DPC positioning
BNPP Group Personal Data Protection framework, defined to respond to applicable privacy regulations throughout BNPP territories, relies on the accountability of teams within BNPP entities in their processing of Personal Data (customers, employees, UBOs, representatives of corporates, vendors, etc.).
The 1st Line of Defence (Business, IT and CDO) has the responsibility to embed data protection regulations and Group policies and guidelines in the internal organization and processes within its perimeter (e.g. privacy by design, PIA, security measures, etc.).
DPC is positioned in the 2nd Line of Defence (within the RISK function) and will report to the CIB Business Line DPO. The DPC must assist the CIB BL DPO in supervising compliance with data protection regulations and Group policies and guidelines, ensuring second level controls and giving the necessary guidance to support the 1st Line of Defence.
Within the scope of these missions, the DPC may have to travel from time to time to some CIB locations, or to attend conferences as part of the training and upskilling process.
Key direct responsibilities
A DPC will be appointed with the following key direct responsibilities within his / her scope:
Communication with external stakeholders, Data Protection Authorities and data subjects:
- Support the DPO by preparing the communication
- Participate in exchanges with the relevant DPA and cooperate with the DPA, based on DPO’s instructions.
Matters related to organization and framework related to personal data protection within his / her scope:
- Contribute to the monitoring of the regulatory landscape on data protection regulations and the relevant communication performed by LEGAL
- Participate in committees on / in relation to personal data protection at global / Business Line level, in cooperation with the 1st Line of Defence as well as the worldwide network of Territory DPOs
- Assist the BL DPO in overseeing and supervising the overall personal data protection framework on the following topics:
- Review and advise on implementation of Group policies and guidelines on Personal Data Protection and monitor consistency in their implementation (Consent collection process, cross border transfers, management of retention or personal data obsolescence)
- Review and advise on implementation of Privacy by design principles from the design stage and during the life-cycle of all projects, products, services, activities, processes and systems
- Provide advice on Privacy Impact Assessment (PIA) (e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate risks to the rights and interests of individuals) and monitor that PIAs are performed correctly
- Review and advise on implementation of Personal Data Security principles and management of personal data breaches.
- Contribute to the risk evaluation in case a personal data breach occurs, ensuring in a timely manner, and confirming, that:
- Appropriate safeguards (technical and organizational) are set up to mitigate any risks to the rights and interests of the data subjects
- Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. high management, Data Protection Authorities, data subjects)
- Oversee the reporting of personal data breaches to the DPA
- Oversee and monitor the Records of processing activities (“Register”)
- Support the build and implementation of an awareness program and contribute to the promotion of a data protection culture within his/her scope of responsibility
- Help the relevant DPO to assess the effectiveness of the LOD1 control framework and operate the second level controls of independent testing on the personal data protection framework, to make sure that compliance with personal data protection legislation and internal policies and guidelines is in place.
This will involve 2LoD controls testing against GDPR requirements for: personal data processed across the organization; high risk activities; new products and activities which involve personal data; and testing of IT systems in addition to testing of business operations.
- Prepare independent reporting and inform the DPO on critical points to be escalated to Senior Management
Confidentiality obligation
The DPC will be bound by secrecy or confidentiality concerning the performance of his/her tasks, in accordance with applicable laws.
Required skills and experience
Background
- 8 to 10 years' experience in Data Protection/Privacy/Digital law (banking sector experience is appreciated)
- Significant knowledge and experience in Data Protection Impact Assessment including TIA, LIA, LOA, understanding of personal data flow (data life cycle), business applications and data use
- GDPR analytical skills to check & challenge and seek evidence from 1LOD project stakeholders
- Experience in project management and change management
- Experience in transversal management and working
- Experience in interacting with regulators (will be a plus)
- Experience of managing compliance programs on regulatory requirements
- Strong knowledge and interest in Information Technology, digital and new technologies and understanding of information security controls and principles
Behavior and soft skills
- Independence, ability to self-lead, to question and seek answers
- Structured and synthetic writing skills to document a privacy risk opinion
- Self-organized, able to keep track of various topics and meetings; prepare meetings and write minutes
- Objectivity balancing documented pros & cons
- Integrity, ability to learn and listen
- Excellent communication skills – allowing him/her to act as a communicator across the bank, on behalf of the DPO
- Fluent in English (mandatory) and in the national language (the language of the country where the DPC works): Spanish
- Demonstrates a high level of commitment and self-motivation, combined with enthusiasm and a genuine interest, in order to be a successful DPC
Benefits
- Training programs, career plans and internal mobility opportunities, national and international thanks to our presence in different countries
- Diversity and Inclusion Committee that ensures an inclusive work environment. In recent years, several employee communities have been created to organize diversity and inclusion awareness actions (PRIDE, We Generations and MixCity)
- Corporate volunteering program (1 Million Hours 2 Help) in which employees can dedicate time out of their working hours to volunteer activities
- Flexible compensation plan
- Hybrid telecommuting model (50%).
- 31 vacation days