Data Privacy Specialist

Job Summary

Work embedded as a member of squad OR; across multiple squads to produce, test, document and review algorithms & data specific source code that supports the deployment & optimisation of data retrieval, processing, storage and distribution for a business area.

Job Purpose

The job holder will be a member of Absa bank Kenya Information Risk Management & Data Privacy Team responsible for implementing the information risk and Data Privacy/Protection programs in Absa bank Kenya. The primary function of the role is to ensure information/Data is protected effectively and consistently with its criticality. Also ensuring that Audit, Regulatory and Governance requirements are realized in the Bank.

Main accountabilities

Work with the Absa Kenya IRM team to build an implementation method for the IRM & Data Privacy policies

Based on the Group design, the method will become the model for implementation across  ARO, to ensure:
Consistency of approach and interpretation where necessary
Clear controls on exceptions where requested
Businesses have clear communications channels for feedback and queries

Data Privacy Standards Implementation

Consistent implementation of DP policy, data Standards and Procedures across the businesses.
Maintain /Report Monthly Risk indicators
Communications  to  emphasize the importance of Data Privacy
Implement Absa operating framework for the management and control of  Data Privacy in BAU
Training and awareness, materials, from general awareness to subject matter experts.
Publication of guidance on data privacy best practice.
Data Privacy program Implementation
Breach escalation.
Implement and tracking of Data Privacy Training
Provide Data Protection champions.
Compilation  and consolidation of Country DP risk profile
Participating in new projects and products to check data privacy requirements
Implementation of Logical  Access Management Requirements
Ensure PIAs are completed for new implementations, changes, projects and new products
Review PIAs submitted by projects and product teams
Review of submitted Data Privacy Related Dispensations, waivers and breaches
Review and maintain a tracker on Data Privacy Related Dispensations, waivers and breaches
Track country DP requirements implementation in respect of:
Privacy notices roll out
Personal Data lifecycle management (collection/creation, use/reuse, processing, storage/archiving & destruction)
Personal data transfers & Further processing of personal data
Direct marketing customer consent management
Privacy related complaints.
Data/Information security & safeguards.
Incident Management
Implementation of completeness and validation controls in systems
Implementation of required privacy controls within the system/processes/products in line with the PIAs prior to go-live
Remediation of Data Quality issues/gaps affecting Data Privacy/Protection
Implementation of approved Data Privacy Retention Schedule
Execution of Data Subject processes

Records Management

Monitor and report on Key Risk Indicators
Guide the business in classification and categorization of records that contain personal Information
Be a point of contact and give guidance to the business on Retention of Personal Information.
Publication of guidance on privacy retention schedule

Data Leakage Protection

Ensure the raised Data Leakage alerts that relates to Data Privacy are closed within SLA
Give advice and guidance to other staff on how to secure and handle Personal Information

Controls & Risk Assessment  

Carry out Data Privacy reviews in sampled business units
Facilitate the remediation and closure of all the issues picked regarding information
Provide the information to create a threat profile.
Clear controls on exceptions where requested
Ensure the Businesses have clear communications channels for feedback and queries
Publication of guidance on IRM best practice.

Issues and incident Management:

Log and follow to closure the incidences reported within the business
Report and escalate the incidences identified as per the DPIMS
Maintain a data base of remediation issues identified and actions agreed, to ensure consistency of approach and common themes for reporting to ARO IRM team
Identify remediation activity and agree action plans
Consistency of approach and interpretation where necessary
Ensure the implementation of and the monitoring of the Data Privacy Incident Management Standard within the Business
Develop an implementation schedule for Business Units where required

Third Party Management

Perform due diligence on all new 3rd Parties to ensure a duty of care is provided for data and information assets.
Ensure risk is mitigated in accordance with policy and governance, and that regular reviews of risk are provided.
Track Third party supplier obligations  compliance on Data Privacy
Review third party contracts for inclusion of DP requirements/schedules.
Assess possibility of processing without transfer of personal data
Ensure required exceptions to Binding Corporate  Rules are considered and relevant BCR put in place
Ensure embedment of Privacy notices
Policy, Audit & Regulatory translation

Working with Information Risk Team, understand and enable group policy whilst ensuring local requirements are catered for.
Monitor compliance of policy and standards and drive the closure of gaps.
Communicate risk based policies and minimum standards and escalate approval of exceptions.
Use risk management principles to safeguard Data Privacy, and the confidentiality, integrity and availability of information in accordance with the bank’s operating model and risk appetite.
Be a custodian of Information Management in your locality
Project  implementation in Kenya:

Work with line managers and local project teams to:

