Ashurst is a leading progressive global law firm with a rich history, celebrating its bicentenary in 2022. We are proud of our history and future-focused, having expanded into new technologies through our NewLaw division, Ashurst Advance, and our consulting arm. Our in-depth understanding of our clients and commitment to providing excellent standards of service have seen us become a trusted adviser to local and global corporates, financial institutions and governments in all areas of commercial law. To find out more please visit www.ashurst.com.
In order to comply with regulatory and client requirements, Ashurst will undertake appropriate vetting of staff. When applicants accept a job offer, Ashurst, alongside a specialist provider, will undertake professional verification and background checks. These checks are only undertaken with consent, and in accordance with our legal and regulatory obligations.
This role will help drive the Risk & Compliance objectives relating to Data and Tech, to ensure compliance and to enable and support the successful delivery of the firm's digital transformation and data strategy underpinning the 2026 business plan.
While based in the UK, this role is set in the context of a global international firm, with the aim of gaining maturity in the Data and Tech space globally. This maturity will serve to:
(1) better inform strengthening key activities of the Risk & Compliance Framework, and
(2) support design and delivery of key strategic projects (amongst others, Digitalisation and Data Strategy).
The Risk & Compliance function is commercially minded and focuses on adding value to the business as well as the clients.
The successful candidate will work collaboratively across functions to ensure the continued delivery of strategic objectives.
The successful candidate will be expected to ensure that the design of policies, controls and processes is aligned to this focus.
Business as Usual and specialist knowledge:
Policies, procedures and processes
- Ensure the consistent review, gap analysis, remediation and change of the full suite of data protection and privacy policies, procedures and processes as appropriate and on an annual basis at a minimum
- Review and actively promote refinements in the design of all policies, processes and controls which ensure compliance with data subjects' rights (incl. technical improvements in the management of DSARs)
- Actively participate in the design of policies, controls and mechanisms in relation to data destruction and retention
- Ensure full analysis of relevant data and technology related regulations (and reporting mechanisms therein) applicable, ensure pertinent adjustments in policies, procedures and processes relevant to the expansion
- Organise systematic mapping, review and horizon scanning of all Data, Tech and Information Security Legal and Regulatory
- Ensure adequacy of Cookies policies across our estate of systems
Incident response management
- Actively participate in the review and enhancement of our incident, event and breach management across the relevant functions globally. Ensure that ISO standards are met for ISO27001 and leverage the work performed to contribute to achieving ISO31000 and 9100 certification
Modernising key processes
- Review and enhance the templates and management of DPIA, LIA or TIA supported by robust integrated systems to ensure timely reporting and controls across the firm
- Work with the relevant data and architects team as well as within the Data Strategy workstream to refine our firm's mapping suite. Ensure alignment wherever appropriate with our ROPA, adequately and systematically testing the review and updates
Corporate governance compliance
- Ensure compliance with the obligations set out in our Intra-Group Transfer Agreement which govern the flow of data across our global firm
- Advise and ensure compliance with data sovereignty and data residency requirements from our clients
- Advise on any changes to the geographical footprint of the firm and compliance with the Data, Tech and IS legal and regulatory obligations
- Ensure that all data related risks are inventoried and adequate controls are in place to remedy and mitigate impacts
Client commitments, audits and the firm's supply chain
- Ensure that all inputs relating to data and tech are adequately inserted in client commitments and RFPs
- Ensure that all inputs relating to supply chain obligations are complied with at onboarding and in auditing activities
- Ensure client audits are successfully conducted and remediated in line with our obligations and the firm's strategic direction
Project work and cross-functional workstreams:
Data security: support all work with a data security nexus as directed by the Programme Team. Participate in all current projects (DLP, CASB, security extensions of Teams and Intapp Walls amongst others)
Data Management: work with the ASC to test implementation of data management initiatives (e.g. consents) across our technology estate, geographical footprint and requirement as required.
Data Governance: work collaboratively across legal and business services teams to raise and devise or refine data governance plans to drive and embed a data culture across people, processes and tech
Data Strategy: work collaboratively with stakeholders to provide input in the relevant workstreams, advising and informing the relevant key stakeholders as directed
Data architecture: assist as required the relevant teams in new initiatives: new geographical offering, relocation to any systems design or programme governance, with a view to ensuring agile implementation and sound execution
Digital transformation: ensure that any work under the Digital Transformation strategic projects benefits from this Team's recommendations, review risk assessment to enable delivery and successful change management
Ashurst Advance and Ashurst Digital Ventures: ensure Data and Tech Reg support in our Ashurst Advance and Ashurst Digital Ventures offering and enable the drafting of data related policies and procedures to support their business model and delivery schedules
Perform key strategic forward planning:
- Ensure data handling practices are aligned to a set of Data Ethical standards
- Ensure framework for management of copy data risks, alternative data sources and data mining. Ensure review and compliance with metadata management in the law firm context
- Ensure robust mechanisms are in place to capture, test and comply with all relevant broader Data and Tech regulations to support the digital transformation of our business globally, including but not limited to:
  - Cloud Compute requirements itemised and updated as relevant to our estate
  - Cyber encryption regulations and network access or routing techniques in the relevant jurisdictions
Training and raising awareness:
- Seek opportunities for regular and consistent engagement both within function and wider business:
- Raise awareness, champion and conduct meetings with partners and/or clients as well as other leaders in our business services functions in relation to Data & Tech regulatory requirements and their impact on the effective implementation and pursuit of our business strategy
- Raise awareness and educate on Data and Tech regulation, policy and procedure worldwide in a relevant and engaging manner: design, implement, improve and deliver training sessions to our wider business as required
- Develop and continually enhance a commercial understanding of the practice areas of the firm and relevant commercial strategy to assist in anticipating, and devising mitigation plans for, data and tech risk issues presented, in compliance with regulations, client requests and the firm's risk posture
Supervision, management and coaching:
- Support the Glasgow team's development; review and monitor team work to identify development needs. Assist all team members with queries, provide guidance on the resolution of difficult queries, spot-check analysis and debrief
- Manage priorities and meet deadlines as well as provide clear direction to achieve outcomes
- Available outside of business hours to provide support when required
Risk and Control: Ensure that all activities and duties are carried out in full compliance with our regulatory requirements and internal policies.
Essential skills and experience:
- Deep expertise in Data Privacy and corresponding information security issues faced by international global law firms and sound experience in dealing with these issues at all levels of the organisation
- Expert understanding of the partnership model and the challenges faced by today's legal industry
- Ability to put an argument across in a clear, articulate way showing sound business acumen to the partnership, senior management or clients of the firm
- Discreet and professional in handling sensitive, confidential situations
- Strong interpersonal skills, able to liaise effectively at all levels across the firm and offices
- Lead by example
- Commitment to supporting the team as a global function and ability to strengthen those connections globally
- Strong organisational and research skills, attention to detail and able to work well under pressure
- Ability to work efficiently, prioritise and meet deadlines
- Flexible and able to adapt quickly and positively to new situations
Education and requirements
- UK/Overseas risk, data or legal qualification with strong relevant experience in Data, Tech or Information Security
- In-depth knowledge of key rules influencing the governance of law firms: SRA rules, GDPR, PIPPa, CCPA/PR, including data protection laws' impact on AML regulations; FCPA and Anti-Bribery Act UK; Tax transparency regulations; financial sanctions (US, EU, UK, Australia)
- Expertise in data compliance framework
- Experience in data related enterprise risk and compliance issues
- Experience in advising clients on data related obligations in contracts or during audit
- Strong supervisory, team leading experience in educating members of a law firm in Compliance procedures