Data Protection Officer (DPO)

About the Role

The Data Protection Officer (DPO) will work closely with the Compliance, Risk, and IT functions to develop, implement, and monitor data protection policies, standards, and governance frameworks applicable to the business in compliance with the Data Protection Act. The DPO will monitor internal compliance and data processing practices to ensure that the business, its subsidiaries, and all functions comply with applicable data protection and privacy requirements. The bearer of the role will be responsible for staff training, oversight of Data Protection Impact Assessments (DPIAs), and will act as the primary contact point for the Office of the Data Protection Commissioner (ODPC) and for individuals whose personal data is processed by the organization.

Essential Functions

• Establish and maintain the organization’s data protection governance framework, including the implementation roadmap, policies, and standardized templates for data collection, consent management, and data mapping.
• Provide advisory support to business units on the implementation of data protection requirements, ensuring compliance with the Data Protection Act, CAP 411C, and embedding privacy principles across processes, systems, and digital platforms.
• Develop, maintain, and ensure audit readiness of the Records of Processing Activities (ROPA) and related documentation, covering processing purposes, data categories, retention periods, and lawful bases.
• Design and deliver data protection training programs, ensuring continuous staff awareness in line with regulatory developments and emerging risks.
• Conduct and review Data Protection Impact Assessments (DPIAs) for new and high-risk processing activities, including products, systems, and digital platforms.
• Perform periodic compliance reviews and audits to assess adherence to internal policies and regulatory requirements, and drive timely remediation of identified gaps.
• Collaborate with IT to ensure effective data protection and security controls, including maintenance of data asset registers and implementation of incident management frameworks.
• Oversee and coordinate data breach and incident response processes, including breach detection, containment, investigation, impact assessment, regulatory notification, communication to affected data subjects, and post-incident remediation.
• Maintain the company’s personal data breach register.
• Manage data subject rights requests (including access, rectification, objection, restriction, and deletion), ensuring compliance with statutory timelines and proper documentation of responses.
• Support the development, review, and implementation of privacy notices across all data collection points, ensuring transparency and compliance.
• Serve as the primary liaison with the Office of the Data Protection Commissioner (ODPC) and other relevant stakeholders, including regulators, data controllers/processors, and data subjects, during inspections, audits, investigations, and ongoing engagements.
• Monitor regulatory developments, industry trends, and best practices in data protection, and provide proactive guidance to ensure continuous organizational compliance.
• Prepare and submit periodic and annual reports, including compliance reports, risk updates, and work plans to senior management, Board committees, and the ODPC.

Academic Qualifications

• Bachelor’s degree in Law, Information Technology, Computer Science, Information Systems, or a related discipline from a recognized institution.

Professional Qualifications

• Mandatory certification in Data Protection and Privacy such as: Certified Information Privacy Professional (CIPP/E, CIPP/IT, or equivalent) – IAPP, Certified Information Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certified Information Security Manager (CISM).

Experience

• Minimum of 5 years’ relevant experience in compliance, risk, legal, audit, or information governance within financial services (preferably insurance or banking).
• Demonstrated experience in conducting or supporting at least one Data Protection Impact Assessment (DPIA).
• Experience engaging with regulators, auditors, or supervisory authorities is highly desirable.
• Exposure to insurance operations (claims, underwriting, medical data, or fraud systems) will be an added advantage.

Skills and Attributes

• Strong expertise in data protection law, regulatory compliance, and privacy governance.
• Excellent understanding of insurance operations and data lifecycle management.
• Strong analytical and risk assessment capability with a high level of integrity and independence.
• Excellent communication, stakeholder engagement, and influencing skills.
• Strategic thinking and decision-making ability with strong organizational and project management skills.
• High attention to detail and documentation discipline.
• Negotiation and conflict resolution skills.
• Data analytics and reporting capability including software and systems proficiency (GRC platforms).
• Discretion and strict confidentiality in handling sensitive data.

How to Apply

Application letters and a copy of your current CV (combined into one document), including the names and addresses of three referees, should be sent by email to hr@tausiassurance.com. Please note that by submitting your application, you automatically give Tausi Assurance consent to process and use your personal data for recruitment purposes. Only shortlisted candidates will be contacted.