Data Protection Officer

Apps Associates
3 hours ago
Full-time
On-site
United States
The Data Protection Officer (DPO) leads the organization’s global privacy and data protection program and serves as the primary authority on compliance with applicable data protection laws and regulations, including GDPR, CCPA/CPRA and other local and global frameworks.

The DPO is responsible for advising the organization on its legal obligations, monitoring compliance, and fostering a strong data protection culture across approximately 1,200 employees and subcontractors operating in a global professional services environment.

The DPO operates with independence, integrity, and authority, acting as the primary contact for supervisory authorities, data subjects, customers, and internal stakeholders.


Scope, Purpose, and Nature of Role

The DPO takes the lead on all privacy matters across the organization and is ultimately accountable for the adequacy and effectiveness of the organization’s privacy framework, including governance, policies, controls, and regulatory compliance.

The role requires both strategic oversight and operational involvement, ensuring privacy principles are embedded into business processes, customer engagements, and technology systems.


Key Responsibilities

1. Regulatory Compliance & Advisory

  • Inform, advise, and issue recommendations to the organization regarding obligations under global data protection laws (GDPR, CCPA/CPRA, etc.).
  • Monitor compliance with applicable regulations and internal policies.
  • Track regulatory developments and translate them into operational business processes.
  • Act as the primary point of contact with supervisory authorities and regulators.

2. Data Protection Program Leadership

  • Develop, implement, and maintain a global data protection program commensurate with the sensitivity, complexity, and volume of data processed.
  • Implement the technical and organizational systems needed to support the data privacy program.
  • Foster a strong data protection culture across all business units.
  • Promote and enforce principles such as:
    • Lawful, fair, and transparent processing
    • Data minimization and purpose limitation
    • Privacy by design and by default
    • Security of processing
    • Accountability and governance

3. Risk Management & Assessments

  • Provide advice and participate in Data Protection Impact Assessments (DPIAs/PIAs).
  • Define methodologies and oversee execution of DPIAs/PIAs.
  • Evaluate whether assessments are properly conducted and compliant.
  • Recommend appropriate technical and organizational safeguards to mitigate risk.
  • Conduct privacy risk assessments across operations, including client engagements.

4. Data Governance & Records

  • Maintain and oversee Records of Processing Activities (RoPA).
  • Ensure documentation of decisions made in alignment with or contrary to DPO advice.
  • Evaluate and monitor data processing activities across the organization.

5. Incident Response & Breach Management

  • Provide consultation and oversight during data breaches or privacy incidents.
  • Ensure compliance with breach notification and communication requirements.
  • Collaborate with security teams on incident response involving personal data.

6. Data Subject Rights Management

  • Oversee processes to ensure timely handling of data subject requests.
  • Ensure compliance with legal response timelines and obligations.
  • Act as a point of contact for data subjects globally.

7. Vendor & Subcontractor Oversight

  • Ensure appropriate data protection agreements are in place.
  • Liaise with third-party processors and controllers.
  • Evaluate third-party data protection posture and compliance.

8. Training & Awareness

  • Develop and deliver privacy training programs for employees and subcontractors.
  • Promote awareness and accountability across the organization.
  • Ensure ongoing education aligned with evolving regulatory requirements.

9. Cross-Functional Collaboration

  • Partner with Security, Audit, Legal, Contracts, IT, HR, project managers and business leaders to embed privacy into delivery and operations.
  • Review and redline privacy language in all customer, vendor, and subcontractor agreements.
  • Participate in strategic initiatives to ensure privacy-by-design implementation.
  • Participate in various audit activities.


Expertise & Professional Qualities

  • Deep expertise in global data protection laws, including GDPR, CCPA/CPRA, LGPD, and related frameworks.
  • Proven experience managing data protection programs aligned with organizational risk and scale.
  • Strong understanding of IT systems, data processing operations, and information security practices.
  • Familiarity with privacy risk assessments, certifications, and audit frameworks (e.g., SOC 2, ISO 27001).
  • Ability to handle highly sensitive information with discretion and confidentiality.
  • Ability to perform professionally under pressure and during stressful situations.
  • Knowledge of the professional services industry and operational data flows.
  • Demonstrated leadership and project management experience.
  • Ability to communicate effectively with:
    • Executive leadership and decision-makers
    • Customer leadership and delivery management
    • Data subjects and regulators
    • Cross-border stakeholders across cultures
    • Vendors and subcontractors
  • High degree of integrity, ethics, and professional judgment.
  • Self-awareness to identify knowledge gaps and proactively address them.