Deputy Head - Data Privacy & Protection - Emiratization

About the job Deputy Head - Data Privacy & Protection - Emiratization

Our client is a well-known large financial services organisation based in the UAE. They are looking to hire a seasoned Manager, Data Privacy & Protection, within their Information Security Group department.

The job holder will conduct privacy risk assessments focused on specific business activities, while at the same time helping business stakeholders conduct privacy impact assessments at the business-process level, and liaising with security professionals on application-focused data protection impact assessments.

The job holder will identify and propose the prioritization of privacy risk treatment for the organization, and work with the legal department to determine how to maintain and improve adherence to regulatory requirements and corporate policies.

The Manager, Data Privacy and Protection, will craft privacy training and awareness programs, and set up a personal data breach response plan in collaboration with the CISO.

Additionally, he/she will oversee the design, implementation and management of security measures that protect the company's data from unauthorized access, use, disclosure, disruption, modification and destruction, and that meet compliance requirements. They work closely with other technology professionals and Data & Analytics Engineers to ensure that data security is integrated into all aspects of the bank's IT infrastructure.

Key Result Areas

Data Privacy Governance

  • Maintain, develop and implement the company's privacy program and the resulting privacy policies, procedures and documentation for the processing of personal data in coordination with appropriate members of the organization (e.g., business process owners, legal, information security, the works council, risk management, and the ethics and compliance officers).
  • Devise and update policies and procedures for customers, employees and data breach response activities, ensuring alignment with the actual implementation of personal data processing activities.
  • Monitor continuous adherence to the privacy program's requirements.
  • Collaborate closely with the enterprise privacy council.
  • Work to ensure the organization maintains the appropriate privacy and confidentiality consent procedures, authorization forms, and information notices.
  • Establish and work with a multidisciplinary team, including audit and risk, compliance, HR, legal, business process owners, IT, security and other internal stakeholders to ensure enterprise wide coverage of the privacy discipline.
  • Work with procurement, vendor management and the legal department to ensure that third-party suppliers' contracts and operating-level agreements meet [international] privacy requirements.
  • Implement and maintain an internal reporting mechanism for intended (new or changed) personal data processing activities, to which business unit/process owners must adhere. Part of this mechanism will determine when and how to conduct the necessary impact assessment(s).
  • Notify data protection authorities of the organization's processing activities and/or obtain guidance where required.
  • Lead the enterprise's response to privacy-related emergencies and potentially damaging events.
  • Communicate with regulatory authorities and the public concerning privacy issues (for example, answering data subjects' questions and requests).

Privacy Impact Assessments

  • Determine the enterprise's specific privacy-related requirements and potential vulnerabilities.
  • Receive and manage internal reports from business stakeholders to maintain insight into all projects and innovation initiatives, including change management, so that privacy bottlenecks and gaps receive timely attention.
  • Develop, improve and manage the privacy impact assessment process, in close collaboration with business stakeholders.
  • Conduct regular privacy policy compliance assessments to ensure that the company's privacy policies are being adhered to.

Compliance Monitoring

  • Ensure that business units, technology teams and third parties (service providers) follow the privacy program; implement measurement procedures to verify the extent to which these stakeholders meet privacy policy requirements and address privacy concerns.
  • Collaborate with and assist business units and technology areas to develop corrective action plans for identified privacy compliance issues.
  • Continuously monitor the status and effectiveness of privacy controls across service offerings, ensuring that privacy-related key risk indicators are effectively monitored to prevent an unacceptable impact on business objectives and reputation. This includes strong collaboration with security and IT leaders to advocate and optimize the use of privacy-enhancing technologies by default where applicable.
  • Conduct frequent compliance monitoring and reporting on the level of privacy compliance of collaborating partners, third-party service providers and other data processors.
  • Report findings in a structured, transparent and business-relevant manner to the members of the Board, allowing the business to decide on and instruct adequate and appropriate mitigating measures.

Personal Data Inventory and Usage

  • Support the creation of an inventory that documents how and why the organization collects, shares and uses personal data.
  • Build processes to continuously update and reevaluate the extent to which customer and employee information is collected and shared internally and externally.
  • Offer strategic advice to other stakeholders such as the CIO on cross-border data transfer matters for personal data.
  • Maintain the company's registry of all personal data stores and processing activities.
  • Strengthen alignment between privacy and data-centric stakeholders by helping them refine and operationalize the retention program, using output from privacy management activities (e.g. PIAs) to facilitate deletion or anonymization of personal data that is no longer needed for its identified purpose(s), in accordance with applicable requirements.

Information Technology

  • Serve as the internal advisor to the CIO and CISO to interpret privacy-policy-related questions.
  • Ensure that data security practices, in particular logging, monitoring and auditing, do not conflict with privacy requirements.
  • Work closely with the technology service teams to anticipate potential privacy problems embedded in the use of emerging technologies.
  • Liaise with the CISO in matters relating to data breaches (including preparedness, prevention, impact mitigation and integral management of breaches).
  • Work to integrate controls within specific HR and CRM business and IT processes.

Data Protection

  • Design and implement security architectures and solutions to protect data at rest, in transit, and in use.
  • Secure and harden database configurations to minimize security vulnerabilities, ensuring compliance with industry standards.
  • Mitigate data risks by configuring and maintaining data security controls such as data encryption, data masking and tokenization.
  • Collaborate with cybersecurity specialists such as penetration testers and detection engineers to conduct vulnerability scans and penetration testing to identify and remediate security weaknesses.
  • Implement solutions to enforce data security policies and procedures.
  • Monitor and analyse security logs and events.
  • Investigate attempted breaches of data security and rectify the security weaknesses involved.

General

  • Maintain a GRC roadmap and present progress bi-monthly to the Head of IS GRC.
  • Demonstrate adoption of ISG vision, mission, key principles, cultural and operational objectives. Support actively key ISG transverse initiatives.
  • Manage the main GRC Run The Bank and Change The Bank agenda to deliver quality results on time and within budget. Escalate in advance any alert, risk, critical dependency or issue that arises, with options for its management, to ensure proactive handling and no surprises.
  • Ensure preparation, execution and follow-up of regulatory examinations, audits and assessments. Those reviews shall not result in any critical or high-risk issue for ISG or for ISG GRC.
  • Ensure closure of all legal, regulatory and audit issues with the expected level of quality, on time and within budget.

Knowledge, Skills and Experience

  • A mid-to-senior-level officer with sound knowledge and 10 years of expertise in information security risk management, including 3 years of experience managing enterprise projects and of direct and indirect relationships with senior and executive management.
  • Strong experience and knowledge across the Information Security and Cyber Security domains, including governance, policies and procedures, compliance management, risk management and security incident response.
  • Strong experience in a banking environment, with a strong understanding of key security frameworks such as the ISO 27000 family (ISO 27001 etc.), the NIST SP 800 series, PCI-DSS, SWIFT CSP and COBIT.
  • Strong interpersonal, analytical and technical skills, with strong decision-making and prioritization skills.
  • Sound knowledge of evolving advanced technology stacks and the related control and risk universe.
  • Sound knowledge of and expertise in conducting risk assessments.
  • Over 10 years of rich experience in the information security domain, with at least 2-3 years of dedicated experience in at least one of the GRC domains (Policy, Governance and Culture; Cyber Strategy & Program Management; Risk and Compliance).
  • Master's degree in IT/Information Security.
  • Professional certifications such as CISA, CISSP, PCI-QSA or SABSA.