Data Protection Officer

Mumbai, Maharashtra, India

Job Description


Position: Data Protection Officer

Education Qualification: Post-Graduation / Graduation / having good legal background.

Professional Qualification

  • Certification in any one or more professional certifications like CIPP-E / CIPP-A / CIPM / FIP.
  • Certifications in Certified Information Privacy Technologist (CIPT) / Certified Information Security Manager (CISM) / Certified Information Security Auditor (CISA) / ISO 27001 / ISO 31000.
  • Expert knowledge of data privacy laws and practices.
  • Exposure to data privacy laws and regulations such as the General Data Protection Regulation ('GDPR'), UK Data Protection Act 2018, etc.

Work Experience

  • About 10 - 15 years of work experience in the corporate sector, with exposure to the BFSI sector and regulator / law enforcement agencies.
  • In addition, candidates should have a minimum of 3-5 years (within overall experience of up to 15 years) of experience in Data Privacy Laws & Regulation, IP and other data security areas.
  • Preference will be given to candidates having higher experience in Data Privacy Laws & Regulation, Information Security and other data security areas.

Proficiency

  • The Data Protection Officer should have good knowledge of the data protection and privacy laws (Digital Personal Data Protection Act 2023 (DPDPA), General Data Protection Regulation (GDPR), etc.) and their impact on the organization, in line with requirements / advisories issued by various regulators - Government of India (GOI), Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), etc.
  • Various regulations / guidelines issued by the Government of India (GOI), Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI) and other applicable regulators pertaining to compliance, Information Technology, Cyber Security and legal domains.
  • Expertise in various technology integrations, cyber security and its impact in line with data protection practices.
  • Should have experience in a legal, audit, or risk management role and a proven track record of working as a DPO, compliance officer, or in a related position.
  • Excellent communication, collaboration, and facilitation skills are also required.
  • Able to communicate across all organizational boundaries in an appropriate manner.
  • Collaborate with all departments (Business, Technology, Compliance, Legal, Finance, etc.) for implementing privacy measures across the organization.
  • Strong organizational and management abilities are necessary to effectively manage programs and implement change.
  • Capacity to work with cross-functional teams, attention to detail, organisational skills and multitasking.

