
Career141


Data Protection Officer

Summary

Location: Sri Lanka
Work arrangement: On-Site
Salary: LKR (range not published)
Employment type: Full-time
Category: Information Technology


Roles & Responsibilities

Position Overview:

The Data Protection Officer (DPO) will ensure that the entire group (including all business units across various sectors) complies with the Personal Data Protection Act No. 19 of 2022 (PDPA) of Sri Lanka and other applicable data protection laws and regulations. The DPO will develop and oversee the group’s data protection strategies, ensure data governance from an analytics and GRC perspective, and work closely with the CISO on cybersecurity and risk mitigation measures. The DPO will act as the key contact with regulatory authorities and be responsible for ensuring transparency and compliance in all data-related activities.

Key Responsibilities:

Governance and Compliance:

  • Lead the implementation of a comprehensive data governance framework across all business units, ensuring compliance with the PDPA and other relevant data protection laws.
  • Collaborate closely with the CISO to integrate data protection principles into cybersecurity strategies, ensuring both privacy and security of all data.
  • Ensure that the entire group, including all subsidiaries, aligns with data governance, GRC standards, and legal obligations.
  • Ensure that risk management processes are in place and that risks related to data privacy are documented, monitored, and mitigated.

Advisory Role:

  • Advise senior management and business units on data privacy issues related to data analytics, including data anonymization, retention policies, and privacy-enhancing technologies.
  • Provide ongoing guidance and consultation to business units on data protection impact assessments (DPIAs) and privacy-by-design strategies.
  • Work with the legal team to interpret the PDPA and other data protection laws, advising on their application in commercial transactions, partnerships, and customer-facing initiatives.

Policy Development & Implementation:

  • Develop and implement data protection policies that cover the entire organization, from analytics and data use to personal data processing, across all subsidiaries and sectors.
  • Ensure these policies meet the PDPA requirements and, where a business unit is also subject to an international regime, adhere to that framework as well (e.g., GDPR for Hemas Pharma).
  • Regularly review and update data protection policies to reflect changes in laws, technology, and organizational practices.

Data Breach Management and Incident Response:

  • Work closely with the CISO to ensure that appropriate measures and controls are in place to manage and report any personal data breaches within the stipulated time frames under the PDPA and other global frameworks.
  • Lead the incident response team in investigating any data breaches, ensuring timely notification to regulators and affected individuals as per legal requirements.

Data Governance and Analytics:

  • Oversee the governance of personal data from an analytics perspective, ensuring that data is properly classified, anonymized, and used in compliance with applicable laws.
  • Lead efforts to ensure that the organization’s use of data for analytical purposes is compliant with privacy regulations and that insights are derived responsibly.

Policy Review & Privacy by Design:

  • Draft, implement, and regularly review data protection policies, procedures, and guidelines to ensure the Group meets compliance requirements under the PDPA and applicable international standards.
  • Ensure data protection principles are integrated into new projects, products, and services from the design phase, adhering to the concept of privacy by design and by default.

Data Subject Rights Management:

  • Ensure processes are in place for data subject rights under the PDPA, including requests for access, rectification, deletion, and portability.
  • Develop efficient workflows to handle these requests within regulated timeframes and ensure data accuracy and transparency throughout the group.

Vendor and Third-Party Management:

  • Assess and monitor third-party vendors’ compliance with the PDPA and other data protection regulations, ensuring that data handling agreements are in place for all external service providers.
  • Coordinate with risk and audit teams to ensure ongoing monitoring of vendor performance and compliance.

Collaboration on Cybersecurity & Analytics:

  • Collaborate with the CISO to address cyber risks related to data, focusing on encryption, access control, and secure data storage.
  • Take responsibility for data governance from an analytics perspective, ensuring ethical and secure data use across the group’s operations, including marketing, R&D, and customer engagement analytics.

Training and Awareness:

  • Lead ongoing training and awareness programs for employees across all sectors on data protection, privacy best practices, and the PDPA.
  • Ensure that all relevant staff members understand their roles and responsibilities in maintaining data protection compliance.

Reporting and Auditing:

  • Continuously monitor the group’s data processing activities and report regularly to the senior management on compliance status, highlighting risks, breaches, and improvements.
  • Work closely with internal and external auditors to ensure that the group remains compliant with the PDPA and relevant global standards, preparing for periodic audits as needed.

Liaison with Regulatory Authorities:

  • Serve as the primary point of contact with the Data Protection Authority of Sri Lanka, ensuring the Group complies with all regulatory requirements and directives.
  • Ensure that data subjects’ rights (access, rectification, erasure, etc.) are upheld in compliance with the PDPA and that requests are responded to within regulated timeframes.

Prerequisites

Education:

  • Bachelor’s degree in Law, Information Security, Data Governance, or Information Technology.
  • A Master’s degree in any of the above fields is highly preferred.
  • Recognized certification in Data Protection (e.g., CIPP/E, CIPM), Information Security, or GRC will be an advantage.

Experience:

  • 5+ years of experience in data protection, legal compliance, information security, or data governance.
  • Familiarity with the Personal Data Protection Act (PDPA) of Sri Lanka and other international data protection frameworks (e.g., GDPR).
  • Experience in cybersecurity, data governance, and compliance matters within a corporate environment, preferably in a regulated industry such as finance, healthcare, or telecommunications.
  • Experience working with cross-functional teams (legal, IT, compliance, and analytics) to ensure adherence to data protection standards.
