GRC & Data Privacy Analyst

Hugohub
3 hours ago
Full-time
On-site
Hyderabad, Telangana, India
Analyst

Role Overview

We are seeking a detail-oriented GRC & Data Privacy Analyst to join our security team. In this role, you will be responsible for maintaining our integrated risk management framework while taking a lead role in implementing and auditing our data privacy program. You will ensure that our operations remain compliant with global regulations (GDPR, PDPA, etc.) while identifying and mitigating risks across the organization.

Key Responsibilities

Governance & Risk Management

  • Framework Alignment: Maintain and mature the organization’s security framework (e.g., ISO 27001, SOC 2 and Singapore MAS).

  • Risk Assessments: Conduct annual and project-based risk assessments; maintain the Corporate Risk Register and track remediation efforts.

  • Policy Management: Draft, review, and update internal security policies and standards to ensure they reflect current business processes.

  • Third-Party Risk Management (TPRM): Evaluate the security posture of vendors and partners through assessments and due diligence reviews.

Data Privacy Implementation

  • Privacy Impact Assessments (PIAs/DPIAs): Lead the evaluation of new products or processes to ensure "Privacy by Design" is integrated into the development lifecycle.

  • Data Mapping: Maintain a comprehensive record of processing activities (ROPA) and data flow diagrams.

  • Privacy Operations: Manage the Data Subject Access Request (DSAR) process and coordinate responses to privacy-related inquiries.

  • Compliance Monitoring: Monitor changes in global privacy laws and translate them into actionable technical or procedural requirements for the IT and Product teams.

Compliance & Auditing

  • Internal Audits: Perform regular control testing to ensure ongoing compliance with internal policies and external regulations.

  • External Audit Liaison: Serve as the primary point of contact for external auditors during certification cycles.

  • Awareness Training: Develop and deliver training content on security best practices and data handling requirements for all employees.

Required Qualifications

  • Experience: 8–10 years in GRC, Information Security, or IT Audit, with at least 2–4 years specifically focused on Data Privacy.

  • Certifications (Preferred): CISA, CRISC, or CISM.

  • Technical Skills: Familiarity with GRC tools (Sprinto) and a solid understanding of cloud security (AWS).

  • Regulatory Knowledge: Deep understanding of GDPR, PDPA, and industry standards such as ISO 27001, SOC 2 and Singapore MAS.

Soft Skills for Success

  • The "Translator" Ability: Can explain complex legal requirements to developers and technical risks to executives.

  • Analytical Rigor: A passion for documentation and a "trust but verify" mindset.

  • Adaptability: Comfortable navigating the gray areas of emerging privacy legislation.