Lisa Budd

London/Exeter/Bristol

Summary

As an experienced and qualified Data Protection Officer (DPO), my career spans 9+ years in ensuring and maintaining compliance with data protection laws and regulations. With a robust background in overseeing data privacy, risk assessment, and policy implementation, I have successfully developed and executed comprehensive strategies that safeguard sensitive information in alignment with UK GDPR, PECR and other relevant industry standards. Skilled in conducting audits, creating and implementing data protection protocols, and providing extensive training to ensure organisational adherence to data privacy laws. Seeking to apply my expertise with companies committed to obtaining the highest standards of data security and privacy.

Overview

9 years of professional experience

Work History

Data Protection Manager

Unite Students
Bristol, Devon
09.2025 - 12.2026
  • Managed a 3-person team through day-to-day planning.
  • Reviewed and updated governance plans to keep documents current and accurate.
  • Completed and maintained the ICO accountability tracker for clear audit trails.
  • Managed the RoPA (Record of Processing Activities).
  • Attended strategic stakeholder meetings to advise on current and future planning needs.
  • Developed and delivered comprehensive training programmes covering practical role-specific skills.
  • Conducted performance reviews to spot development areas and reward high achievers.
  • Advised senior management on facilities needs and supported ongoing operations.
  • Reviewed, drafted and updated current policies.
  • Maintained confidentiality of resident information in line with data protection policies.
  • Established robust data governance practices to meet data protection standards.
  • Redesigned and streamlined DPIA documents and process for simpler compliance and use across the business to encourage engagement.

I made the decision to leave Unite Students due to personal reasons. I have been living in the USA with family for the past 6 months and am now due to return back to the UK.

Data Protection Officer

Cuckoo Broadband
Reading/Exeter/London
04.2024 - 08.2025

Hybrid between 1-2 days in Exeter, Reading or London per week.

Cuckoo Broadband is a tech-forward startup backed by a major utility provider and had minimal data protection infrastructure upon my arrival. Over the past year, I’ve led the design and implementation of a comprehensive data governance framework, embedding strong data protection practices across the organisation from the ground up.

I also led the design and delivery of the Data Squad training program—an 8-week course with weekly 2-hour sessions—which resulted in a 90% pass rate across both cohorts for the IAPP Data Protection Foundation certification. Alongside this, I introduced ongoing training initiatives and a monthly data protection quiz, significantly increasing awareness and engagement across the business. I also played a central role in implementing the Technical Design Authority (TDA), the Data Protection Committee, and regular stakeholder governance meetings. These initiatives helped strengthen cross-functional collaboration, improve visibility across teams, and contributed to dissolving operational silos within the organisation.

Core Responsibilities:

  • Design, implement, and maintain a full data governance program.
  • Lead the Data Protection Committee and Technical Design Authority (TDA) meetings to engage stakeholders and drive compliance.
  • Maintain and manage the compliance workbook in line with ICO recommendations.
  • Serve as the primary point of contact for all data protection matters across the business.
  • Review contracts to ensure they contain appropriate data protection provisions, and negotiate amendments where necessary to strengthen and align them with compliance requirements.
  • Manage Subject Access Requests (SARs) and maintain the SAR register in collaboration with Customer Care Teams.
  • Create and embed a DPIA template and process, including associated data flow diagrams.
  • Conduct DPIAs and train employees in their use and importance.
  • Maintain and enhance the Record of Processing Activities (RoPA).
  • Proactively identify, assess, and mitigate data protection risks.
  • Perform privacy document audits and conduct gap analyses.
  • Draft and implement missing policies, including the Employee Privacy Policy.
  • Negotiate and establish robust data sharing and data processing agreements to address contract risk with suppliers.
  • Handle all BAU Data Protection Officer responsibilities in a fast-paced, scaling business.

Data Protection Officer

HS2, SCS Joint Venture
London, London
08.2020 - 10.2023

Hybrid between 1-4 days in the London office per week.

SCS JV is the Strabag, Skanska and Costain joint venture collaboration currently building the HS2 high speed train track between London, Birmingham and beyond.

