Compliance Officer

About us

We are a leading consultancy with a purpose to make an enduring impact on health and healthcare. We work with leaders and frontline teams to improve health, transform healthcare, drive adoption of innovation and create value through investment.

Our consultancy serves the entire healthcare sector, from payors and providers of care, to life science companies, health tech and sector suppliers and health investors. We provide end-to-end services, from strategy through implementation, accelerated by data, digital and AI.

We shape opinion through evidence-based thought leadership on key issues affecting health. With unmatched ability to access and use health data, our consultants are a driving force for delivering positive and meaningful change.

About the role

The Compliance Officer sits within the Data Operations team and reports directly to the Director of Data, Analytics and Intelligence. The role is the operational coordinator for information governance (IG), data protection, and regulatory compliance across CF. It is also an enabling role within Data Operations, responsible for the workflow management and project coordination that allows the team to operate efficiently. The Compliance Officer provides day-to-day coverage of the DPO responsibilities that sit beneath the Director of Data, Analytics and Intelligence, who holds the statutory Data Protection Officer designation. The Compliance Officer will undertake recognised DPO training and certification, enabling them to act as the primary point of contact for all compliance-related queries across the business.

The role primarily spans three interconnected business functions — IT, People, and Data Operations — with additional support to the wider corporate team as needed. The Compliance Officer is responsible for reducing regulatory risk, maintaining audit readiness, and providing structured assurance to the Board and Executive Committee. Responsibilities include information governance and data protection, ISO certification coordination, data breach compliance and incident response, people and employment compliance, regulatory monitoring, and legal and IP query management. As with all corporate functions, the role will span compliance obligations across existing and emerging geographies (UK, Middle East and Europe).

This is an excellent opportunity for a graduate with a legal background — or someone early in their compliance career — to develop a broad and substantive compliance portfolio within a dynamic, data-rich healthcare consultancy. Full training and professional development support will be provided.

Responsibilities

The requirements, responsibilities and duties of the role will include, but are not limited to:

Policy Development and Maintenance

• Develop, maintain and regularly review internal compliance policies to ensure staff are equipped to meet regulatory obligations, including:

• Data protection and privacy policies, including employee and candidate privacy notices

• Employment contracts

• Associate agreements and Statements of Work (SoWs)

• Anti-bribery and conflicts of interest policies

• Information security policies aligned to ISO 27001

• Identify and flag compliance issues, deviations from standard terms, or matters with wider legal or commercial implications, escalating to the People team and legal advisors as appropriate

• Own the annual policy review cycle, coordinating with relevant function leads to ensure policies remain current and fit for purpose

• Develop accessible plain-English guidance and FAQs to support staff understanding and day-to-day compliance

Data Protection Officer

• Act as the operational Data Protection Officer and primary internal contact handling day-to-day data protection queries, escalating to the Director of Data, Analytics and Intelligence as required, relating to:

• UK GDPR compliance queries

• CF technical products (e.g. HealthStrata)

• Maintain and update Records of Processing Activities (ROPAs) across the business, working with data owners to ensure completeness and accuracy

• Maintain the Information Asset Register (IAR) across CF, ensuring it reflects current systems, data flows and processing activities

• Review and advise on Data Protection Impact Assessments (DPIAs) and Data Sharing Agreements (DSAs) for new projects, client engagements and internal systems, working with technical leads and project managers to identify and mitigate risks

Data Breach Compliance and Incident Response

• Ensure CF’s data breach policy and incident response process is embedded across the business and adhered to consistently

• Act as the first point of contact for suspected or confirmed data breaches, leading the internal response and coordinating with relevant function leads

• Maintain a data incident and breach register, ensuring all incidents are documented with appropriate detail for regulatory audit purposes

• Conduct post-incident reviews to identify root causes and drive remediation, reporting findings and lessons learned to the IG Committee and senior leadership

• Develop and deliver breach awareness training so that all staff understand their obligations to report suspected incidents promptly

Information Governance Coordination

• Coordinate the monthly IG Committee, including scheduling, agenda-setting, minute-taking and action tracking

• Prepare briefing materials and compliance reports for the Committee, including updates on training completion, audit status, incident logs, breach register and regulatory developments

• Follow up on actions and decisions arising from Committee meetings, maintaining a live action log and escalating overdue items as required

• Support the Director of Data, Analytics and Intelligence in fulfilling the governance obligations arising from Committee oversight

• Work closely with the Director of Data, Analytics and Intelligence and the Office and Facilities Manager to coordinate CF’s annual ISO 27001 (Information Security Management) and ISO 9000 (Quality Management) audit programmes including:

• Managing audit preparation, scheduling and evidence-gathering, working with relevant teams to ensure readiness

• Liaising with external auditors and certification bodies, acting as the primary point of contact throughout the audit cycle

