Data Protection Officer

Data Protection Officer

JOB PURPOSE
To support the Companies Office of Jamaica’s strategic objectives by monitoring compliance and data practices internally to ensure the business and its functions comply with the applicable requirements under the provisions of the Data Protection Act. The DPO will be responsible for staff training, data protection impact assessments, and internal audits. The DPO will also serve as the primary contact for supervisory authorities and individuals whose data is processed by the organisation.

KEY OUTPUTS
 Recommendations made for the appropriate organisational and technical measures to ensure the security of personal data
 Data Protection policies and procedures
 Risk and breach register and reports
 Personal Data Breaches reported to the Office of the Information Commissioner and any other relevant stakeholder in accordance with the Data Protection Act
 Accurate and up-to-date information provided.
 Security audits Conducted.
 Training and sensitization Conducted.

PERFORMANCE CRITERIA
 Work volume targets and daily, weekly, and monthly deadlines are consistently met.
 Confidentiality and integrity are exercised.
 Staff is competent, well-trained and motivated to achieve organizational objectives.
 Strong and capable Data Protection policies and procedures developed
 Degree of partnership established with the OIC
 Implementation and maintenance of data protection standards, policies, procedures, and good practice.
 Effectiveness of the management of the Personal Data
 Adequacy of recommendations made for improved management of data
 Degree of Internal customer satisfaction with the quality of data protection training and guidance delivered.
 Timeliness in reporting breaches to OIC and Agency Management
 Resolution of breaches identified
 Currency of knowledge of local privacy legislation
 Percentage of successful breaches mitigated.
 Data Protection Risks identified and addressed
 Problems and new requests are met with speedy and effective response
 Reports generated for both internal and external stakeholders

WORKING CONDITIONS
Normal Working Hours Monday to Thursday 8:30 – 5:00
Friday 8:30 – 4:00
Work Environment Normal office conditions.
Travel is required periodically.
Occasional exposure to a hostile environment

SPECIAL WORKING CONDITIONS
May be required to work beyond normal working hours.

LIASES WITH
Internally: Executives, Managers, Supervisors, and other internal stakeholders
Externally: Government Ministries
Agencies within the parent Ministry
Advisory Board and CEO’s Board
Public sector as well as Elected officials
Data Protection Authorities
Office of the Information Commissioner
Customers

JOB RESPONSIBILITY
 Develops, implements, monitors, and reviews Agency Data Protection Policy.
 Implement measures and a privacy governance framework to manage data use in compliance with the DPA, including developing templates for data collection, and assisting with data mapping.
 Working with key internal stakeholders in the review of projects and related data to ensure compliance with local data privacy laws, and where necessary, complete and advise on privacy impact assessments.
 Examine existing software and Data Protection Procedures in order to ensure any modifications made meet user requirements for both the Agency’s policy and the Data Protection Act.
 Identifies system training needs and recommends and/or assists in developing appropriate training programmes.
 Ensure that the Companies Office of Jamaica processes personal data in compliance with the data protection standards and in compliance with the Data Protection Act and good practice.
 Consult with the OIC to resolve any doubt about how the provisions of the Data Protection Act and any Regulations made thereunder are to be applied.
 Ensure that any contravention of the data protection standards or any provisions of the Data Protection Act by the Companies Office of Jamaica is dealt with in accordance with the provisions of the Data Protection Act.
 Notify the Integrity Commission, Data Protection Authorities, and Office of the Information Commissioner of any contravention or breaches of the data protection standards or any provisions of the Data Protection Act.
 Collaborate with the Information Security function to maintain records of all data assets and exports, and maintain a data security incident management plan to ensure timely remediation of incidents including impact assessments, security breach response, complaints, claims or notifications, and responding to subject access requests.
 Ensures that the Companies Office of Jamaica’s IT systems and procedures comply with all relevant data privacy and protection laws, regulation, and policy (including in relation to the retention and destruction of data).
 Assist data subjects in the exercise of their rights under the Data Protection Act, in relation to the Integrity Commission.
 Liaise with the Integrity Commission and other Data Protection Authorities with the development of internal policies and procedures related to the processing of personal data.
 Make recommendations for the appropriate organisational and technical measures to ensure the security of personal data.
 Act as the primary contact point for the Office of the Information Commissioner on issues relating to the processing of data, and to consult, where appropriate, with regard to any other matter.
 Monitor changes to local privacy laws and make recommendations where necessary.
 Develop strategies and initiatives to ensure engagement with key internal and external stakeholders
 Performs other related functions required from time to time

JOB DIMENSION/AUTHORITY
 Recommend staff leave.
 Recommend security procedures and maintenance for Data Protection
 Report breaches to the OIC
 Develop and review data protection policies
 Maintain risk and breach register
 Advise OIC of breaches
 Take remedial action for breaches
 Conduct training and sensitization relating to data protection
 Data Protection Security Audits
 Take disciplinary action in accordance with the Agency’s policies and procedures.

KEY COMPETENCIES
 Sound knowledge of the agency of the organisation’s IT infrastructure including relevant computer applications and software.
 Excellent knowledge of project development and management.
 Excellent analytical skills.
 Ability to work unsupervised, exercise leadership, and influence change.
 Excellent interpersonal and communication skills.
 Excellent knowledge of the Data Protection Act, and all other applicable Acts/ Legislation and policies that govern data protection and the operation of the Agency.
 Proficient in the use of Document Management and workflow application and the associated reporting tool

Demonstrate a high level of confidentiality in the execution of duties with the ability to act in an independent manner, free of any real or perceived conflicts.

 Knowledge of information technology, data management and compliance processes.
 Detail-oriented approach needed to recommend and implement strategic improvements on a range of data privacy and data protection issues.
 Ability to handle confidential and sensitive information with the appropriate discretion.
 Change management skills
 Knowledge of Government of Jamaica (GOJ) Procurement Rules, Governance and Risk Management.

QUALIFICATION & EXPERIENCE
 BSc. in Law, Compliance, IT Security, Audit, or similar background.
 Certification in Data Protection and/or Privacy certification such as CIPP, CIPT, ISEB, etc.
 Four (4) years related work experience in law, audit, and/or risk management, compliance, or equivalent experience. Experience should be at the management/ supervisory level
 Sound knowledge of the Data Protection Act and other applicable data protection policies.
or
 Master’s Degree in Law, Data Protection, Business Administration, or similar background from a recognized tertiary institution;
 Two years’ related work experience in law, audit and/or risk management, compliance, or equivalent experience. Experience should be at the management/ supervisory level
 Certification in Data Protection and/or Privacy certification such as, CIPP, CIPT, ISEB, etc
 Sound knowledge of the Data Protection Act and other applicable data protection policies.