During my employment with SCS JV I took part in a year long leadership program. This program was an initiative within SCS JV for aspiring leaders to mirror roles within the Senior Leadership Teams. This afforded me the opportunity to work on strategic activities, problem solve, provide reverse mentoring, influence and shape the future of the business and develop new skills.

One of my DPIAs was submitted to the ICO for advice and recommendations, reflecting the scale and complexity of the work.

During my time at SCS I have set up the Data Protection Forum, a knowledge exchange and support group for all HS2 joint venture DPOs, the SCS Data Protection monthly catch up for all the SCS joint venture DPOs and the Data Protection Committee.

These, along with monthly key stakeholder meetings, have been vital in understanding new projects that may be coming down the pipeline, any issues arising from projects in flight, the sharing of good practice and team bonding.

Core Responsibilities:

  • Design, plan and implement a complete data governance program.
  • Structuring of the Data Protection Committee to assist in engaging key stakeholders
  • Training and launch of the Data Guardians scheme to assist in embedding data protection across the project
  • Working closely with HR to achieve compliance whilst managing an extremely large and diverse workforce
  • Being single point of contact for everything data protection
  • Designing and implementing a DPIA template, processes and data flow diagram
  • Undertaking DPIAs and educating employees on the use of DPIAs.
  • Designing an article 30 register, disseminating and advising departments on how to complete. Using to generate ROPA.
  • Identifying potential risks and mitigating those risks.
  • Working with stakeholders to drive projects forward.
  • Educating and providing training on Data Protection, bringing an overall awareness throughout the JV.
  • Use of OneTrust.
  • Project Management of new systems during the assessment and implementation process.
  • Gap analysis and audit of privacy documents.
  • Review, writing and implementing missing policies.
  • Writing and implementing the Employee Privacy Policy.
  • Mitigating risks for weak contracts with robust data sharing and data processing agreements.
  • All BAU data protection officer duties.
  • Interviewing and engaging junior members to form the data protection team.
  • Daily management and support of junior team members to help them grow.
  • Prep, contribute and take part in ISO27001 audit.
  • Demonstrated consistent hard work and dedication to achieve results and improve operations.
  • Actively listened to stakeholders and team members to fully understand requests and address concerns.

Senior Data Protection Specialist

Arcadia
London, London
04.2019 - 04.2020

On site 3 days per week at the London Office

I was contracted to Arcadia as a Data Protection Specialist. The role comprised of day to day data protection duties.

Core Responsibilities:

  • Undertaking DPIAs on legacy and in flight systems.
  • Contributing to the new DPIA process and forms.
  • Meeting with stakeholders to drive projects forward.
  • Working closely with the marketing team to achieve compliance in implementing their marketing plan in line with PECR.
  • Assisting teams to complete DPIAs.
  • Reviewing DPIAs, highlighting the risks and detailing mitigation options.
  • Liaising with in-house departments to make sure they were included in the DPIA process by the Project Owner to bring a cohesive company approach to DPIAs.
  • Mentoring Junior Advisors giving guidance and support.
  • Taking part in supplier and internal audits.
  • Producing a weekly report to the Group DPO.
  • Updating the project tracker so that the DP team has sight of the current status of projects under my wing.
  • Provide training.
  • Adhered to data protection laws and other legal regulations.

Interim Data Protection Officer

Good Energy
Chippenham, Somerset
11.2018 - 04.2019

Hybrid: 4 days a week in the Bath office, 1 working from home.

The role comprised of getting them back on track after the introduction of GDPR on the 25th May 2018.

