities autonomously, ensuring work queues progress efficiently and service standards are met without day‑to‑day direction.
- Proactively identify opportunities to improve and streamline data protection processes, taking responsibility for driving enhancements rather than merely supporting them.
- Support wider Data Protection initiatives and projects, contributing expertise and leadership as required, with minimal supervision from Managers or the Data Protection Officer.
Behaviours, skills and attributes for success
- Operate with confidence and independence, progressing work and making informed decisions without detailed instruction.
- Demonstrate an “ownership” mindset — seeing issues through from identification to resolution.
- Provide credible challenge and clear messaging to senior stakeholders, including delivery of difficult or risk‑based advice.
- Remain resilient and effective in a fast‑paced, ambiguous environment, adapting quickly as priorities change.
- Have a strong ability to plan, prioritise and execute work independently, managing complexity with minimal oversight.
- Exhibit excellent judgement and problem‑solving skills, confidently taking responsibility for decisions.
- Communicate authoritatively, able to influence and advise stakeholders at all levels of the firm.
- Maintain a calm, professional, positive and resilient approach under pressure, with a pragmatic and solutions‑focused mindset.
- Maintain high levels of accuracy and attention to detail.
- Work collaboratively within a high‑performing team, contributing to wider objectives and supporting colleagues where needed.
To qualify for the role you must have:
- At least two years of professional work experience in a relevant role such as complaints handling, incident management, quality control/assurance, risk management, legal or compliance.
- An interest in understanding UK data protection and privacy legislation and a risk‑based approach to compliance.
While full training will be provided, ideally, you’ll also have one of the following:
- Familiarity and practical experience with the application of data protection law and/or policies.
- Experience working in financial/professional services or a regulated environment.
- Certified courses or qualifications in data protection or privacy, e.g., CIPP/E.