Roles And Responsibilities

  • Should have a good understanding of Banking/NBFC business.
  • To monitor and ensure compliance with DPDPA 2023 and other applicable data protection laws / advisories, and with the organization's data protection policies, including managing internal data protection activities.
  • Monitor Data Lifecycle Management (DLM) to manage data throughout its lifecycle, from data entry to data destruction, in coordination with various internal and external stakeholders, service providers and third-party vendors / partners.
  • Preparing and managing data privacy programs - assess the current state and start building data privacy within the organisation.
  • Assess current maturity against the DPDP Act's requirements and develop an action plan for compliance. The action plan can be bifurcated into short-term and medium-term plans covering governance, technology, people and process initiatives.
  • Initiate the implementation of an identified action plan.
  • Set up a privacy organisation, which might consist of representatives of various functions along with their roles and responsibilities.
  • Data Protection Impact Assessment (DPIA).
  • Ongoing audits / assessments to ensure the organization is complying with the requirements.
  • Data protection risk register for the organization (internal and external impact).
  • Active involvement during the design and implementation phases, and responsibility for monitoring the end-to-end Consent Management process in line with data gathered from the customers.
  • Put processes and procedures in place to deal with data subject access requests and complaints.
  • To educate the controller or processors on the obligations under the data protection act.
  • Prepare an inventory of paper-based repositories / applications / data stores that house personal data.
  • Identify key paper repositories / applications / databases which are used to store / process personal data.
  • Identify whether these applications are directly capturing personal data from data principals, or if these are downstream applications (this information will be used to apply data privacy controls such as privacy notice, consent, etc.).
  • Review and monitor for any changes and ensure the inventory is up to date.
  • Identify the ecosystem of data processors which are currently being leveraged.
  • Identify all third parties, including service providers, who are storing or processing personal data on behalf of an organisation.
  • The data fiduciary will need to amend the third-party agreements / contracts with respect to their obligations, connect with data processors, and communicate to them their upcoming responsibilities and obligations with respect to personal data which they are handling on the data fiduciary's behalf.
  • Design draft versions of documents based on the requirements of the DPDP Act and various advisories issued by regulator(s) related to Compliance and Legal (policies, processes / procedures, notice, consent, contractual clauses).
  • Prepare approved versions of documents such as the data privacy policy and supporting processes / procedures across the organization.
  • Update data classification, privacy policies and processes.
  • Prepare content around privacy notices and consent.
  • Define standard contractual clauses which are to be embedded in various agreements, such as data processing agreements with third parties, contractual vendors / service providers, etc.
  • Design data principal's rights mechanisms to uphold the rights provided as per the provisions of the Act.
  • Establish processes to address various rights which have been provided to data principals.
  • Prepare procedures to determine how requests from data principals shall be accepted, validated and responded to.
  • Determine tools that can be leveraged to facilitate data principal rights management.
  • Ensure a robust monitoring mechanism is in place.
  • Establish data breach notification and management mechanisms.
  • Establish processes for data privacy breach management, including notifications to stakeholders (data principals, data protection board).
  • Investigating and reporting data breaches procedures.
  • Act as SPOC for data subjects and regulatory authorities.
  • Define the data retention period for various categories of data.
  • Categorise different types of data in relation to the retention period based on the inventory gathered.
  • Assess business / operational / legal requirements for the category.
  • Determine the minimum necessary retention period for each category based on these requirements and also in line with the guidelines issued by RBI, SEBI and other applicable regulators.
  • Ensure a robust monitoring mechanism is in place.
  • Active involvement during the evaluation and implementation of data privacy technologies that can be leveraged for data protection, along with Business and IT stakeholders.
  • Determine the privacy technology solutions that can be leveraged to address specific privacy needs, e.g., automating data principal rights, conducting data protection impact assessments.
  • Assess and evaluate the measures provided by privacy technology solutions.
  • Assess the compatibility and scalability of privacy technology solutions with the existing IT infrastructure.
  • Seek consent from various Business and IT stakeholders; actively work with the IT team during the project implementation process.
  • Responsible for the Board of Directors governing Significant Data Fiduciary and act as a point of contact for the grievance redressal mechanism.
  • Advising on regulatory requirements / advisories.
  • Risk Control Self-Assessment (RCSA) in line with DPDPA.
  • Conduct communication and awareness programmes for various stakeholders.
  • Develop communications and awareness plans.
  • Design engaging communication and awareness material.
  • Launch awareness programmes.
  • Leverage multiple channels of communication.
  • Provide training and awareness sessions to different stakeholders.
  • Develop a dashboard for regular updates to Senior Management on the ongoing activities.
  • Submission of reports on data privacy laws to the Senior Management / Board.

Skills: gdpr, fip, cism, cipt, dashboard, dpdpa, rcsa, audit, cipp-e, cipp, databases, consent, spoc, cipm, information technology, privacy laws, third parties, data classification, cyber security, audits/assessments, privacy policies, third-party agreements, data destruction, privacy notice, iso 31000, privacy controls, dpdp act, privacy organisation, risk management, dpdpa 2023, information security, privacy measures, data entry, compliance officer, data protection, data privacy, iso 27001, prepare content, determine tools, risk control self-assessment, data privacy laws, data breach notification, data retention period, data protection act, deal with data, data processing agreements, privacy technology solutions, launch awareness programmes, data privacy policy, address various rights, data protection policies, data privacy technologies, certified information security auditor, general data protection regulation, data protection risk register, certified information privacy technologist, certified information security manager, managing data privacy programs, identify key paper repositories, data protection impact assessments, inventory of paper based repositories, assess and evaluate the measures, uk data protection act 2018, data protection impact assessment (dpia), identify the ecosystem of data processors, securities and exchange board of india, investigating and reporting data breaches procedures, digital personal data protection act 2023

foundit


Job Detail

  • Job Id
    JD3249673
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    Not mentioned
  • Employment Status
    Permanent
  • Job Location
    Mumbai, Maharashtra, India
  • Education
    Not mentioned
  • Experience
    Year