Data Protection Officer

Organisation
Jamaica Customs Agency
Reference
VAC-49480
Contract Type
Full-Time
Industries
Information & Communication Technology
Location
Kingston
Salary & Benefits
$7,716,512 - $10,377,851 annually
Date Posted
05/05/2024
Expiry Date
24/05/2024
The Data Protection Officer ensures compliance with data protection laws, designing frameworks, monitoring, and coordinating staff training for adherence.

 

Job Purpose

The Data Protection Officer is responsible to:

  • Design and oversee the implementation of an adequate data protection framework to include policies, procedures, guidelines, systems and assessment mechanisms in keeping with the Data Protection Act and all other relevant legislation.
  • Monitor compliance with the Agency’s data protection measures through the creation of operational guidelines, the execution of audits, and the provision of recommendations for improvement where necessary.
  • Ensure staff awareness of the data protection framework by coordinating training and sensitisation initiatives.

 

Key Responsibilities

Technical/Professional Responsibilities

  • Develops, implements and maintains frameworks for Data Protection, including policies, procedures, guidelines, an operational roadmap and a maturity model.
  • Ensures that all required processes, systems, and controls are in place to ensure adherence to the legally stipulated data protection standards in all areas throughout the Agency.
  • Keeps abreast of changes in the legislative environment and adjusts the Agency’s frameworks accordingly to ensure consistency.
  • Conducts divisional and agency-wide data security and protection audits to ensure data protection, security and privacy compliance and address potential data protection issues.
  • Makes recommendations based on internal audit findings on data protection, security and privacy to ensure the effective adoption of the legally prescribed implementations by the Agency.
  • Conducts annual Agency-wide Data Protection Impact Assessments (DPIAs) to identify and mitigate risk factors in the data protection process.
  • Creates annual Data Protection Impact Assessment (DPIA) report for submission to the Office of the Information Commissioner, Ministry of Science, Energy & Telecommunication.
  • Assists the Agency in preparation for external audits and risk assessment activities that concern Data Protection.
  • Liaises with stakeholders to ensure privacy by design at all levels.
  • Manages and monitors the Agency’s internal policies to ensure compliance with the General Data Protection Regulation (GDPR).
  • Advocates for establishing and maintaining a data protection and privacy culture within the Agency and its stakeholders.
  • Keep stakeholders updated with regular reports on the Agency’s data protection strategies and policies.
  • Act as primary contact for the Agency on data protection policies and issues.
  • Ensures all concerns raised by data subjects are addressed within legal timeframes.
  • Liaise with external data controllers that process data on behalf of the Agency to ensure that the established data protection standards are upheld at all stages of the data lifecycle.
  • Maintains a record of all external data controllers with whom the Agency does business.
  • Maintains a database that houses the request details of all processing activities in the Agency.
  • Establishes effective partnerships with external stakeholders with whom the Agency will collaborate to achieve its data protection mandate.
  • Ensures that data protection standards are observed in all human resource management-related functions, including recruitment and selection, separation, and performance management processes.
  • Implements communication strategy to ensure the sensitisation of all staff about the data protection policies and guidelines, the role of each employee in ensuring Agency-wide compliance, and the value of the data protection mandate to the Agency and its stakeholders.
  • Advocates for establishing and maintaining a data protection and privacy culture within the Agency.
  • Conduct training and support for employees directly involved in data processing, handling, and management.
  • Evaluate the existing data protection strategies and frameworks and identify areas requiring improvement or rectification.
  • Reviews existing policies, procedures and guidelines that have implications for data processing and makes recommendations to ensure that data protection standards are upheld.
  • Convenes meetings to discuss data protection issues and proposes solutions as required.
  • Reports data protection breaches to the Information Commissioner and supervises the resolution of the breach by the responsible parties.
  • Stay updated on data security news and trends to implement new technologies and improve data protection in the organisation.
  • Prepares other reports and project documents as required.
  • Promotes customer trust and confidence in conducting transactions with the Agency by guaranteeing maximum protection of all personal and sensitive data.

Planning

  • Create and/or maintain an operational roadmap and maturity model for data protection at the JCA;
  • Develop and implement frameworks for Data Protection Policy Procedures and Guidelines;
  • Recommend assessment action plans to identify gaps in relation to regulatory requirements, including developing and managing any mandated documentation or audit trail; and
  • Follow-up with changes in the legislative environment and issue recommendations to guarantee compliance;

Monitoring

  • Monitor The JCA’s compliance with regulatory requirements and its own Data Protection Policy;
  • Conduct data security and processing audits and determine if/when The JCA will need to alter its procedures to comply with legislation;
  • Conduct and monitor Data Protection Impact Assessments;
  • Develop data protection impact assessments and risk mitigation recommendations;
  • Provide advice and instructions on how to conduct Data Protection Impact Assessments (DPIAs); and
  • Maintain records of data processing operations.

