JOB PURPOSE

To operationalize and maintain the Bank’s data privacy and protection framework, ensuring compliance with the Kenya Data Protection Act (and other applicable data protection requirements). This includes overseeing personal data inventory, privacy impact assessments and data subject rights responses.

KEY RESPONSIBILITIES AND ACTIVITIES

Data Protection Compliance

• Support implementation and day-to-day operation of the Bank’s Data Protection & Privacy Framework in line with the Kenya Data Protection Act and ODPC guidance.
• Assist the Data Protection Officer (DPO) in maintaining regulatory compliance.
• Support the administration and updating of data protection policies, standards procedures, and guidelines.

Data Inventory & Mapping

• Maintain the Bank’s Register of Processing Activities (RoPA).
• Coordinate periodic data mapping exercises across systems, vendors, and business units to ensure completeness and accuracy.
• Maintain and monitor data retention schedules for compliant disposal of records in accordance with regulatory and the Bank

Privacy Impact Assessments

• Conduct and document Data Protection Impact Assessments (DPIAs) for new products, systems, outsourcing arrangements, and process changes.
• Track implementation of privacy risk mitigation actions.

Data Subject Rights Management

• Coordinate responses to data subject requests (access, correction, deletion, objection).
• Ensure statutory timelines and documentation requirements are met.
• Assist in preparing reports, presentations, and compliance dashboards

Monitoring & Assurance

• Monitor compliance with privacy policies, consent requirements, data retention schedules, and cross-border data transfer controls.
• Support internal audits, regulatory reviews, and compliance assessments relating to data protection.
• Support the performance of third-party risk assessments and coordinate the tracking/closure of identified data privacy risks.
• Assess and identify data privacy risks for both existing and new projects, ensuring that privacy is embedded from the start (Privacy by Design) and that default settings protect personal data (Privacy by Default).

Training & Awareness

• Deliver data protection and privacy awareness training to staff.
• Provide practical guidance to business units on handling personal data securely.
• Conduct research on emerging privacy trends, regulatory updates, and best practices including

Incident Management

• Support investigation and documentation of data breaches and privacy incidents.
• Assist with regulatory notifications and internal reporting where required.

PERFORMANCE OBJECTIVES

• Maintain up-to-date processing inventories and DPIA records.
• Ensure timely responses to data subject requests.
• Sustain compliance with data protection audit outcomes.

KNOWLEDGE, SKILLS & EXPERIENCE

Academic

• Bachelor’s degree in Law, Information Systems, Computer Science, Business, Risk Management, or a related discipline.

Professional

• Certification or formal training in:
• Data Protection & Privacy (e.g., DPO Certification, GDPR/Data Protection short courses)
• Membership or affiliation with data protection or information security bodies is an added advantage.

Desired Work Experience

• 2–4 years’ experience in data protection, compliance, IT risk, legal compliance, or information security, preferably within a regulated financial institution.
• Demonstrated exposure in:
• Kenya Data Protection Act requirements
• Data mapping and processing inventories
• Privacy impact assessments or compliance reviews

Core Competencies

• Strong understanding of data privacy principles and regulatory requirements.
• Ability to document and maintain registers, DPIAs, and evidence packs.
• Good analytical and organisational skills.
• Strong attention to detail.

Behavioural Competencies

• High ethical standards and confidentiality.
• Strong sense of accountability.
• Ability to work independently with minimal supervision.
• Effective communication with business users.

• Support implementation and day-to-day operation of the Bank’s Data Protection & Privacy Framework in line with the Kenya Data Protection Act and ODPC guidance.
• Assist the Data Protection Officer (DPO) in maintaining regulatory compliance.
• Support the administration and updating of data protection policies, standards procedures, and guidelines.
• Maintain the Bank’s Register of Processing Activities (RoPA).
• Coordinate periodic data mapping exercises across systems, vendors, and business units to ensure completeness and accuracy.
• Maintain and monitor data retention schedules for compliant disposal of records in accordance with regulatory and the Bank
• Conduct and document Data Protection Impact Assessments (DPIAs) for new products, systems, outsourcing arrangements, and process changes.
• Track implementation of privacy risk mitigation actions.
• Coordinate responses to data subject requests (access, correction, deletion, objection).
• Ensure statutory timelines and documentation requirements are met.
• Assist in preparing reports, presentations, and compliance dashboards
• Monitor compliance with privacy policies, consent requirements, data retention schedules, and cross-border data transfer controls.
• Support internal audits, regulatory reviews, and compliance assessments relating to data protection.
• Support the performance of third-party risk assessments and coordinate the tracking/closure of identified data privacy risks.
• Assess and identify data privacy risks for both existing and new projects, ensuring that privacy is embedded from the start (Privacy by Design) and that default settings protect personal data (Privacy by Default).
• Deliver data protection and privacy awareness training to staff.
• Provide practical guidance to business units on handling personal data securely.
• Conduct research on emerging privacy trends, regulatory updates, and best practices including
• Support investigation and documentation of data breaches and privacy incidents.
• Assist with regulatory notifications and internal reporting where required.

• Strong understanding of data privacy principles and regulatory requirements.
• Ability to document and maintain registers, DPIAs, and evidence packs.
• Good analytical and organisational skills.
• Strong attention to detail.
• High ethical standards and confidentiality.
• Strong sense of accountability.
• Ability to work independently with minimal supervision.
• Effective communication with business users.

• Bachelor’s degree in Law, Information Systems, Computer Science, Business, Risk Management, or a related discipline.
• Certification or formal training in: Data Protection & Privacy (e.g., DPO Certification, GDPR/Data Protection short courses)
• Membership or affiliation with data protection or information security bodies is an added advantage.