Data Privacy and Protection Specialist - Sandton, Johannesburg at FirstRand Group

Purpose

• To ensure the lawful processing of personal information in accordance with data privacy, protection legislation and regulations that applies to FirstRand, including information management best practices that aim to provide an independent privacy compliance advisory, risk assessment and monitoring service to FirstRand segments and business units  

Experience and Qualifications

• Minimum Qualification -  Bachelors Degree in Law, Risk Management, Information Management, Computer Science or Auditing
• Preferred Qualification -  Bachelors Degree in Law, Risk Management, Information Management, Computer Science or Auditing with CIPM and/or CIPP/E certifications
• Experience -  International Association of Privacy Professionals
• Additional Knowledge  - Strong knowledge of data privacy and protection laws, regulations, and best practices (includes the Protection of Personal Information Act and the General Data Protection Regulation)
• Strong knowledge of the data privacy and protection control environment (i.e., controls that are required to ensure compliance to data privacy and protection laws and regulations) across privacy themes such as: third party/supplier privacy risk management, data privacy governance, embedding data privacy into business operations, privacy notices, processes and procedures relating to data subject rights, information security risk management and privacy incident/data breach management
• Knowledge of compliance risk identification and assessment methodologies and processes
• Experience in working with functional areas such as Information Security; Information Governance; Internal Audit and Compliance
• Experience in privacy policy and framework development, including privacy risk identification, assessment, and reporting
• Experience in providing thought leadership as it pertains to data privacy and protection
• Experience in collaborating with industry bodies and engaging with Regulators
• Experience in the development and rollout of data privacy and protection training and awareness interventions

Responsibilities

• Identify and aggregate the privacy risk profile for FirstRand through the identification of underlying data privacy and protection risks and issues
• Participate in planned activities that are appropriate for own development
• Develop, encourage and nurture collaborative relationships across area of specialisation
• Display and encourage an appreciation of teamwork and inclusivity
• Compile reports that track progress and guide business to make informed decisions
• Ensure development and continuous value add improvement to operational processes
• Manages risks in own area of responsibility
• Build working relationships across teams and functional lines to enhance work delivery, collaboration and innovation
• Deliver customer experience excellence in own service delivery aligned to Organisational values and service standards
• Provide input into the budget and manage and report on budget usage that reflects delivery of planned work within agreed parameters
• Maintain and manage the existing privacy general awareness training interventions for FirstRand
• Support the establishment of the Data Privacy and Protection Centre of Expertise or Excellence to deliver on its mandate and service areas by providing subject matter expertise services
• Support the identification and rollout of targeted privacy training and awareness in the various FirstRand segments where required
• Assist in establishing learning and development opportunities for the privacy compliance SMEs (subject matter) expertise in the Data Privacy and Protection Centre of Excellence (CoE)
• Support the establishment of the Data Privacy and Protection Centre of Excellence (CoE) including the advisory capability through its deployed privacy compliance SME structure, mapped business processes, documented decision matrices and the CoE engagement manual
• Lead and support Regulator engagement and participate in industry engagements on various data privacy matters by providing the necessary leadership and support on various data privacy matters involving the Regulator, including but not limited to privacy incident/breaches, responding to privacy complaints and drafting submissions on emerging privacy laws and regulations
• Collaborate with industry bodies on various data privacy matters, which includes but is not limited to developing privacy codes of conduct and industry submissions on draft data privacy and protection laws and regulations
• Provide a privacy compliance advisory service (concerning various data privacy and protection laws and regulations that applies to FirstRand) and engages with the relevant segments and business units in conjunction with their respective Data Privacy Officer/s and privacy compliance SME/s
• Advise on and interpret the privacy compliance and control requirements emanating from data privacy and protection laws (e.g., the Protection of Personal Information Act, the General Data Protection Regulation) necessary for the lawful processing of personal information
• Research local and global trends pertaining to data privacy and protection, identifying best practices and precedence relating to enforcement activities
• Demonstrate thought leadership as it pertains to data privacy and protection risk and ensure that the risk exposure in this regard is understood
• Support the FirstRand privacy governance, reporting processes and governance structures, including the FirstRand Data Privacy and Protection Committee.
• Support the review of the data privacy and protection control environment by Group Internal Audit and Compliance Monitoring functions
• Develop, review and/or amend the FirstRand Privacy Framework, Policies, Minimum Standards, Tools and Guidance Notes setting out the minimum compliance requirements across data privacy themes which includes but is not limited to: third party/supplier privacy risk management; data privacy governance; embedding data privacy into business operations (includes privacy-by-design; personal information retention and deletion; and legitimate interest assessments); privacy notices; processes and procedures relating to data subject rights, including the Promotion of Access to Information Act (PAIA) Manual; information security risk management; and privacy incident/data breach management