In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 18,000 employees* and a presence in 13 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.
Worldwide, BNP Paribas has a presence in 68 markets with more than 193,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.  

* excluding partnerships

At BNP Paribas, we passionately embrace diversity and are committed to fostering an inclusive workplace where all employees are valued, respected and can bring their authentic selves to work. We prohibit Discrimination and Harassment of any kind and our policies promote equal employment opportunity for all employees and applicants, irrespective of, but not limited to their gender, gender identity, sex, sexual orientation, ethnicity, race, colour, national origin, age, religion, social status, mental or physical disabilities, veteran status etc. As a global Bank, we truly believe that inclusion and diversity of our teams is key to our success in serving our clients and the communities we operate in. 

BNP Paribas Group Overview
BNP Paribas Group has a presence in 75 countries with more than 185,000 employees, including 17,000 in Asia Pacific. It ranks highly in its two core activities: Retail Banking & Services and Corporate & Institutional Banking.

At BNP Paribas Group, we work continuously on behalf of our clients, helping them to realize their projects around the world. You can be an important part of this, helping us to serve our clients both in mature and emerging markets, providing them with financial solutions across a diverse range of expertise, products and services.

Strong risk management, combined with the stability that comes from being part of one of the largest banking groups in the world, underpin our success. Joining us, you’ll become an integral part of a dynamic team that spans nationalities, cultures and backgrounds, drawing together people from around the globe and reflecting our commitment to international placements.

DPO positioning
BNP Paribas' Personal Data Protection framework, defined to respond to the new data protection legislation, including the General Data Protection Regulation (GDPR), relies on the accountability of teams within the Group in their processing of Personal Data (customers, employees, UBOs, representatives of corporates and vendors, etc.).

The 1st Line of Defence (Business, Operations, IT and APAC CDO) has the responsibility to embed data protection regulations and Group policies and guidelines in the internal organisation and processes within its perimeter (e.g. privacy by design, PIA, security measures, etc.).

The DPO is positioned in the 2nd line of Defence (within RISK function), and will constitute his/her DPO office for the scope outlined under his/her responsibility. The DPO must supervise the compliance with data protection regulations and Group policies and guidelines, ensure second level controls and give the necessary guidance to support the 1st Line of Defence.

In order to ensure consistency with the Group's management structure, an APAC DPO will be appointed. The APAC DPO will be in the reporting line of the Head of Operational Risk and Control (2nd line of defence), will interface with the APAC CDO and will have a functional reporting line to the Group DPO.

For their territories’ scope of responsibility, the DPO will be supported by Data Protection Correspondents (DPC) positioned in key APAC countries.

Key direct responsibilities

A DPO will be appointed on a full-time basis with the following key direct responsibilities within their scope:

1.    Communication with external stakeholders, Data Protection Authorities and data subjects 
•    Act as the key point of contact and cooperate with relevant Data Protection Authorities (DPA) on issues relating to personal data processing; 
•    Act as a point of contact for data subjects with regards to significant issues 

2.    Matters related to organisation and framework related to personal data protection within his / her scope:

A.    Define general policies and guidelines on personal data protection and ensure their consistency with the relevant Group policies and guidelines.

B.    Contribute to the monitoring of the regulatory landscape on APAC data protection regulations and the relevant communication performed by LEGAL.

C.    Participate in, and establish as necessary, data protection committees at different levels (e.g. ICC, Personal Data Protection and Privacy Committee, etc.).

D.    Oversee and supervise the overall personal data protection framework on the following topics:
•    Review and advise on implementation of policies and guidelines on Personal Data Protection and monitor consistency in their implementation (consent collection process, cross-border transfers, management of retention or personal data obsolescence, etc.)