Core Responsibilities:

  • Discovering outstanding actions from the data governance plan.
  • Amending and implementing the data governance plan.
  • Reviewing current policies and plugging gaps.
  • Reviewing Data Registers and Retention Policies.
  • Amending where appropriate and compiling a complete up to date set of policies.
  • Reviewing working processes currently in place including SARs and RTE.
  • Reviewing new starter training data protection content and extending where required.
  • Writing, delivering and assessing annual refresher training across the business as a whole.
  • Undertaking DPIAs on new systems already in the work stream.
  • Retrospectively undertaking DPIAs on systems processing high volumes of personal data and reactively catching those about to be deployed.
  • Developing processes to embed DPIAs across the business as a whole.
  • Attending IT monthly meeting to discuss future systems, talk through architecture and potential system risks.
  • Being the main point of contact for Data Protection and compliance queries.
  • Managing junior staff who administered SAR requests.
  • Data breach investigation and implementing mitigation measures.
  • Preparing weekly update reports to the Chief Exec and content for the monthly Exec meeting slide pack.
  • Implementing new SAR process on the Good Energy website to circumnavigate the Customer Complaints Team and enhance the customer experience.
  • Liaising closely with Legal and Procurement to review DP schedules within 3rd Party contracts.
  • Working closely with the Marketing team to advise on new marketing initiatives so that PECR was not breached.

Data Protection Specialist

Teignbridge District Council
Newton Abbot, Devon
02.2018 - 10.2018

On site

Engaged to design and implement the District Council's data protection governance plan ready for the introduction of the GDPR

Core Responsibilities:

  • Auditing the current status of the District Council data protection posture.
  • Preparing a Governance Plan with a RAG listing of importance.
  • Find solutions for high risk processing.
  • Implement new processes that did not breach the new regulations.
  • Produce new and review the current set of policies.
  • Embed data protection throughout the Council.
  • Prepare monthly reports for the Chief Executive.
  • Training for all staff and Council Members.
  • Leave the Council with a governance road map.

Skills

  • Certified Information Privacy Professional Europe - CIPP/E
  • Certified Information Privacy Manager - CIPM
  • Certified Data Protection Officer - CDPO
  • Certified GDPR Practitioner
  • IAPP AI Governance Certification
  • Studying for the Certified Information Privacy Professional United States - CIPP/US
  • City and Guilds Trainer 7300 certificate
  • Undertaken training for CISSP (Certified Information System Security Professional)

Interests

Spending time out at sea on my boat.

Weekend Park Run.

Gym.

Accomplishments

A highly experienced and accomplished Data Protection Officer with a proven track record of developing, implementing, and overseeing data protection governance frameworks across a range of sectors. My career includes key roles such as DPO for the HS2 construction joint venture (SCS), several Councils, utility companies and Data Protection Specialist for the global retail group Arcadia, where I led large-scale compliance programs and embedded best practice governance strategies. Recently at Unite Students, I led the development and execution of data protection governance initiatives, ensuring compliance with UK GDPR and PECR.

I specialise in identifying compliance gaps and building governance programs from the ground up — a skillset I’ve applied successfully in roles with organisations such as Good Energy and various government authorities.

My work typically includes stakeholder engagement, policy and process reviews, and the establishment of governance structures such as data protection committees and Technical Design Authorities. I’m particularly passionate about awareness and training, and have designed and delivered tailored programs for teams across all levels. Notably, I launched the Data Guardians scheme at both SCS and Cuckoo, helping embed a culture of accountability and continuous improvement.

To date, I’ve trained two full cohorts at Cuckoo for the IAPP Foundation in Data Protection, achieving a 90% pass rate across both.

I have experience of supporting with the implementation of ISO 27001 in preparation for auditing.

I hold CIPP/E, CIPM, and CDPO certifications, and am currently studying for the CIPP/US. I have undertaken my CISSP training. I have attended the IAPP AI Governance certification training to make sure I stay ahead of the evolving regulatory landscape.

Timeline

Data Protection Manager

Unite Students
09.2025 - 12.2026

Data Protection Officer

Cuckoo Broadband
04.2024 - 08.2025

Data Protection Officer

HS2, SCS Joint Venture
08.2020 - 10.2023

Senior Data Protection Specialist

Arcadia
04.2019 - 04.2020

Interim Data Protection Officer

Good Energy
11.2018 - 04.2019

Data Protection Specialist

Teignbridge District Council
02.2018 - 10.2018