Train them in the implementation methodology and their understanding of  Data Privacy policies
Adapt the methodology to fit the operating model of the local businesses
Manage their queries – researched and answered promptly, and recorded on a data base
Monitor their implementation v. plan, sample their deliverables, and challenge as appropriate
Influence (but not run) new projects and provide steering to fix crucial Data Privacy Issues.
Ensure that new projects follow the laid down process and Framework.
Apply consistent Privacy risk indicators to all projects and identify those with high risk.
Collaborate with business units:

To ensure that:

Each business adopts a consistent approach to policy implementation where necessary
Their queries are managed  – researched and answered promptly
Each business submits a monthly progress report in an agreed format, and to an agreed standard of detail.
Training and Development

Ensure that the mandatory Awareness Training programme that promotes and embeds a risk and security awareness culture within the business is carried out in each business unit
Develop training and awareness, materials, from general awareness to subject matter experts
Ensure each business unit has appointed information Risk Management Champion
Train the IRM champions on a yearly basis on Privacy Requirements.
Ensure that New Joiners induction training includes Information Risk awareness.
Monitoring of LMS  training
Conduct awareness as requested by units
Technical skills / Competencies

Education and Experience Required:

A degree from a reputable learning institution.
Professionally Certified (e.g. in CRISC, CISM, CISA) or CISSP or similar certification.
Accredited in Information Management/Information Sciences of 5 years in Financial Services or related industry.
4 years experience, preferably in IT Security and Risk management related role.
Experience fulfilling a consulting role.
Proven relationship with executive management and communication skills.
Extensive Microsoft office skills (Word, Excel, PowerPoint, etc.)
Reasonable understanding of the principles, practices, and techniques related to Information Risk Management.
Knowledge and understanding of the implications, to Absa, of the laws and regulations associated with Payment Card Industry, Data Security Services (PCI, DSS).
Knowledge of wider aspects of risk control, operations and processes.
Detailed understanding of the Risk assessment processes.
Experience of a consultancy working style (i.e. used to working collaboratively across the business – essential for undertaking the assessment roles)


Information Management
Experience of developing IRM Standards – Basic
Quality Focus – Competent
Implementation Management  – Competent
Influencing – Competent
Information Security – Expert
Understanding of compliance requirements relating to records retention – Competent
Experience of developing communication and training strategies – Competent
Understanding of records management technologies – Competent
Planning and organization – Competent
Problem solving – Competent
Detailed understanding of the principles, practices, and techniques related to Information Risk Management.
Technical Security background and experience of working on application developments
A good understanding of the issues faced with outsourcing to external vendors and experience of conducting vendor assessments.
Ability to influence senior management in relation to important Risk decisions.
Proven leadership, relationship management and communication skills

Knowledge, Expertise and Experience

Have core information risk management, confidence and a willingness to deliver.
Good communication skills.
Highly motivated and able to coordinate multiple activities across various disciplines.
Experience of working in a financial organization would be beneficial.
Awareness of operational risk disciplines, key risk indicators relevant to information risk and a business-focused approach to controls is also beneficial.  However deep technical knowledge in any one discipline is not a requirement for this role.
It is essential that the candidate has a resilient, flexible approach to work, as a pre-requisite for working effectively as part of Barclays Information Management team.
He or she must be prepared to turn their hand to support other requirements if needed, while ensuring that the core IRM responsibilities are maintained.
A proactive and hands-on approach is essential to demonstrate that the value that this role and function can add to our organization.

Bachelor’s Degree: Information Technology


Click “APPLY FOR JOB” button above to apply for this job.

About Absa Bank Limited

Absa Bank Limited (Absa) is a wholly owned subsidiary of Barclays Africa Group Limited. Absa offers personal and business banking, credit cards, corporate and investment banking, wealth and investment management as well as bancassurance. Barclays Africa Group Limited is 62.3% owned by Barclays Bank PLC and is listed on the JSE Limited. The Group is one of Africa’s major financial services providers offering personal and business banking, credit cards, corporate and investment banking, wealth and investment management as well as bancassurance. The Group was formed through combining Absa Group Limited and Barclays’ African operations on 31 July 2013. Reflecting the enlarged group’s pan-African focus, the Group's name changed from Absa Group Limited, to Barclays Africa Group Limited on 2 August 2013. Registered head offices are in South Africa and the Group has majority stakes in banks in Botswana, Ghana,Kenya, Mauritius, Mozambique, Seychelles, South Africa, Tanzania (Barclays Bank Tanzania and National Bank of Commerce), Uganda and Zambia. The Group has representative offices in Namibia and Nigeria, as well as bancassurance operations in Botswana, Mozambique, South Africa and Zambia. Barclays Bank Kenya and Barclays Bank Botswana continue to be listed on their respective stock exchanges.Barclays Bank PLC has operations in Egypt and Zimbabwe, which are part of the African business and continue to be run by Barclays Africa Group’s management