Data Protection Officer at Mukuru

An exciting opportunity has become available for a Data Protection Officer to join the Mukuru team.

The purpose of the position (DPO) is to encourage and ensure compliance with regulations governing data privacy and the protection of and access to information. The DPO will develop, maintain, and monitor the Group data protection, privacy and access to information strategy, framework, policies and standards (programme) for effective implementation. The DPO will serve as the primary point of contact for Regulators and data subjects concerning data protection, privacy, and access to information within Mukuru.

The DPO should have oversight on implementing the Group data protection, privacy and access to information programme and report on an ongoing basis to senior management forums on its effectiveness. The DPO will work closely with the Heads of Compliance, Risk and Legal, and the Regulatory Compliance Change Programme Manager as part of second-line management. The DPO will support and work closely with first-line management, including the Data Governance Manager, Data Privacy Commercial Legal Advisor, Head of Information Security, Head of IT Strategy and Architecture, and Chief Information Officer

Duties and Responsibilities include (but is not limited to):
Develop, maintain, and monitor the Group data protection, privacy and access to information strategy, framework, policies and standards for effective implementation throughout Mukuru.
Have oversight on the implementation of the Group data protection, privacy and access to information framework and report on an ongoing basis to senior management forums on its effectiveness
Work closely with the Heads of Compliance, Legal and Risk, General Counsel, Regulatory Compliance Change Programme Manager, Product Owners, and other Compliance Management Members
Guide on the implementation of data privacy, protection, and access to information governance frameworks under the Group’s regulatory obligations
Guide and oversee impact assessments and internal data privacy and protection audits.
Work closely with the Procurement, Data Governance Manager, Data Privacy Commercial Legal Advisor, Head of Information Security, Head of IT Strategy and Architecture, and Chief Information Officer to effectively implement adequate controls.
Attend various regulatory compliance governance forums focussing on the development, implementation and/or remediation of data protection and privacy controls across the Group
Raise compliance risks and areas of non-compliance, together with proposed recommendations to address such risks and remediation of non-compliance
Provide subject matter expertise and fit-for-purpose recommendations relating to Mukuru’s data protection, privacy, and access to information requirements
Assist with clarifying regulatory requirements on projects and BAU to ensure that requirements are understood, clearly documented, and implemented
Assess and provide regulatory guidance to existing and potential new products and services within Mukuru, as well as expansion into new geographies
Work with the technical teams to translate complex regulatory requirements into fit[1]for-purpose technical requirements, with emphasis on the effectiveness and sustainability of proposed solutions Ÿ Provide advice and recommendations relating to data protection impact assessments performed by Information Security
Assess 3rd parties’ data protection and privacy frameworks, policies, standards, processes etc. as part as partner and vendor due diligence
Develop and monitor the implementation of policies, standards, procedures, and other documents applicable to business and in compliance with the applicable privacy, protection and access to information laws and regulations
Develop templates for data collection, advising on and assisting with data mapping and records of data processing, and vendor management reviews
Understand the business of Mukuru to draft fit-for-purpose written guidance to employees on the appropriate implementation of data protection and privacy rules, laws and standards through policies, procedures, and other required artefacts
Perform testing on the effectiveness of the controls implemented by the first line of defence (business).
Monitor compliance and data practices internally to ensure that the business and its functions comply with the applicable privacy, protection and access to information laws and regulations
Document and maintain risk and breach registers, tracking the implementation of remediation against appropriate business owners
With the support of the Head of Information Security and Data Governance Manager, develop and maintain a personal data security incident management plan to ensure timely remediation of incidents impacting personal data, including impact assessments, breach response, complaints, claims or notifications.
Be actively involved and support the Group during external audits and/or inspections of all data protection, privacy and access to information controls implemented
Register with the applicable Information Regulators and serve as the primary contact for all such Regulators in the jurisdictions where the Group operates
Serve as the primary point of contact where data subjects raise queries, concerns and complaints relating to the processing, handling, or retention of their personal information, as well as access to information requests
Evaluate and approve requests for access to information received regarding the grounds set out in PAIA within the time constraint or any extended period.
Work with the Regulator concerning investigations conducted to prior authorisations or potential contravention of Regulations.
The DPO will be responsible for the development of training content (in consultation with Mukuru Learning and Development) and the facilitation thereof
Attend all required training courses, internally and externally
Obtain/maintain professional membership to ensure that role remains current in terms of trends, legislative and regulatory updates
Attend and, where requested, participate in local and international training and awareness conferences
Monitor all current and future legislative requirements relating to data protection and privacy regulations, legislations, guidelines, and best practice
Identify development areas in your role and work with your Department Heads on your Personal Development Plan

Key Requirements:

• Grade 12 or equivalent
• Law / post graduate leg risk or audit qualification
• Hold at least one data protection and/or privacy certification, such as CIPP, CIPT, CIPM, ISEB, etc. (preferred) or willingness to achieve within a short period of being appointed.
• Excellent working knowledge of data protection, privacy, and access to information laws applicable to Africa, the UK and EU
• Experience in regulatory compliance, focusing on data and privacy governance framework to manage data use in compliance.
• Sound understanding of compliance methodology, working knowledge of all elements comprising.

Beneficial:

• Knowledge of payment, information technology and data management systems
• Knowledge of contracts and commercial agreements
• Able to exercise independent judgment and act on it
• Excellent drafting, investigation, and communication skills
• Excellent presentation skills
• Drafting in a well-structured and logical way – must have the ability to write and review regulatory compliance guidance notes and reports with detailed requirements to inform the business of regulatory requirements and potential impact
• Ability to undertake large, long-term projects, develop alternative methods to complete them and support business in implementing sustainable and fit-for-purpose solutions.
• Logical, practical, and efficient, with keen attention to detail and focus on sustainability
• Highly self-motivated and directed
• Ability to effectively prioritise and execute tasks while under pressure
• Must be able to adapt quickly to change, be agile in approach, but thorough in execution
• Ability to communicate technical and complex regulatory concepts to stakeholders
• Advanced communication and stakeholder management skills
• Hybrid way of work (Various Mukuru Offices, Home)

Additional Skills:

• 5 to 8 years of experience in compliance, legal, audit and/or risk function (regulated industry).
• Must have at least 4 (four) years of recent experience in data protection, privacy and access to information laws and regulations in South Africa (POPIA, PAIA), European data privacy laws (GDRP), UK data protection act, any other data privacy legislation or regulation
• Experience in developing and facilitating compliance training
• Experience working independently as well as in a team-oriented, collaborative environment
• Working in a fast paced and high-pressure environment requiring high energy
• Working within an Agile environment