Data Protection Controller & Operational Risk Analyst

Job Details

BNP Paribas is a leading European bank with an international reach. It has a presence in 72 countries, with more than 202,000 employees - including more than 154,000 in Europe and over 5,000 in Portugal alone.
BNP Paribas is present in Portugal since 1985, having been one of the first foreign banks to operate in the country. Today, BNP Paribas has several entities operating directly in this territory, offering a wide range of integrated financial solutions to support its clients and their businesses.
Worldwide, the Group has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. The Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporate and institutional clients) to realise their projects through solutions spanning financing, investment, savings and protection insurance.

BNPP Group Personal Data Protection framework, defined to respond to the new General Regulation on Data Protection - GDPR coming into effect on 25 May 2018, relies on the accountability of teams within BNPP entities and territories in their processing of Personal Data (customer, employees, UBOs, representatives of corporate, vendors, etc.).
The 1st Line of Defence (Business, IT and CDO) has the responsibility to embed data protection regulations and Group policies and guidelines in the internal organization and processes within its perimeter (e.g. privacy by design, PIA, security measures, etc.).
DPC is positioned in the 2nd line of Defence (within RISK function), and will be responsible for the scope outlined under his/her responsibility. The DPC must assist the relevant DPO in supervising the compliance with data protection regulations and Group policies and guidelines, ensuring second level controls and giving the necessary guidance to support the 1st Line of Defence.
In order to ensure consistency with the Group's management structure, a DPC is positioned at Entity level. He/she will report to Data Protection Officer (DPO) of the relevant Business Line.

A DPC will be appointed with the following key direct responsibilities within his / her scope:
1. Communication with external stakeholders, Data Protection Authorities and data subjects:
Support the DPO by preparing the communication;

Participate in exchanges with the relevant DPA and cooperate with the DPA, based on DPO's instructions.

2. Matters related to organization and framework related to personal data protection within his / her scope:
A. Contribute to the monitoring of the regulatory landscape on data protection regulations and the relevant communication performed by LEGAL.

B. Participate in committees on / in relation to personal data protection at local level

C. Cooperate with the Country DPO

D. Assist the DPO in overseeing and supervising the overall personal data protection framework on the following topics:

Review and advise on implementation of Group policies and guidelines on Personal Data Protection and monitor consistency in their implementation (Consent collection process, cross border transfers, management of retention or personal data obsolescence)

Review and advise on implementation of Privacy by design principles from the design stage and during the life-cycle of all projects, products, services, activities, processes and systems

Provide advice on Privacy Impact Assessments (PIA) (e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate risks to the rights and interests of individuals) and monitor that PIAs are performed correctly

Review and advise on implementation of Personal Data Security principles and management of personal data breaches

Monitor the local implementation of Group security strategy in line with Personal Data Protection regulatory requirements

Contribute to risk evaluation when a personal data breach has occurred, to ensure in a timely manner that:

Appropriate safeguards (technical and organizational) are set-up to mitigate any risks to the rights and interests of the data subjects

Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. high management, Data Protection Authorities, data subjects)

Oversee the Reporting of personal data breaches to the DPA

Support the relevant DPO to oversee the Records of processing activities ("Register")

Review and advise on rules regarding record of processing activities ("Register")

Monitor that the record of processing activities ("Register") is kept up to date and filed under the responsibility of the controller / processor, in line with defined rules

Support the build and implementation of an awareness program

Contribute to the promotion of a data protection culture within his/her scope of responsibility

Check that trainings to the employees involved in processing activities are sufficient and provided on a periodic basis to maintain data protection awareness

E. Help the relevant DPO to operate the second level controls and independent testing of the personal data protection framework, to ensure compliance with personal data protection legislation and internal policies and guidelines:
Perform risk-based second level of controls on processes related to personal data protection

Assess effectiveness of the 1st Line of Defence (business and IT) controls on Personal Data Protection based on Generic Control Plans defined by the Group

This will involve 2LoD control testing against GDPR requirements for: personal data processed across the organization; high-risk activities, new products and activities which involve personal data; and testing of IT systems in addition to testing of business operations
Prepare independent reporting and inform the DPO on critical points to be escalated to Senior Management

Confidentiality obligation
The DPC will be bound by secrecy or confidentiality concerning the performance of his/her tasks, in accordance with applicable laws.


6+ years' experience, with significant knowledge and experience in Data Protection/Privacy and the banking sector

Knowledge of internal organization and processes

Understanding of data processing operations, including business applications and data use

Experience in project management and change management

Experience in transversal management and working

Experience in interacting with regulators (will be a plus)

Experience of managing compliance programs on regulatory requirements

Strong knowledge and interest in Information Technology, digital and new technologies and understanding of information security controls and principles

Behavior and soft skills

DPC should demonstrate:
Independency, objectivity and integrity

Excellent writing and communication skills - allowing him/her to act as a communicator across the bank, on behalf of the DPO

Ability to lead, engage and work transversally on behalf of the DPO

Ability to develop teams' knowledge on data protection and privacy

Fluent in English (mandatory) and in the national language (the language of the country where the DPC operates)

Demonstrating a high level of commitment and self-motivation, combined with enthusiasm and a genuine interest, in order to be a successful DPC

Be a role model, supporting and fostering a culture of good conduct

Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks

Consider the implications of your actions on colleagues, partners and clients before making decisions

Take responsibility for your team's conduct and conduct risks.

Qualification on Data Privacy is highly appreciated. He/she will be required to enrich his/her competencies with additional professional qualifications relevant to Data Protection, such as:
IAPP Information Privacy Professional/Europe (CIPP/E) or Certified Information Privacy Professional/ IT (CIPP/IT)

Certified Information Privacy Manager (CIPM)

Practitioner Certificate in Data Protection (PC.dp)

Fellow of Information Privacy (FIP)

ISEB Data Protection

or equivalent data privacy qualification

Please note that only applications submitted in English will be considered.
In case you are selected for this role, further documentation will be requested to support your hiring process.

BNP Paribas is an equal opportunity employer and proud to provide equal employment opportunity to all job seekers. We are actively committed to ensuring that no individual is discriminated against on the grounds of age, disability, gender reassignment, marriage or civil partnership status, pregnancy and maternity, race, religion or belief, sex or sexual orientation. Equity and diversity are at the core of our recruitment policy because we believe that they foster creativity and efficiency which in turn increase performance and productivity. We strive to reflect the society we live in, while keeping with the image of our clients.
