GRC & Data Privacy Analyst

We are looking for a detail-focused GRC & Data Privacy Analyst to become a member of our security team. In this position, you will oversee the upkeep of our integrated risk management framework and play a key role in executing and auditing our data privacy program. You will ensure that our operations comply with international regulations (such as GDPR, PDPA, etc.) while identifying and addressing risks throughout the organization.

Key Responsibilities

Governance & Risk Management

• Framework Alignment: Oversee and enhance the organization’s security framework, including standards such as ISO 27001, SOC 2, and Singapore MAS.
• Risk Assessments: Perform annual and project-specific risk assessments; maintain the Corporate Risk Register and monitor remediation activities.
• Policy Management: Create, review, and update internal security policies and standards to ensure they accurately represent current business practices.
• Third-Party Risk Management (TPRM): Assess the security posture of vendors and partners through thorough assessments and due diligence processes.

Data Privacy Implementation

• Privacy Impact Assessments (PIAs/DPIAs): Lead evaluations of new products or processes to ensure "Privacy by Design" is embedded within the development lifecycle.
• Data Mapping: Maintain detailed records of processing activities (ROPA) and create data flow diagrams.
• Privacy Operations: Oversee the Data Subject Access Request (DSAR) process and manage responses to privacy-related inquiries.
• Compliance Monitoring: Keep track of global privacy law changes and translate these into actionable technical or procedural requirements for IT and Product teams.

Compliance & Auditing

• Internal Audits: Conduct regular control testing to confirm ongoing adherence to internal policies and external regulations.
• External Audit Liaison: Act as the main contact for external auditors throughout certification cycles.
• Awareness Training: Design and deliver training programs on security best practices and data handling protocols for all employees.

Required Qualifications

• Experience: 4 to 6 years in GRC, Information Security, or IT Audit, with a minimum of 1 to 2 years focused specifically on Data Privacy.
• Certifications (Preferred): CISA, CRISC, or CISM.
• Technical Skills: Proficiency with GRC tools like Sprinto and a strong understanding of cloud security platforms such as AWS.
• Regulatory Knowledge: Comprehensive knowledge of GDPR, PDPA, and standards including ISO 27001, SOC 2, and Singapore MAS.

Soft Skills for Success

• The "Translator" Ability: Skilled at interpreting complex legal requirements for developers and conveying technical risks to executives.
• Analytical Rigor: Detail-oriented with a passion for documentation and a "trust but verify" approach.
• Adaptability: Comfortable operating within the uncertainties of evolving privacy legislation.

Must-have skills

ISO 27001

GRC

Good-to-have skills

Information Security

General Data Protection Regulation - GDPR