Job description

Business: Enterprise Risk Management

Open positions: 1

Role Title: AVP - Data Protection Office GSC's

Global Career Band: 5

Location (Country / City): India / Bangalore

Recruiter Name: Geetika Gupta

Why join us?

  • To ensure HSBC meets its obligations under data protection and privacy laws in designated ASP Markets
  • Data Privacy Officers (DPOs) are responsible for ensuring HSBC meets its obligations under data protection and privacy laws within their particular jurisdiction. They provide expert advice, guidance and direction and support the necessary standards and controls to enable the Bank, including its employees and relevant third parties, to manage privacy risks and comply with obligations under data protection laws in relation to the processing of personal data.
  • To establish a culture of privacy within HSBC, the DPO will need to work collaboratively with key senior stakeholders across the business and will be accountable for keeping executives apprised of privacy risks and issues.
  • The role holder is designated to be the Alternate DPO backup for designated ASP markets and will assist the DPO to carry out the following tasks:
  • Informing and advising the business and its employees of their data privacy and protection compliance obligations;
  • Providing expert guidance, oversight and challenge on all aspects of data protection and privacy risk strategy and compliance focusing efforts on areas that present higher data privacy risks;
  • Monitoring compliance with data privacy provisions and with HSBC Group policies relating to the protection of personal data, including the assignment of responsibilities, staff education and awareness training, and ensuring remediation of any related audit findings;
  • Reviewing and advising on Data Protection Impact Assessments (DPIAs) and monitoring performance of mitigations, where necessary;
  • Cooperating with the regulatory authority;
  • Acting as the contact point internally and externally with data subjects and the regulatory authority;
  • Advising on, and providing the business with support, to ensure the necessary safeguards and controls are in place to ensure compliance with requirements for international data transfers by identifying all circumstances in which personal data is transferred outside of the relevant jurisdiction; and
  • Provide incident management advice and/or support as needed and ensure that data incidents and breaches are responded to and managed effectively with data subjects and that the relevant authorities are informed within necessary timeframes.
  • This job description is not intended to be an exhaustive list of responsibilities. The DPO - Senior Manager may be required to complete other reasonable duties, especially in relation to specific jurisdiction and local law variances.

What you’ll do:

Principal Accountabilities: Key activities and decision making areas

Operational Performance

  • Support the implementation of HSBC approved risk appetite into local policies, processes, systems, models and limits.
  • Support the design, development and renewal of local data protection and privacy risk policy and minimum standards.
  • The DPO will coordinate with the Risk Steward at appropriate times to enable the DPO to discharge statutory roles – e.g. supporting on policy setting, reporting.
  • Provide advice on privacy requirements to help build privacy by design and privacy by default into processing activities involving personal data.
  • Provide advice and guidance on all aspects of data protection and privacy risk including the records required to demonstrate compliance, risk identification, assessment, mitigation, response and reporting.

Typical Targets and Measures

  • Comprehensive procedures and controls are in place to manage Data Privacy and Information Governance within HSBC.
  • Data Privacy and Information Governance policies are effectively communicated and adhered to within the jurisdiction.
  • Adverse consequences arising due to regulatory issues related to Data Privacy and Information Governance, including changes in law and regulations are properly managed, mitigated and remedial action initiated.
  • Key regulatory and policy changes and details of emerging legal and regulatory risks related to Data Privacy and Information Governance are communicated to senior management within HSBC in a timely and concise manner.

Impact on the Business

  • Maintain, support and review procedures to enable customers to exercise their individual rights.
  • Under direction of Chief Risk Officer or regional Data Privacy lead provide SME advice related to Data Privacy and Information Governance, including matters that are complex or have potential for significant legal, financial and / or reputational impact.
  • Ensure the company delivers on day-to-day operations through engagement with the Risk Steward, such as the fulfilment of DSARs and DPIAs.
  • Maintain responsibility, as directed by the Chief Risk Officer, for the execution of business and operational strategies related to DPO activities within jurisdiction.
  • Provide advice relating to Data Privacy and Information Governance issues involving the relevant jurisdiction, with a particular focus on, and responsibility for, DPO activities including developing strategies to respond to changes in law and regulation.

Typical Targets and Measures

  • Compliance with regulatory requirements.
  • Positive customer and stakeholder feedback.
  • Effective management and engagement with data process owners and Chief Risk Officer.
  • Timely and proactive guidance and support provided to key stakeholders on the management of personal data.

Customers / Stakeholders

  • Act as the leading point of contact for the local Data Protection Authority (DPA) and regulators as appropriate and cooperate with any requests from the DPA.
  • Act as an escalation point for personal data breaches.
  • Work closely with Data and Architecture Office (DAO) and Information Security to ensure appropriate security measures are in place to protect personal data and ensure that Information Security and data protection policies and procedures are aligned.
  • Ensure senior management are appropriately advised of developments relating to Data Privacy.

Typical Targets and Measures

  • Policies and procedures related to DPO activities are in place and communicated within HSBC and controls are established to ensure such policies are being complied with across HSBC.

Leadership & Teamwork

  • Clearly communicate functional strategy requirements and performance management expectations.
  • Maintain and develop positive and professional working relationships with business managers, Chief Risk Officer, ORR (Risk Stewards) and Legal function.
  • Lead, manage, review, guide and support staff that report to the jobholder where applicable.

Typical Targets and Measures

  • Close working relationships maintained with Chief Risk Officer, Risk Stewards, the HSBC DPO network and local Legal Function teams.
  • Regular reports and meetings held with business managers and local Legal function management to update them on developments related to DPO activities.
  • Performance measures are established, staff engagement scores and annual appraisals reviewed, succession plans and training plans in place.

