About BNP Paribas Group:
BNP Paribas is a top-ranking bank in Europe with an international profile. It operates in 71 countries and has almost 199 000 employees. The Group ranks highly in its three core areas of activity: Domestic Markets and International Financial Services (whose retail banking networks and financial services are grouped together under Retail Banking & Services) and Corporate & Institutional Banking, centred on corporate and institutional clients. The Group helps all of its clients (retail, associations, businesses, SMEs, large corporates and institutional) to implement their projects by providing them with services in financing, investment, savings and protection. In its Corporate & Institutional Banking and International Financial Services activities, BNP Paribas enjoys leading positions in Europe, a strong presence in the Americas and has a solid and fast-growing network in the Asia/Pacific region.
About BNP Paribas India Solutions:
Established in 2005, BNP Paribas India Solutions is a wholly owned subsidiary of BNP Paribas SA, a leading bank in Europe with an international reach. With delivery centers located in Bengaluru, Chennai and Mumbai, we are a 24x7 global delivery center. India Solutions services three business lines: Corporate and Institutional Banking, Investment Solutions and Retail Banking for BNP Paribas across the Group. Driving innovation and growth, we are harnessing the potential of over 6000 employees to provide support and develop best-in-class solutions.
Data Protection Officer
Business Line / Function: Chief Risk Officer
- Management and governance of data protection risk for the India legal entity and ensure regulatory and policy adherence as 2nd line of defence.
- Define and implement the controls and activities of the India DPO in order to supervise compliance with data protection regulations and Group policies and guidelines, and ensure second-level controls.
- Provide necessary advisory to support the 1st Line of Defence to fulfill the data protection requirements of the entity. Implementation, management and innovation of 2nd line of defence risk management within ISPL.
- Communication with external stakeholders, DPO and data subjects
- Act as the key point of contact and cooperate with relevant members of the DPO community on issues relating to personal data processing.
- Act as a point of contact for data subjects with regard to significant issues.
- Matters related to the organisation and framework for personal data protection within his / her scope:
- As directed by the DPO, implement general policies and guidelines on personal data protection and ensure their consistency with the relevant Group policies and guidelines.
- Contribute to the monitoring of the regulatory landscape on data protection regulations and the relevant communication performed by LEGAL.
- Contribute to, and establish as necessary, data protection committees at different levels (e.g. ICC, Personal Data Protection and Privacy Committee, etc.)
- As instructed by the DPO, implement the overall personal data protection framework on the following topics:
- Review and advise on implementation of policies and guidelines on Personal Data Protection and monitor consistency in their implementation (consent collection process, cross-border transfers, management of retention or personal data obsolescence, etc.)
- Review and advise on implementation of Privacy by design principles from the design stage and during the life-cycle into all projects, products, services, activities, processes and systems
- Provide advice on Privacy Impact Assessment (PIA) (e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate any risks to the rights and interests of individuals) and monitor that PIAs are performed correctly
- Review and advise on implementation of Personal Data Security principles and management of personal data breaches
- Monitor the implementation of Group security strategy in line with Personal Data Protection regulatory requirements
- Contribute to risk evaluation in case a personal data breach occurs to ensure in a timely manner:
- Appropriate safeguards (technical and organizational) are set-up to mitigate any risks to the rights and interests of the data subjects
- Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. management, Data Protection Authorities, data subjects)
- Oversee the reporting of personal data breaches to the DPA as per DPO
- Contribute to maintenance of the Records of processing activities (“Register”)
- Review and advise on rules regarding record of processing activities
- Monitor that the record of processing activities (“Register”) is kept up to date, filed under the responsibility of the controller / processor, in line with defined rules and make it available upon Data Protection Authorities request
- Build and implement an awareness program
- Contribute to the promotion of a data protection culture
- Ensure that the training provided to employees involved in processing activities is sufficient and refreshed on a periodic basis to maintain data protection awareness
E. Under DPO guidance, operate the second level controls and independent testing on personal data protection framework in order to monitor compliance with personal data protection legislation and internal policies and guidelines:
- Define and perform risk-based second level of controls on processes related to personal data protection.
- Assess effectiveness of the 1st Line of Defence (business and IT) controls on Personal Data Protection based on Generic Control Plans defined by the Group
This will involve 2LoD controls testing against Local and Group Data Protection requirements for: personal data processed across the organisation; high-risk activities, new products and activities which involve personal data; and testing of IT systems in addition to testing of business operations.
- Provide independent reporting and alert on critical points to senior management
F. As the , the following key direct responsibilities are also included:
- Coordinate overall communication with leadership from the DPO
- Provide independent reporting and alert on critical points to the APAC DPO and CRO
Governance & Oversight
- Contribute to the establishment of ISPL governance within the three lines of defence model in alignment with the Group Risk Management Framework
- Assist with establishing appropriate risk management governance committees, arrange agendas and chair meetings as appropriate
- Assist with establishing and oversight of the Operational Risk Management infrastructure and ensure practices are consistent with regulatory expectations and industry sound practices
Risk management environment
Business Resiliency & Continuity: Oversee and drive the business resiliency and continuity plans to ensure the ability of the Bank and ISPL to operate on an ongoing basis and limit losses in the event of severe business disruption. Coordinate with the first and third lines of defence to test these plans to ensure coverage and adequacy.
Technical & Behavioral Competencies
- Professional qualifications relevant to Data Protection (CIPP, CIPM etc.)
- Strong risk mindset with understanding of the applicable regulatory requirements in the financial services sector around Information Security Risks (Technology Risk, Business Continuity Risk, etc.). Experience in managing Enterprise Risk and the necessary controls.
- Experience in conducting Privacy Risk assessment process.
- Knowledge of regulatory requirements including Data Privacy Regulations like GDPR, India Data Privacy Law, SEBI and RBI privacy requirements, etc., with cross-border implications.
- Must be able to interface and coordinate work efficiently and effectively with business and technology partners. Good team player with strong stakeholder management, relationship building, influencing and facilitating skills.
- Good listening and analytical skills, including being able to come to a thoughtful and business-focused conclusion quickly.
- Ability to co-operate and work well with others adopting an approachable style.
Specific Qualifications (if required)
- Ability to analyze and adopt the global privacy and data protection trends and regulatory requirements.
- Understand the emerging technology trends and necessary security implications.
Behavioural Skills:
Ability to collaborate / Teamwork
Attention to detail / rigor
Transversal Skills:
Ability to manage a project
Ability to develop others & improve their skills
Ability to set up relevant performance indicators
Bachelor's Degree or equivalent
At least 12 years