Data Protection Officer

JOB PURPOSE:

Under the general supervision of the Chief Executive Office, the Data Protection Officer (DPO) is required to monitor, in an independent manner, the Agency’s compliance with the Data Protection Act (the Act) and provide direction for the Agency’s Enterprise risk management portfolio. The DPO ensures that the Agency processes data in accordance with the Data Protection Standards and general good practice. The DPO will assist the Agency in developing its data protection policies and procedures and act as a liaison between the Office of the Information Commissioner. The Data Protection Officer is responsible for assisting data subjects in the exercise of their rights under the Act as well as to develop and maintain a culture of compliance awareness and risk-mitigation in adherence to policies, procedures and practices. 

Both legal knowledge and technical fluency are highly desired as this role will work closely with staff across all areas of the portfolio. In addition, the scope of this position may be adjusted (in consultation with the postholder) to ensure it is aligned with the prescribed statutory regime and guidance provided by technical experts or the Office of the Information Commissioner. 

KEY RESPONSIBILITY AREAS

Technical/Professional 

• • Receives and processes requests from Data Subjects pursuant to the Act and maintains a register of all such requests. 
• • Consults with the OIC to resolve any doubt about how the provisions of the Act and any regulations made under it are to be applied. Gives advice and recommendations to the Forestry Department about the interpretation or application of the 
• • Cooperates with the OIC (responding to requests about investigations, complaint handling, inspections conducted by the OIC and any other relevant matter as required by law.
• • Performs or oversees initial and periodic privacy impact assessment, risk analyses, mitigation and remediation.
• • Develop and implement standard operating procedures for reporting contraventions of the Act to the CEO, reasonable timelines for resolution and clear protocols for reporting unresolved matters to the Office of the Information Commissioner where necessary. 
• • Review existing policies and procedures and provide recommendations to ensure that they are aligned with the Act. 
• • Consult with administrative personnel, branch heads and divisional heads regarding data processing activities. 
• • Develop training and sensitization materials to ensure that staff are familiar with relevant policies and procedures and their obligations under the Act to foster a data privacy culture.
• • Provides guidance to the Agency in the development and implementation of its data incident response and data breach notification procedures. 
• • Provide strategic, legal and regulatory guidance to Senior Management and other staff on privacy and data protection issues. 
• • Plans and executes audits of data processing activities to ensure compliance with the Act.
• • Stays abreast of local data protection and privacy laws, international developments and best practices. 
• • Participates in meetings, seminars, workshops and conferences as required.
• • Performs any other related duties that may be assigned from time to time.
• • Facilitates the implementation of all aspects of the risk function; including implementation of processes, tools and systems to identify; assess, measure, manage, monitor and report risks;
• • Assists in the development of and management of processes to identify and evaluate business areas’ risks and risk control self-assessment; 
• • Contributes to the process for of developing risk policies and procedures, risk tolerances and approval authority; 
• • Performs analyses of the organisation’s risks and risk events to identify concentration and trends. Works with Senior Director, Strategic and Corporate Planning to identify gaps and mitigation options; 
• • Establishes and maintains collaborative partnerships with external stakeholders, Risk Management Committee and risk management process participants and supports their risk and risk event management initiatives; 
• • Ensures appropriate risk response strategies (mitigation plans) are designed
• • Monitors major and critical risk issues. 
• • Communicates with risks owners; 
• • Maintains knowledge of ERM and technology industry trends, and ensures the organisation’s ERM programme meets expectations; 
• • Researches, proposes and enhances effective risk methods informed by best practice;

REQUIRED COMPETENCIES:

• • Excellent customer and quality focus 
• • Excellent oral and written communication skills 
• • Proficiency in the use of computer applications 
• • Good judgement and decision-making skills 
• • Excellent analytical and problem-solving skills 
• • Knowledge and understanding of the Data Protection Act 
• • Experience in managing data incidences and breaches 
• • Knowledge of cybersecurity risks and information security standards 
• • Knowledge of modern business practices and office practices 
• • Understanding of research methods and techniques 
• • Effective planning and organization skills 

MINIMUM REQUIRED EDUCATION AND EXPERIENCE

• • Bachelor of Science in Business Management, Project Management, Law Compliance, IT Security, Audit or similar background. 
• • Minimum three (3) years’ experience in business management, law, audit and/or risk management, compliance, or equivalent experience. 
• • Demonstrable experience and sound knowledge of the Data Protection Act and other applicable data protection policies e.g. General Data Protection Regulation.
• • Experience or specialized training in records and information management systems.
• • At least one Data Protection and/or Privacy certification such as, CIPP, CIPT, ISEB, etc., (preferred). 

WORKING ENVIRONMENT

• • Required to travel to meetings/workshops; 
• • Required to work beyond normal working hours in order to meet deadlines. 

AUTHORITY

The DPO has the authority to investigate and have immediate access to all personal data and data processing operations and to perform his/her duties independently. Specifically, the Data Protection Officer must: 

• • handle queries or complaints on request by the Agency, the controller, other persons, or on his/her initiative.
• • ensure that any other tasks or duties assigned to the DPO do not result in a conflict of interest with his/her role as a DPO. 

ACCOUNTABILITY

In your position of Data Protection Officer, you are accountable to your direct supervisor who has the authority to delegate duties and responsibilities to you in accordance with the policies and procedures of the Agency. 

We thank all persons who express an interest; however, only short-listed applicants will be contacted.