Head of Cyber Security and Data Protection

We're The Restaurant Group (TRG for short) and we're one of the UK's biggest hospitality businesses. With over 40 years in the game, we are a significant player in the UK casual dining market, operating a number of renowned restaurants and pubs including Wagamama, Barburrito, and Brunning & Price. Our diverse portfolio of brands provides something for everyone, and we are proud to be TRG.

Reports To: Chief Information Officer (CIO) / Dotted line: General Counsel

Team: Cyber Security Manager and various supplier partners

The Role:

The Head of Information Security & Data Protection Officer (DPO) will be responsible for leading the company's information security strategy, ensuring the protection of digital assets, systems, and sensitive data across the organisation. This role also encompasses all Data Protection Officer responsibilities, leading the organisations privacy programme and associated committee whilst ensuring compliance with UK GDPR and other applicable data protection regulations. The role holder will develop, implement, and maintain robust cyber security policies, practices, and procedures while ensuring the company meets its legal obligations concerning data privacy. Operating within the restaurant and hospitality sector, this role will also focus on securing point-of-sale systems, customer data, and digital transactions in a fast-paced environment.

Cyber Security Strategy & Management

• Develop and implement a comprehensive information security strategy tailored to the needs of the The Restaurant Group.
• Lead the design and implementation of effective cyber security controls to safeguard digital systems, including customer data, financial information, and point-of-sale (POS) systems across the group.
• Monitor, assess, and mitigate vulnerabilities and threats, using tools like firewalls, intrusion detection systems, encryption, and other cybersecurity technologies.
• Regularly conduct risk assessments and security audits of all IT systems, applications, and infrastructure.
• Develop a cyber resilience plan, ensuring business continuity and disaster recovery mechanisms are in place

Data Privacy & GDPR Compliance (Data Protection Officer Responsibilities)

• Serve as the company's Data Protection Officer (DPO) in compliance with the UK GDPR and Data Protection Act 2018.
• Advise the organisation on its legal obligations under data protection laws, ensuring the proper handling of personal data across all business processes, especially in customer data collection and marketing activities.
• Lead data protection impact assessments (DPIAs) to identify and mitigate privacy risks in new projects and services.
• Act as the point of contact with the Information Commissioner's Office (ICO) and manage data breaches in accordance with the law.
• Develop training and awareness programs for employees around data privacy and security best practices.
• Records of processing: maintaining each business division's personal data processing activities on OneTrust.
• Incident management: managing personal data incidents, including investigation, response, notification assessment and remediation.
• CCTV management: assisting with the CCTV improvement plan, conducting DPIAs, drafting processes and completing annual registrations.

Information Governance & Compliance

• Privacy programme support: managing TRG's data privacy programme and compliance framework.
• Ensure compliance with industry-specific regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS) for secure transactions.
• Oversee third-party risk management, ensuring vendors and service providers adhere to security standards.
• Prepare regular reports for senior management, detailing information security risks, incidents, and mitigation strategies.

What we're looking for:

• In-depth understanding of UK data protection laws (UK GDPR, Data Protection Act 2018) and experience in a Data Protection Officer role.
• Strong knowledge of cybersecurity frameworks (e.g., ISO 27001, NIST), technologies, and best practices.
• Familiarity with compliance requirements in the hospitality industry, including PCI DSS.
• Experience in risk management, vulnerability assessments, and penetration testing.
• Experience with OneTrust (desirable)

Education and Qualifications

• Bachelor's degree or equivalent from an accredited university, preferably in a legal or technical topic.
• Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), or similar credentials.
• Certified Data Protection Officer (CDPO), Certified Information Privacy Professional (CIPP), or equivalent certification.

What We Can Offer You:

• Up to 20% bonus
• Excellent benefits package including 30% discount for dine-in with friends and family and any of our TRG brands including wagamama's, Barburrito, Brunning and Price Pubs and any of our airport concessions
• Single Healthcare Cover
• Birthday meal on us
• Access to discount platform
• Health Assured
• Group Income Protection
• Life Assurance
• Wide range of apprenticeship opportunities for development and personal growth

We're committed to creating an inclusive environment for all, where team members are valued for their unique perspectives. We are proud to celebrate our diverse voices! And we are a disability confident employer.

We want every candidate to have the opportunity to succeed, we will ask if you need any adjustments during the application and interview process to be your best!