Data Protection Officer

To lead and oversee the organization’s data protection compliance framework, ensure adherence to the Data Protection Act, 2020 (Jamaica), and provide independent assurance and regulatory liaison across the entire Unicomer (Jamaica) Limited operations – end to end.

POSITION: DATA PROTECTION OFFICER (DPO)

REPORTS TO: MANAGING DIRECTOR, JAMAICA

SUPERVISION GIVEN TO: NONE

PURPOSE: To lead and oversee the organization’s data protection compliance framework, ensure adherence to the Data Protection Act, 2020 (Jamaica), and provide independent assurance and regulatory liaison across the entire Unicomer (Jamaica) Limited operations – end to end. The DPO serves as the organization’s independent authority on data protection matters and primary liaison with the Office of the Information Commissioner.

The Data Protection Officer (DPO) shall perform statutory functions as prescribed under the Data protection Act, 2020 and shall operate with full independence in executing those duties.

STATUTORY RESPONSIBILITIES

• Monitor compliance with the Data Protection Act and internal data protection policies.
• Advise on and oversee Data Protection Impact Assessments (DPIAs).
• Maintain oversight of Records of Processing Activities (POA).
• Cooperate with and act as contact point for the Office of the Information Commissioner.
• Raise awareness and monitor staff compliance with data protection obligations.

PRINCIPAL ACCOUNTABILITIES

Governance & Compliance

• Develop, implement, and maintain the organization’s data protection framework
• Ensure compliance across all categories of personal data, including customer, employee, contractor, and vendor information
• Oversee documentation of personal data processing activities in accordance with statutory requirements
• Embed privacy-by-design principles across operations
• Ensure appropriate lawful basis for processing and compliance with data retention schedules.
• Oversee third-party processor due diligence and ongoing monitoring.

Advisory & Risk Oversight

• Advise Executive Management on data protection risks and compliance obligations.
• Oversee Data Protection Impact Assessments, where required.
• Review and ensure appropriate data protection clauses in agreements involving the processing or exchange of personal data. Monitor cross-border data transfers and ensure appropriate safeguards.
• Conduct annual enterprise-wide privacy risk assessments.

Data Subject Rights & Incident Management

• Oversee the management of data subject rights requests
• Lead oversight of personal data breach investigations
• Assess statutory notification requirements and ensure timely reporting
• Maintain oversight of breach remediation and risk mitigation

Regulatory & Reporting

• Serve as the primary contact with the Office of the Information Commissioner
• Manage regulatory correspondence and inspections
• Provide quarterly data protection risk reports to the Managing Director and Executive Team within 15 days of quarter end.
• Escalate material risks affecting the microfinance entity to its Board of Directors
• Training & Awareness
• Oversee annual data protection training and awareness initiatives across the organization.
• Monitoring training completion rates and recommend corrective action for non-compliance.

AUTHORITY & INDEPENDENCE
The Data Protection Officer shall:

• Operate independently in all data protection matters and shall not receive instructions regarding the execution of statutory duties.
• Have direct access to Executive Leadership and/or BCJL Board of Directors.
• Serve as the organization’s designated representative to the Office of the Information Commissioner
• Have authority to escalate material data protection risks
• Not be assigned duties that create a conflict of interest

JOB SPECIFICATIONS:

QUALIFICATION/EDUCATION AND EXPERIENCE:

• Undergraduate Degree in Law, Compliance, Risk, IT Security, Finance, Audit or similar background.
• Minimum 5 years’ experience in legal advisory, compliance, regulatory affairs, audit, risk management, or related field.
• Demonstrated experience interpreting and applying legislation and regulatory requirements.
• Strong working knowledge of the Data Protection Act, 2020 (Jamaica).
• Experience within financial services, micro-finance, retail, or other regulated industry preferred.
• Professional privacy certification (e.g., CIPP, CIPM) preferred.

KNOWLEDGE, SKILLS AND ABILITIES:

• Strong working knowledge of the Data Protection Act
• Sound legal interpretation and analytical skills
• Understanding of data governance, risk management, and internal control frameworks
• Experience managing regulatory engagement and compliance oversight
• Exceptional communication both written and oral, and interpersonal skills.
• Independent judgment and objectivity
• Strong analytical and investigative capability
• Ability to influence senior leadership
• Ability to operate independently and cross -functionally

KEY PERFORMANCE INDICATORS

• Regulatory Compliance: Zero material enforcement action arising from non-compliance with the Data Protection Act
• Breach Management: 100% of suspected data breaches assessed within 48 hours and, where required, reported within statutory deadlines
• Compliance Culture: 100% completion of annual mandatory data protection training by June 30
• Audit Risk Closure: Minimum of 2 formal data protection compliance reviews conducted annually, with 90% of identified high-risk findings closed within 60 days
• Governance and Reporting: Quarterly data protection risk reports submitted to the Managing Director / presented to Executive Team within 15 days pf quarter end, with no overdue high-risk items exceeding 90 days without mitigation plan.

WORKING CONDITIONS

• Typical Office environment
• Irregular hours from time to time
• Some mental pressure due to demand
• Occasional exposure to hostile environment

This represents a broad outline of duties and responsibilities and cannot list in detail all the tasks the jobholder will be expected to undertake. Management reserves the right to review duties, responsibilities and key performance indicators based on the needs of the business.