Communication

  • Act as a point of contact for data subjects, supervisory authorities, and internal teams;
  • Liaise with Data Processors (other organizations that process data on behalf of The JCA);
  • Ensure all queries/issues from data subjects are addressed within legal timeframes; and
  • Serve as Secretary to the JCA Data Protection Committee;

Awareness/Culture

  • Creates and manages a data protection awareness program for staff that includes:
    • Training sessions towards mastery of the Agency’s data protection procedures individually.
    • Sensitisation initiatives to educate staff about data protection best practices and regulatory requirements.
    • Effective staff engagement on updates in the data processing and protection legal landscape
  • Participate in meetings with stakeholders to ensure privacy by design at all levels;
  • Inform and advise both management and employees of their obligations to comply with the relevant data privacy and security laws;
  • Promote data privacy awareness, including customized training to all staff;
  • Champion the development of a culture of data protection and privacy within the Agency; and
  • Provide leadership and guidance on the management of data privacy breaches.

Risk Management

  • Ensures that all significant risks are identified and mitigated, and that appropriate and timely actions are taken to manage them.
  • Implement the Enterprise Risk Management Framework for Data Protection related matters and activities.
  • Creates, establishes and implements policies and procedures on risk management and internal controls.

Customer Service Responsibilities

  • Maintain customer service principles, standards, and measurements.
  • Identify and incorporate the interests and needs of customers in business process design. 
  • Ensure critical success factors are identified and meet expectations.

Other Responsibilities           

  • Perform all other duties and functions as may be required from time to time.    
  • May be required to provide witness statements, attend court proceedings, and give evidence.
  • Comply with Health and Safety policies.

 

Required Competencies

Core

  • Excellent verbal and written communication skills.
  • Excellent customer service and interpersonal skills
  • Excellent planning, organisation, and time management skills.
  • Strong analytical, judgement, decision-making and problem-solving skills
  • Ability to think strategically.
  • Keen attention to detail.
  • Reporting skills
  • Ability to work independently with minimal supervision.
  • Ability to work in a team environment.
  • Ability to be adaptable, especially under pressure.
  • Ability to display high levels of confidentiality, integrity, and professionalism.
  • Ability to communicate, interact and work effectively and cooperatively with all people, including those from diverse ethnic and educational backgrounds.
  • Good team-building skills and the ability to interact effectively and professionally at all levels of the organisation (e.g., executives, managers, subject matter experts, peers, and support staff)
  • Ability to organise and coordinate workshops, conferences, and meetings.

Technical

  • Advanced IT skills in the Microsoft Office Suite Applications
  • Working knowledge of Customs policies, procedures, and controls.
  • Working knowledge of the Data Protection Act and other applicable regional and international data protection laws and regulations is required.
  • Relevant, working knowledge of cybersecurity – managing security incidents, conducting risk assessments, and implementing countermeasures.
  • The ability to understand and interpret complex legal requirements surrounding data privacy is a definite asset.
  • Detailed knowledge and understanding of international data protection best practices.
  • Detailed knowledge and understanding of auditing and assessment best practices.

 

Minimum Required Education and Experience

  • A master’s degree in information security, Computer Science, Information Technology, Management Information Systems, or a related field with at least six years of industry experience in data protection and privacy compliance or related field and two years at the managerial level.

OR

  • Bachelor’s degree in information security, Computer Science, Information Technology, Management Information Systems, or a related field with at least ten years of industry experience in data protection and privacy compliance or related field and four years at the managerial level.
  • ISO/IEC 27701:2019 Privacy Management System Certificate
  • Possess recognised privacy and data protection certification from the International Association of Privacy Professionals (IAPP):
    • Certified Information Privacy Professional (CIPP)
    • Certified Information Privacy Manager (CIPM)
    • Certified Information Privacy Technologist (CIPT)
  • At least one ISACA certification in governance and risk management:
    • Certified in Risk and Information Systems Control (CRISC)
    • Certified in Governance of Enterprise IT (CGEIT)
    • Certified Information Security Manager (CISM)

OR

  • At least 3 years’ work experience in Privacy, Compliance, Information Security, Auditing, or a relevant field (Finance, Law, Business Administration, Information Technology).
  • At least 3 years’ work experience mapping/understanding business processes and data handling needs in a relevant/related industry.
  • Experience in or understanding of Customs Administrations, as well as data processing within the Agency, will be a definite asset.
  • Relevant working knowledge in cybersecurity – dealing with real security incidents, risk assessments, countermeasures and data protection impact assessments will be considered a definite asset.
  • A working knowledge of the regional, international, and other relevant data protection laws is required. The ability to understand and interpret complex legal requirements surrounding data privacy is a definite asset.

 

Special Conditions Associated with The Job

  • Work will be conducted in various offices outfitted with standard office equipment and specialised software.
  • Involves working in a fast-paced environment with ongoing interactions with critical stakeholders.
  • A fair degree of travelling is required (>30%) periodically to represent JCA on matters locally and internationally.
  • May be required to visit vendor sites for audits, inspections, etc.
  • Extended periods of sitting around a computer

Region: 
Kingston
Occupational fields: 
Legal
Other
Fields of study: 
Law
Required degree level: 
Other

This job posting has been provided by an external employer. The Jamaican Jobs Online is not responsible for the accuracy, authenticity or reliability of the content.