Standard / Permanent
HK-Hong Kong (HK)
The BNP Paribas Personal Data Protection framework, defined to respond to new data protection legislation including the General Data Protection Regulation (GDPR), relies on the accountability of teams within the Group in their processing of Personal Data (customers, employees, UBOs, representatives of corporates and vendors, etc.).
The 1st Line of Defence (Business, Operations, IT and APAC CDO) has the responsibility to embed data protection regulations and Group policies and guidelines in the internal organisation and processes within its perimeter (e.g. privacy by design, PIA, security measures, etc.).
The DPO is positioned in the 2nd Line of Defence (within the RISK function) and will constitute his/her DPO office for the scope outlined under his/her responsibility. The DPO must supervise compliance with data protection regulations and Group policies and guidelines, ensure second-level controls and give the necessary guidance to support the 1st Line of Defence.
In order to ensure consistency with the Group's management structure, an APAC DPO will be appointed. The APAC DPO will be in the reporting line of the Head of Operational Risk and Control (2nd Line of Defence), interface with the APAC CDO and will have a functional reporting line to the Group DPO.
For their territories' scope of responsibility, the DPO will be supported by Data Protection Correspondents (DPC) positioned in key APAC countries.
A DPO will be appointed on a full-time basis with the following key direct responsibilities within their scope:
1. Communication with external stakeholders, Data Protection Authorities and data subjects
· Act as the key point of contact and cooperate with relevant Data Protection Authorities (DPA) on issues relating to personal data processing;
· Act as a point of contact for data subjects with regard to significant issues
2. Matters related to organisation and framework related to personal data protection within his / her scope:
A. Define general policies and guidelines on personal data protection and ensure their consistency with the relevant Group policies and guidelines.
B. Contribute to the monitoring of the regulatory landscape on APAC data protection regulations and the relevant communication performed by LEGAL.
C. Participate in, and establish as necessary data protection committees at different levels (e.g. ICC, Personal Data Protection and Privacy Committee, etc.)
D. Oversee and supervise the overall personal data protection framework on the following topics:
· Review and advise on implementation of policies and guidelines on Personal Data Protection and monitor consistency in their implementation (consent collection process, cross-border transfers, management of retention or personal data obsolescence, etc.)
· Review and advise on implementation of Privacy by design principles from the design stage and during the life-cycle into all projects, products, services, activities, processes and systems
· Provide advice on Privacy Impact Assessment (PIA) (e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate any risks to the rights and interests of individuals) and monitor that PIAs are performed correctly
· Review and advise on implementation of Personal Data Security principles and management of personal data breaches
- Monitor the implementation of Group security strategy in line with Personal Data Protection regulatory requirements
- Contribute to risk evaluation in case a personal data breach occurs to ensure in a timely manner:
- Appropriate safeguards (technical and organizational) are set-up to mitigate any risks to the rights and interests of the data subjects
- Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. management, Data Protection Authorities, data subjects)
- Oversee the Reporting of personal data breaches to the DPA
· Oversee the Records of processing activities (“Register”)
- Review and advise on rules regarding record of processing activities
- Monitor that the record of processing activities (“Register”) is kept up to date, filed under the responsibility of the controller / processor, in line with defined rules and make it available upon Data Protection Authorities request
· Build and implement an awareness program
- Contribute to the promotion of a data protection culture
- Ensure that the training provided to employees involved in processing activities is sufficient and refreshed on a periodic basis to maintain data protection awareness
E. Define and operate the second level controls and independent testing on personal data protection framework in order to monitor compliance with personal data protection legislation and internal policies and guidelines:
· Define and perform risk-based second level of controls on processes related to personal data protection.
· Assess effectiveness of the 1st Line of Defence (business and IT) controls on Personal Data Protection based on Generic Control Plans defined by the Group
This will involve 2LoD controls testing against Local and Group Data Protection requirements for: personal data processed across the organisation; high-risk activities; new products and activities which involve personal data; and testing of IT systems in addition to testing of business operations
· Provide independent reporting and alert on critical points to senior management
F. As APAC DPO, the following key direct responsibilities are also included:
· Coordinate overall communication with Data Protection Authorities for all Countries present in the APAC Territory
· Provide independent reporting and alert on critical points to corresponding CROs and Heads of country
· Coordinate the network of DPC and DPOs within his / her scope
· Define and chair country Personal Data Protection and Privacy Committees
The DPO will be bound by secrecy or confidentiality concerning the performance of his/her tasks, in accordance with applicable laws.
Technical & Behavioral Competencies
- 10+ years' experience with significant knowledge and experience in Data Protection/Privacy and the banking sector
- Expert knowledge of the APAC data protection legislation (At least one of the following countries as well as ability and interest to get familiar with the rest: Australia, New Zealand, China, Hong Kong, India, Indonesia, Japan, Malaysia, Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam)
- Knowledge of internal organisation and processes
- Understanding of data processing operations, including business applications and data use
- Experience in interacting with regulators
- Experience in transversal management and working
- Experience in project management and change management
- Experience of advising on regulatory requirements, in particular the ability to explain in “plain English”
- Strong knowledge and interest in Information Technology, digital and new technologies and understanding of information security principles and controls
Behaviour and soft skills
Data Protection Officer should demonstrate:
- Independence, objectivity and integrity.
- Excellent writing and communication skills – allowing him/her to act as a communicator across the bank
- Ability to lead, engage and work transversally
- Ability to manage and develop teams’ knowledge on data protection and privacy
- Fluent in English (mandatory) and in the national language of the country where the DPO operates
- A high level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role, in order to be a successful Data Protection Officer
- Be a role model, supporting and fostering a culture of good conduct
- Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
- Consider the implications of your actions on colleagues, partners and clients before making decisions.
- Take responsibility for your team’s conduct and conduct risks.
A qualification in Data Privacy is highly appreciated. He/she will be required to enrich his/her competencies with additional professional qualifications relevant to Data Protection, such as:
- IAPP Certified Information Privacy Professional/Asia (CIPP/A) and Europe (CIPP/E)
- IAPP Certified Information Privacy Manager (CIPM) or Certified Information Privacy Technologist (CIPT)
- Fellow of Information Privacy (FIP)
- or equivalent data privacy qualification