Data Privacy Officer at Equity Bank Kenya

ROLE PURPOSE

The ideal candidate will be an expert in global data protection laws and will be responsible for ensuring the organization processes personal data in a compliant and ethical manner. A key challenge will be to create a framework that enables lawful data sharing across our various business licenses and jurisdictions to create a seamless customer onboarding experience ("One Customer View") while upholding the highest standards of data privacy and security. 

KEY RESPONSIBILITIES

Strategy and Governance

• Develop, implement, and maintain the EBKL’s data protection strategy, policies, standards, and procedures.
• Establish a Bank-wide data governance framework, creating a central authority for all data protection matters.
• Serve as the primary point of contact for data protection authorities and other regulators on data. 
• Advise the Board and senior management on data protection and privacy matters, ensuring they are informed of their obligations, risks, and the strategic implications of regulatory changes.
• Oversee the creation and maintenance of a comprehensive data inventory and data flow maps for all personal data processed by EBKL and its third-party ecosystem.

Compliance and Risk Management

• Monitor compliance with all relevant data protection laws (e.g., GDPR, Kenya Data Protection Act, etc.) and internal policies.
• Conduct and oversee Data Protection Impact Assessments (DPIAs) for new products, systems, and business processes, especially those involving data sharing across licenses (e.g., sharing bank KYC data with the insurance arm).
• Develop and manage a comprehensive record of all data processing activities (ROPA).
• Establish a framework for managing and responding to data subject requests (e.g., access, rectification, erasure) in a timely and compliant manner. 
• Act as the primary point of contact for all data protection authorities and regulators on data matters.
• Ensure all necessary registrations and notifications are made to the relevant data protection authorities.
• Oversee the management and review of data subject rights requests (e.g., access, rectification, erasure) to ensure they are handled efficiently and in compliance with the law.
• Identify, assess, and mitigate data protection risks across EBKL, and its third-party ecosystem.
• Ensure that third-party contracts and data sharing agreements have adequate data protection clauses and that due diligence is performed on all partners handling personal data.

Data Sharing Enablement

• Design and implement legal and technical mechanisms to facilitate lawful and secure data sharing between EBKL and its stakeholders including third parties, stakeholders and related entities.
• Review the Intra-Group Data Sharing Agreements that clearly define the purpose, legal basis, and safeguards for sharing customer data to reduce onboarding friction.
• Advise the business on data anonymization, pseudonymization, and other privacy-enhancing techniques to minimize risk while achieving business objectives.

 Incident Management

• Develop and manage EBKL data breach incident response plan.
• Lead the investigation, mitigation, and reporting of any data breaches or privacy incidents in collaboration with IT security and legal teams.
•  Develop and implement a data breach response plan and lead the investigation and reporting of any personal data breaches.

Training and Awareness

•  Develop and roll out a mandatory data protection training program for all employees and contractors across the Bank.
• Promote a culture of "privacy by design" and data protection awareness throughout the organization.
• Provide expert advice and guidance to business units (Banking, Insurance, Mobile Payments, Foundation) on data protection best practices for their specific operations.
• Work closely with IT and Information Security teams to ensure that appropriate technical and organizational measures are in place to protect personal data.
• Establish metrics and reporting mechanisms to monitor the effectiveness of the data protection program and report on compliance to senior management and the Board.
• Partner with Group and other stakeholders in the engagement with regulators on draft regulations, providing insightful input to shape a practical and effective data protection framework.

Qualifications

Academic Qualifications And Experience

• Bachelor's degree in Law, Information Technology, or a related field. A Master's degree is a plus.
• Professional certification in data protection and privacy (e.g., CIPP/E, CIPT, CIPM, FIP) is required.
•  Minimum of 8-10 years of experience in a senior data protection role, preferably within a multi-jurisdictional financial services or technology organization.
• Expert knowledge of major global data protection regulations (especially GDPR and African data protection laws) and their practical application.
• Demonstrated experience in developing and implementing enterprise-wide privacy frameworks.
• Strong understanding of IT security controls and privacy-enhancing technologies.

Key Competencies & Skills

• Expert Knowledge: In-depth knowledge of international data protection principles and regulations (e.g., GDPR) and specific knowledge of key African data protection laws.
• Demonstrated experience in developing and implementing enterprise-wide privacy frameworks.
• Strategic Thinking: Ability to develop and execute a long-term vision for data protection that aligns with the business Strategic objectives.
• Leadership & Influence: Strong leadership skills with the ability to influence and build consensus among senior executives, business leaders, and external stakeholders.
• Communication: Exceptional communication and interpersonal skills, with the ability to articulate complex legal and technical concepts to a non-expert audience.
• Stakeholder Management: Proven ability to build and maintain strong relationships with internal stakeholders, regulators, and industry bodies.
• Analytical & Problem-Solving Skills: Strong analytical skills to assess risks, interpret regulations, and develop pragmatic solutions.
• Integrity & Professionalism: High level of integrity and professional ethics.