DATA PROTECTION OFFICER (DPO) 191 views1 applications

JOB DESCRIPTION

General:

The DPO ensures that MSF WACA is compliant with the legal framework applicable to data protection as intended by the GDPR and the local regulations of the countries where MSF WACA works.

Under the supervision of the Deputy Executive Director and in functional connection with the Administration and Compliance, he/she shall:**

1. Manage Data Protection Compliance and Mainstreaming

• Develop, implement and enforce a suitable and relevant data protection policy and ensure it is reviewed on an annual basis. This will initially involve identifying the gaps between the current state of data protection within MSF WACA and the requirements of the GDPR, setting out a roadmap (based on the MSF Baseline Framework and on priority identified risks) for achieving acceptable levels of data protection across the Organization, and developing a system to prevent or deal with violations of legal guidelines and internal policies.
• Establish a formal Data Protection Committee tasked with ensuring ongoing oversight of all data protection requirements. This should have a formal term of reference and be sponsored by a member of the Management Team (CoDir).
• Utilize the Data protection Software “OneTrust” to support the development of the data protection system.
• Update procedures and internal guidance where necessary relating to the processing of personal information.
• Act as the contact point for the national Data Protection Authorities. This should include collating information which may be requested in the course of any investigation or enforcement action. The DPO will also be responsible for maintaining a log of all such requests and producing summary reports as required.
• Maintain a register documenting all personal information processing activities within MSF WACA. Define and maintain information flow maps within the MSF WACA, and between the MSF WACA and its third-party partners, both within the Movement and externally. Liaise with the IT Security Manager to establish and maintain a register of information owners for sets of information (e.g. paper files, databases) and educate the information owners on their responsibilities (what is the data, how is it used, who has access to it).
• Manage all data protection incidents, including notification of Data Protection Authorities and relevant individuals as required, ensuring corrective action is taken to mitigate the incident, provide recommendations to avoid the occurrence of similar incidents and maintain and incident log.
• Develop or advise on the development of new policies and/or best practice with regard to data sharing internally between departments, within the MSF Movement between Sections or with external third parties, and sit on relevant working groups, platforms and other forums to represent MSF WACA as appropriate.
• Ensure that data protection impact assessments are performed when appropriate (e.g. major system or product developments etc.). Advise those performing such impact assessments as necessary.
• Inform the Data Protection Committee of any risks identified in the day-to-day handling of personal data within MSF WACA, including risks stemming from failure to abide by relevant policies or recommendations made by the DPO.
• Establish and maintain full data protection documentation for the purposes of abiding by the principle of accountability under the GDPR and ensure that such documentation is accessible by the relevant Data Protection Authority as required.
• Consult internally and with the wider MSF movement to consider and develop an action plan for how privacy by design and default can be mainstreamed within MSF WACA, to enable the organization to move from a culture of compliance to positive mainstreaming of data protection as a humanitarian right.

2. Monitor Data Protection Compliance and Mainstreaming

• Develop and implement a procedure for regular reviewing of compliance with relevant legislation and related organizational policies, doing so in a fully independent manner. The reviews should include third-party data processors used by MSF WACA.
• Highlight and develop solutions for any issues relating to the fair obtaining, use and storage of personal data, information quality and integrity, technical and organizational security.
• Liaise with the team in charge of internal auditing to ensure that personal data processing is included as appropriate within the annual audit programme. Occasional participation in or assistance with internal audits may be required.
• Act as the contact point for the International GDPR Steering Committee responsible for monitoring the overall compliance of the MSF Movement, providing updates on the status of MSF WACA as requested, and participate in the intersectional international taskforce and discussions regarding such compliance.
• Provide comprehensive annual reports on MSF WACA’s data protection compliance, training and awareness to the Data Protection Committee.

3. Training & Awareness

• Provide advice and training to staff and managers to raise awareness and understanding about their responsibilities regarding data protection and other associated legislation or good practice.
• Develop and implement a strategy to ensure that data protection mainstreaming is part of the culture within MSF WACA and is understood as an opportunity rather than just a constraint.
• Liaise with the IT Security Manager (or equivalent) to develop and implement a data protection awareness and training programme.
• Maintain and update own knowledge of developments in data protection issues, information management and related legislation.
• Be a resource for all employees by providing expert advice on related law and other relevant issues.
• Ensure written information on data protection is available for provision to customers and employees, including appropriate privacy notices etc.
• Provide a consultancy service for all departments, including liaison, assessing problems, queries, procedures and practices and take responsibility for advice given.
• Continue to keep abreast of developments in the field of data protection by attending appropriate conferences and continuing personal development, as necessary. Keep the Data Protection Committee informed of new developments and make recommendations for changes to policies and procedures where appropriate

JOB PROFILE

Education / Qualification / Pre-requisites

· Relevant academic degree or equivalent significant experience within the area (IT, law, audit, risk analysis, compliance, project management, change management, policy development, governance, mainstreaming change).

Competencies / Skills

· A good understanding of Privacy Law, Information Technology, and Project/Change Management.

· Genuine interest in and commitment to the humanitarian principles of MSF.

· Strong communication skills and the ability to explain complex matters in simple terms

· Ability to audit data management systems.

· Ability to exercise professional judgement in the processing of requests for various types of information from various sources, manage the collection of the relevant information and produce a professional response within the requirements of the relevant legislation.

· Able to communicate effectively with people at all levels both inside and outside the Organisation, including strong written communication skills.

· Confidence in providing advice to staff at all levels across the Organisation and to take and defend a minority position where necessary.

· Ability to develop and deliver guidance, advice and training to staff about their responsibilities regarding data protection.

· Desirable: a comprehensive understanding of MSF field activities and of the MSF Movement: its systems, structure, stakeholders and culture.

Aptitudes – Soft skills

· Ability to work in a multi-cultural environment as part of a team in a stressful environment, possessing maturity, patience and understanding.

· Tact, diplomacy, and tenacity as well as the ability to build and maintain a strong network within the MSF Movement.

· Probity, objectivity, autonomy, impartiality, and the ability to make and defend decisions in a fully independent manner.

· A commitment to advancing Equality, Diversity, and Inclusion (EDI) across the MSF Movement, and an understanding of how privacy and EDI mainstreaming can be aligned under a common humanitarian rights framework in MSF.

· Sufficient IT knowledge and understanding in terms of data storage, retrieval, and information security. The DPO will be required to discuss requirements and solutions confidently with IT staff and to be able to think critically about such questions.

Professional experience required

· At least 5 years of significant relevant experience in a similar role within an organisation of similar size and structure and with numerous cross-border data flows.

· Expertise in designing and implementing data protection compliance.

· Applied knowledge in project management.

· Experience within an organisation that treats special categories of data such as medical data.

· Expert knowledge of the GDPR and other relevant applicable law, including that relating to NGOs and organisations processing medical data, as well as of current and best practices in the field of data protection.

· A comprehensive understanding of the practical application of relevant legislation (including the GDPR) and official guidance relating to processing of personal data.

Languages skills

· Fluency in spoken and written English and French (desirable)

Computer skills

· Masters the Pack Office

· Masters the data protection Software “OneTrust”

· Good command of Power BI, Share Point and ERP tools/platforms

· Sufficient IT knowledge and understanding in terms of data storage, retrieval, and information security. The DPO will be required to discuss requirements and solutions confidently with IT staff and to be able to think critically about such questions.