Data Privacy Specialist at Absa Bank Limited

Job Summary

Work embedded as a member of squad OR; across multiple squads to produce, test, document and review algorithms & data specific source code that supports the deployment & optimisation of data retrieval, processing, storage and distribution for a business area.

Job Purpose

The job holder will be a member of Absa bank Kenya Information Risk Management & Data Privacy Team responsible for implementing the information risk and Data Privacy/Protection programs in Absa bank Kenya. The primary function of the role is to ensure information/Data is protected effectively and consistently with its criticality. Also ensuring that Audit, Regulatory and Governance requirements are realized in the Bank.

Main accountabilities

Work with the Absa Kenya IRM team to build an implementation method for the IRM & Data Privacy policies

• Based on the Group design, the method will become the model for implementation across  ARO, to ensure:
• Consistency of approach and interpretation where necessary
• Clear controls on exceptions where requested
• Businesses have clear communications channels for feedback and queries

Data Privacy Standards Implementation

• Consistent implementation of DP policy, data Standards and Procedures across the businesses.
• Maintain /Report Monthly Risk indicators
• Communications  to  emphasize the importance of Data Privacy
• Implement Absa operating framework for the management and control of  Data Privacy in BAU
• Training and awareness, materials, from general awareness to subject matter experts.
• Publication of guidance on data privacy best practice.
• Data Privacy program Implementation
• Breach escalation.
• Implement and tracking of Data Privacy Training
• Provide Data Protection champions.
• Compilation  and consolidation of Country DP risk profile
• Participating in new projects and products to check data privacy requirements
• Implementation of Logical  Access Management Requirements
• Ensure PIAs are completed for new implementations, changes, projects and new products
• Review PIAs submitted by projects and product teams
• Review of submitted Data Privacy Related Dispensations, waivers and breaches
• Review and maintain a tracker on Data Privacy Related Dispensations, waivers and breaches
• Track country DP requirements implementation in respect of:
• Privacy notices roll out
• Personal Data lifecycle management (collection/creation, use/reuse, processing, storage/archiving & destruction)
• Personal data transfers & Further processing of personal data
• Direct marketing customer consent management
• Privacy related complaints.
• Data/Information security & safeguards.
• Incident Management
• Implementation of completeness and validation controls in systems
• Implementation of required privacy controls within the system/processes/products in line with the PIAs prior to go-live
• Remediation of Data Quality issues/gaps affecting Data Privacy/Protection
• Implementation of approved Data Privacy Retention Schedule
• Execution of Data Subject processes

Records Management

• Monitor and report on Key Risk Indicators
• Guide the business in classification and categorization of records that contain personal Information
• Be a point of contact and give guidance to the business on Retention of Personal Information.
• Publication of guidance on privacy retention schedule

Data Leakage Protection

• Ensure the raised Data Leakage alerts that relates to Data Privacy are closed within SLA
• Give advice and guidance to other staff on how to secure and handle Personal Information

Controls & Risk Assessment                                      

• Carry out Data Privacy reviews in sampled business units
• Facilitate the remediation and closure of all the issues picked regarding information
• Provide the information to create a threat profile.
• Clear controls on exceptions where requested
•  Ensure the Businesses have clear communications channels for feedback and queries
• Publication of guidance on IRM best practice.

Issues and incident Management:

• Log and follow to closure the incidences reported within the business
• Report and escalate the incidences identified as per the DPIMS
• Maintain a data base of remediation issues identified and actions agreed, to ensure consistency of approach and common themes for reporting to ARO IRM team
• Identify remediation activity and agree action plans
• Consistency of approach and interpretation where necessary          
• Ensure the implementation of and the monitoring of the Data Privacy Incident Management Standard within the Business
• Develop an implementation schedule for Business Units where required

Third Party Management

• Perform due diligence on all new 3rd Parties to ensure a duty of care is provided for data and information assets. 
• Ensure risk is mitigated in accordance with policy and governance, and that regular reviews of risk are provided.
• Track Third party supplier obligations  compliance on Data Privacy
• Review third party contracts for inclusion of DP requirements/schedules.
• Assess possibility of processing without transfer of personal data
• Ensure required exceptions to Binding Corporate  Rules are considered and relevant BCR put in place
• Ensure embedment of Privacy notices