•    Review and advise on implementation of Privacy by design principles, from the design stage and throughout the life-cycle, in all projects, products, services, activities, processes and systems

•    Provide advice on Privacy Impact Assessment (PIA) (e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate any risks to the rights and interests of individuals) and monitor that PIAs are performed correctly 

•    Review and advise on implementation of Personal Data Security principles and management of personal data breaches
    •    Monitor the implementation of Group security strategy in line with Personal Data Protection regulatory requirements
    •    Contribute to risk evaluation in case a personal data breach occurs, to ensure in a timely manner that:
        •    Appropriate safeguards (technical and organizational) are set up to mitigate any risks to the rights and interests of the data subjects
        •    Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. management, Data Protection Authorities, data subjects)
    •    Oversee the reporting of personal data breaches to the DPA

•    Oversee the Records of processing activities (“Register”)
    •    Review and advise on rules regarding record of processing activities 
    •    Monitor that the record of processing activities (“Register”) is kept up to date, filed under the responsibility of the controller / processor in line with defined rules, and made available upon Data Protection Authorities' request

•    Build and implement an awareness program 
    •    Contribute to the promotion of a data protection culture 
    •    Ensure that training provided to the employees involved in processing activities is sufficient and refreshed on a periodic basis to maintain data protection awareness

E.    Define and operate the second level controls and independent testing on personal data protection framework in order to monitor compliance with personal data protection legislation and internal policies and guidelines:
•    Define and perform risk-based second level of controls on processes related to personal data protection. 
•    Assess effectiveness of the 1st Line of Defence (business and IT) controls on Personal Data Protection based on Generic Control Plans defined by the Group
This will involve 2LoD controls testing against Local and Group Data Protection requirements for: personal data processed across the organisation; high risk activities, new products and activities which involve personal data and testing of IT systems in addition to testing of business operations
•    Provide independent reporting and alert on critical points to senior management

F.  As APAC DPO, the following key direct responsibilities are also included: 
•    Coordinate overall communication with Data Protection Authorities for all countries present in the APAC Territory
•    Provide independent reporting and alert on critical points to corresponding CROs and Heads of country
•    Coordinate the network of DPC and DPOs within his / her scope
•    Define and chair country Personal Data Protection and Privacy Committees

Confidentiality obligation
The DPO will be bound by secrecy or confidentiality concerning the performance of his/her tasks, in accordance with applicable laws.

Required skills and experience

•    10+ years’ experience with significant knowledge and experience in Data Protection/Privacy and the banking sector
•    Expert knowledge of the APAC data protection legislation (At least one of the following countries as well as ability and interest to get familiar with the rest: Australia, New Zealand, China, Hong Kong, India, Indonesia, Japan, Malaysia, Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam)
•    Knowledge of internal organisation and processes
•    Understanding of data processing operations, including business applications and data use 
•    Experience in interacting with regulators
•    Experience in transversal management and working
•    Experience in project management and change management
•    Experience of advising on regulatory requirements, in particular the ability to explain in “plain English”
•    Strong knowledge and interest in Information Technology, digital and new technologies and understanding of information security principles and controls 

Behaviour and soft skills
The Data Protection Officer should demonstrate:
•    Independence, objectivity and integrity.
•    Excellent writing and communication skills – allowing him/her to act as a communicator across the bank
•    Ability to lead, engage and work transversally
•    Ability to manage and develop teams’ knowledge on data protection and privacy
•    Fluent in English (mandatory), national language (language of the country where DPO exercises)
•    Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in order to be a successful Data Protection Officer 

•    Be a role model, supporting and fostering a culture of good conduct
•    Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
•    Consider the implications of your actions on colleagues, partners and clients before making decisions.
•    Take responsibility for your team’s conduct and conduct risks.

Qualification on Data Privacy is highly appreciated. He/she will be required to enrich his/her competencies with additional professional qualifications relevant to Data Protection, such as:
•    IAPP Information Privacy Professional/Asia (CIPP/A) and Europe (CIPP/E) 
•    IAPP Certified Information Privacy Manager (CIPM) or Certified Information Privacy Technologist (CIPP/IT)
•    Fellow of Information Privacy (FIP) 
•    or equivalent data privacy qualification


Primary Location: HK-Hong Kong (HK)-Hong Kong
Job Type: Standard / Permanent
Education Level: Bachelor Degree or equivalent (>= 3 years)
Experience Level: At least 10 years