• Maintaining and updating the Information Security Management System (ISMS) documentation, including policies, risk registers and statement of applicability

• Tracking corrective actions and non-conformances (NCRs) arising from audits, following up with responsible owners to ensure timely resolution

• Maintaining and updating CF’s information security and governance policies in line with ISO requirements, coordinating the annual policy review cycle

• Supporting continuous improvement of CF’s information security and quality management practices

Training and Awareness

• Maintain and deliver the CF-wide IG training programme, including mandatory annual training for all staff and induction training for new joiners

• Develop training materials and internal communications to promote IG and data protection awareness across CF, including accessible guidance on GDPR obligations, information security practices and ethical conduct

• Monitor and report on training completion rates, maintaining auditable records of compliance and reporting to the IG Committee and senior leadership

• Deliver refresher compliance training covering GDPR, information security, data breach obligations and anti-bribery requirements

Data Operations Workflow Management

• Maintain the Data Operations intake and triage process for incoming data requests, ensuring requests are logged, prioritised, assigned and tracked through to completion with clear visibility for the Director of Data, Analytics and Intelligence and Lead Data Engineer.

• Implement and maintain Agile working practices within Data Operations, including sprint planning, backlog management, stand-ups and retrospectives, adapted appropriately for a small data operations team

Maintain a live view of team capacity and workload across Data Operations, supporting the Director of Data, Analytics and Intelligence in resource allocation and prioritisation decisions

Requirements

• A legal degree or equivalent legal or compliance qualification, or demonstrable experience in a compliance, information governance or data protection role

• Demonstrable knowledge of UK GDPR and the Data Protection Act 2018; understanding towards or willingness to pursue recognised DPO certification

• Strong attention to detail with the ability to identify risk in complex documentation and translate regulatory requirements into practical, actionable guidance

• High personal integrity and the confidence to raise concerns or challenge decisions where necessary

• Highly organised with the ability to manage multiple workstreams simultaneously and prioritise effectively

• Excellent written and verbal communication skills, with the ability to produce clear policy documents, training materials and committee reports

• Comfortable working across multiple business functions, building effective relationships with technical, operational and people teams

• Discretion and professionalism in handling sensitive personal and commercial information

Flexible working

We follow a hybrid working model that balances in person connections and remote work to drive exceptional client impact. We enjoy working in person together with clients and colleagues and work where clients need us to be.

In supporting flexibility and remote working, team members can work from home one day per week as standard. Additionally, we offer 44 remote working days per year which can be used to top up your working from home days and enable you to work from home up to two days per week-subject to client needs. Alternatively, you could use your allowance in blocks to manage school holidays or other commitments. Our core in person working hours are from 10am until 4pm allowing you that extra flexibility to manage your schedule in a way that works for you.

Our commitment to Diversity & Inclusion

We are committed to building an inclusive and supportive culture where diversity thrives, and all our people can excel. We only recruit, promote and reward our people based on their skills and contribution, without regard to gender, race, disability, religion, nationality, ethnicity, sexual orientation, age, marital status, or other characteristics.

We are Disability Confident Accredited, and we want you to feel comfortable and able to perform at your best in the recruitment process. If you require any reasonable adjustments for any part of the recruitment process, please let us know.

Benefits

• Holiday entitlement: 25 days/year for staff and 30 days/year for leadership, increasing by 1 day for every year of service up to a maximum of 35 days of holiday per year

• We contribute 7% of your salary into your pension, while you contribute 3% (or more if you like)

• Access to a flexible benefits programme giving you the chance to increase pension contributions, gain access to a cash plan or benefit from a ClassPass subscription

• Annual leave purchase: employees with less than 35 days annual leave entitlement are able to purchase additional annual leave days

• Income protection: in the event of long-term incapacity and a qualifying claim, 75% of salary will be paid

• Enhanced sick pay benefit beyond Statutory Sick Pay for up to a total 12 weeks in any 12-month period

• Life insurance covering four times your basic salary in a tax-free lump sum payable to your beneficiaries in the event of your death whilst in service

• Enhanced family leave policies: additional pay for parents who have a baby or adopt

• Access to an interest-free loan of up to £10,000

• Access to an interest-free season ticket loan, repayable by 12 monthly instalments

• Workplace nursery scheme: access to a scheme to help working parents save tax and NI on the cost of the nursery care

• Flexible working policy: including the ability to work from home up to two days per week, with 44 remote working days per year

• An employee assistance and wellness programme: including access to telephone counselling, life coaching, interactive tools online and digital content downloadable from Lifeworks

• Seasonal flu jabs: provided by Boots annually

• Eye care tests: vouchers and discounts at Vision Express

• Ride to work scheme, saving up to 42% on bikes and cycling accessories at Evans Cycles

• Membership to the Health Service Journal (HSJ)