Policy, Audit & Regulatory translation

• Working with Information Risk Team, understand and enable group policy whilst ensuring local requirements are catered for. 
• Monitor compliance of policy and standards and drive the closure of gaps.
• Communicate risk based policies and minimum standards and escalate approval of exceptions.  
• Use risk management principles to safeguard Data Privacy, and the confidentiality, integrity and availability of information in accordance with the bank’s operating model and risk appetite.
• Be a custodian of Information Management in your locality

Project  implementation in Kenya:

Work with line managers and local project teams to:

• Train them in the implementation methodology and their understanding of  Data Privacy policies
• Adapt the methodology to fit the operating model of the local businesses
• Manage their queries - researched and answered promptly, and recorded on a data base
• Monitor their implementation v. plan, sample their deliverables, and challenge as appropriate
• Influence (but not run) new projects and provide steering to fix crucial Data Privacy Issues.
• Ensure that new projects follow the laid down process and Framework. 
• Apply consistent Privacy risk indicators to all projects and identify those with high risk.

Collaborate with business units:

To ensure that:

• Each business adopts a consistent approach to policy implementation where necessary
• Their queries are managed  - researched and answered promptly
• Each business submits a monthly progress report in an agreed format, and to an agreed standard of detail.

Training and Development

• Ensure that the mandatory Awareness Training programme that promotes and embeds a risk and security awareness culture within the business is carried out in each business unit
• Develop training and awareness, materials, from general awareness to subject matter experts
• Ensure each business unit has appointed information Risk Management Champion
• Train the IRM champions on a yearly basis on Privacy Requirements.
• Ensure that New Joiners induction training includes Information Risk awareness.
• Monitoring of LMS  training
• Conduct awareness as requested by units

Technical skills / Competencies

Education and Experience Required:

• A degree from a reputable learning institution.
• Professionally Certified (e.g. in CRISC, CISM, CISA) or CISSP or similar certification.
• Accredited in Information Management/Information Sciences of 5 years in Financial Services or related industry.
• 4 years experience, preferably in IT Security and Risk management related role.
• Experience fulfilling a consulting role.
• Proven relationship with executive management and communication skills.
• Extensive Microsoft office skills (Word, Excel, PowerPoint, etc.)
• Reasonable understanding of the principles, practices, and techniques related to Information Risk Management.
• Knowledge and understanding of the implications, to Absa, of the laws and regulations associated with Payment Card Industry, Data Security Services (PCI, DSS).
• Knowledge of wider aspects of risk control, operations and processes.
• Detailed understanding of the Risk assessment processes.
• Experience of a consultancy working style (i.e. used to working collaboratively across the business – essential for undertaking the assessment roles)

Competencies:

• Information Management
• Experience of developing IRM Standards - Basic
• Quality Focus - Competent
• Implementation Management  - Competent
• Influencing – Competent
• Information Security - Expert
• Understanding of compliance requirements relating to records retention – Competent
• Experience of developing communication and training strategies – Competent
• Understanding of records management technologies – Competent
• Planning and organization – Competent
• Problem solving – Competent
• Detailed understanding of the principles, practices, and techniques related to Information Risk Management.
• Technical Security background and experience of working on application developments
• A good understanding of the issues faced with outsourcing to external vendors and experience of conducting vendor assessments.
• Ability to influence senior management in relation to important Risk decisions.
• Proven leadership, relationship management and communication skills

Knowledge, Expertise and Experience

• Have core information risk management, confidence and a willingness to deliver.
• Good communication skills.
• Highly motivated and able to coordinate multiple activities across various disciplines.
• Experience of working in a financial organization would be beneficial.
• Awareness of operational risk disciplines, key risk indicators relevant to information risk and a business-focused approach to controls is also beneficial.  However deep technical knowledge in any one discipline is not a requirement for this role.
• It is essential that the candidate has a resilient, flexible approach to work, as a pre-requisite for working effectively as part of Barclays Information Management team.
• He or she must be prepared to turn their hand to support other requirements if needed, while ensuring that the core IRM responsibilities are maintained.
• A proactive and hands-on approach is essential to demonstrate that the value that this role and function can add to our organization.

Education

Bachelor's Degree: Information Technology