12 days ago

Data Privacy Officer

Kotak Life

On Site
Full Time
₹0
Mumbai, Maharashtra, India

Job Overview

Job Title: Data Privacy Officer
Job Type: Full Time
Offered Salary: ₹0
Location: Mumbai, Maharashtra, India

Job Description

Role Objective

Set up the privacy framework for Kotak Life. Serve as the single point of contact within the organization for staff members, regulators, and relevant public authorities on issues related to data protection. Ensure that company policies follow codes of practice such as DPDPA. Evaluate the existing data protection framework to identify areas of no or partial compliance, and rectify any issues. Devise training plans and provide data protection advice to stakeholders. Inform and advise external and internal stakeholders on all matters related to data protection. Promote a culture of data protection and compliance across all units of Kotak Life.

Roles and Responsibilities

Privacy Governance

  • Periodic reporting on risks, compliance, and related activities with regard to personal data processing within the Bank.
  • Ensure all policies and procedures are in line with applicable law.
  • Design, develop, and document policies and procedures.
  • Test applicability of data privacy laws and regulations (and industry standards).
  • Provide advice on processing personal data in a lawful and legally compliant manner.
  • Define data privacy strategy and drive a balance of innovation, compliance, and ethical use of personal data.
  • Define and track Key Performance Indicators (KPIs) for the privacy function.

Privacy Operations

  • Be responsible for responding to all issues related to the processing of personal data of the Data Principal.
  • Will be responsible for facilitating the exercise of Data Principal rights to ensure timely response to requests.
  • Ensure and track responses to Data Principal Requests within the specified period as per applicable law.
  • Oversee day-to-day operations of responding to Data Principal Requests.
  • Be the point of contact for the grievance redressal mechanism under the provisions of the regulations.
  • Will be responsible for ensuring that detailed Records of Processing Activities (RoPA) across all processes are updated and reflect the latest changes (if any) in the said process flow.
  • Assist business in creating RoPA for all products and Business Functions.
  • Responsible for establishing a process to define a consent management framework for the Company, through which a centralized tracking of consent lifecycle (collection, storage, modification, and revocation) is maintained in an auditable manner.
  • Responsible for introducing tools and technologies to implement a consent management framework for adequately managing consent capturing and withdrawal.
  • Create and increase awareness amongst employees, vendors, and other applicable stakeholders processing personal information.
  • Responsible for reporting data breaches and thefts to the supervisory authority and notifying the Data Principal about the breach as per defined timelines.
  • Actively manage data privacy incidents and breaches to help mitigate and contain harm suffered by data principals due to the said breach.

Privacy Risk Management

  • Keep abreast of the status and direction of privacy issues within the global banking industry in general and amongst Indian banks.
  • Co-ordinate with internal and external auditing groups to assess the effectiveness of the privacy program.
  • Track Key Risk Indicators (KRIs) for the privacy function.
  • Responsible for establishing and reviewing privacy metrics, as appropriate.
  • Responsible for establishing and implementing the Data Privacy Impact Assessment (DPIA) process in the Company.
  • Actively manage identified privacy risks.
  • Oversee day-to-day operations for conducting DPIAs.
  • Advise/consult and/or undertake assessments to determine the effectiveness of privacy controls implemented with third-party service providers/partners/vendors with access to the Company’s personal data.
  • Responsible for establishing and implementing the Privacy by Design process, which shall include assessments to identify privacy risks at the design level of application/process development.
  • The DPO shall ensure identified risks are remediated before the implementation/deployment of the said change.

Internal Relations

All internal departments

External Relations

External Auditors, Third Party Audit SPOCs, Regulators, Data Protection Board

Educational Qualifications

  • Post-Graduate in Information Security, Computer Science, IT, Law or Privacy domain.
  • Expertise in data protection laws and practices, including a deep understanding of GDPR and DPDPA.
  • Experience in a legal, audit, or risk management role.
  • Shall have strong experience in related disciplines such as information governance, incident response, risk management, etc.
  • Shall have knowledge of the company’s business sector, data processing needs, information technologies, and data security.
  • Shall have the ability to promote a data protection culture within the company.
  • Strong project management skills.
  • Ability to work effectively under pressure and to manage sensitive and confidential information.
  • Excellent verbal and written communication skills, with strong attention to detail.

Certifications preferred

  • IAPP certifications, namely CIPP/E, CIPP/US, CIPM.
  • Any DPO certifications.

Key skills/competency

  • Data Privacy
  • GDPR
  • DPDPA
  • Privacy Governance
  • Privacy Operations
  • Risk Management
  • Information Security
  • Compliance
  • Data Protection Laws
  • Consent Management


How to Get Hired at Kotak Life

  • Tailor your resume: Highlight experience with GDPR, DPDPA, and privacy governance.
  • Showcase expertise: Emphasize your legal, audit, or risk management background.
  • Demonstrate leadership: Detail your project management and cross-functional collaboration skills.
  • Prepare for interviews: Be ready to discuss data breach scenarios and DPIA processes.
  • Highlight certifications: Mention IAPP certifications like CIPP/E, CIPP/US, or CIPM.