Operational Effectiveness & Control

  • Assist the Chief Risk Officer in monitoring the effectiveness of HSBC's management of risks relating to Data Privacy and Information Governance within jurisdiction.
  • Assist the Chief Risk Officer in monitoring the implementation of risk management policies and controls relating to Data Privacy and Information Governance.
  • Assist the Chief Risk Officer in maintaining HSBC internal control standards, including the timely implementation of internal and external audit points together with any issues raised by external auditors.

Typical Targets and Measures

  • A framework is in place for the effective management of risks relating to Data Privacy and Information Governance and related to DPO activities within HSBC.
  • Effective risk management processes relating to Data Privacy and Information Governance and related to DPO activities within HSBC and FIM requirements are being met as evidenced by regular reviews and audit reports.
  • Measurements, reporting and review mechanisms are in place to assess operations related to Data Privacy and Information Governance and related to DPO activities within HSBC.

Major Challenges

  • HSBC is an extremely diverse business. Such diversity is in an increasingly regulated and complex global environment with almost no consistency between laws and regulations in different jurisdictions. It is the role of the DPO to help ensure that the rights and freedoms of data subjects, concerning the processing of their personal data, continue to be respected to ensure that the interests of HSBC are protected in an appropriate manner; being alive to the political, management, legal, regulatory and reputational implications of decisions and courses of action at a regional level; assisting the Chief Risk Officer and other HSBC Executives in the development of controls and systems and influencing the way in which the business is conducted in order to manage these risks.

The role requires a strong ability to:

  • Adapt workstyle to meet complex and varied workloads
  • Maintain knowledge of HSBC Group operations and policies
  • Engender support of senior executives, some of whom will have competing priorities
  • Think independently and provide advice that strikes an appropriate balance between management and mitigation of data privacy risk, business efficacy, and the potential risks and impacts for data subjects
  • See the “bigger picture” and understand the interrelationships between a range of complex issues and the impact of those issues from a regulatory, financial and reputational perspective
  • Adapt communication style and content to appropriately address management level of the audience
  • Distil and communicate complex ideas in an understandable manner assisting the business to make difficult decisions
  • Be seen as a role model by business stakeholders and colleagues, leading by example

Role Context:

  • The diversity of HSBC’s business, and the constant changes internally and externally means the volume, complexity and diversity of matters, including confidential and commercially sensitive matters, which the jobholder is required to manage and advise on is very large and increasingly complex.
  • The role requires a detailed knowledge of HSBC's operation in the jurisdiction and an understanding of its culture. It is essential that the jobholder has a very good working relationship with, and is trusted by, executive management, and also has the cooperation of the Legal Function.
  • Role holder will be expected to work largely autonomously, but seek management input on unusual situations, highly complex issues, and matters that may pose significant legal, financial and / or reputational risk to the company.

Management of Risk

  • The jobholder is responsible for ensuring that (i) Data Privacy risks in their jurisdiction are clearly identified and policies and procedures are in place for managing those risks in compliance with “GDPR” or equivalent legislation, and in accordance with the Group Standards Manual and the Legal FIM; and (ii) the Chief Risk Officer team assists local business departments in managing the risks associated with the Data Privacy initiatives they are undertaking.

Observation of Internal Controls

  • The jobholder is an “insider” for dealing purposes and subject to strict controls and confidentiality.
  • Maintain HSBC internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators.

Requirements

What you will need to succeed in the role:

  • Comprehensive knowledge and experience of Data Privacy and Information Governance and a working knowledge of the laws in the jurisdiction in which the role operates.
  • Recognized as a subject matter expert.
  • A relevant data protection or privacy certification such as CIPP (preferred).
  • Corporate experience and Compliance experience an advantage, but not essential.
  • Detailed knowledge of the HSBC Group corporate structures, its business and personnel and a clear understanding of HSBC’s corporate culture.
  • Strong ability to prioritize.
  • Strong communication and inter-personal skills.
  • Proven ability to establish and maintain a high degree of confidentiality, respect, trust and credibility at all levels.
  • Experience in communicating, interacting and maintaining good working relationships with supervisory authorities.
  • Strong written and verbal communication skills.
  • Well-developed and professional interpersonal skills; ability to interact effectively with people at all organizational levels.
  • Ability to work unsupervised, exercise leadership and influence change.
  • Ability to use independent judgement and discretion when making the majority of decisions.
  • Detail-focused approach needed to recommend and implement strategic improvements on a range of data privacy and data protection issues.

Link to Candidate User Guide:

https://hsbchrdirect.service-now.com/nav_to.do?uri=%2Fhrsp%3Fid%3Dkb_article_preview%26sys_id%3D0c6b11641b6a9810cec0553a2d4bcb2a

Video URL Internal: https://hsbc.mediaspace.eu.kaltura.com/media/World Cultural Day for Diversity/0_47as6uj3

You’ll achieve more at HSBC

HSBC is an equal opportunity employer committed to building a culture where all employees are valued, respected and opinions count. We take pride in providing a workplace that fosters continuous professional development, flexible working, and opportunities to grow within an inclusive and diverse environment. We encourage applications from all suitably qualified persons irrespective of, but not limited to, their gender or genetic information, sexual orientation, ethnicity, religion, social status, medical care leave requirements, political affiliation, people with disabilities, color, national origin, veteran status, etc. We consider all applications based on merit and suitability to the role.

 

Personal data held by the Bank relating to employment applications will be used in accordance with our Privacy Statement, which is available on our website.

***Issued By HSBC Electronic Data Processing (India) Private LTD***

Recruiter Name
Geetika Gupta
Recruiter Email
geetika.gupta@hsbc.co.in