Data Protection Officer

JOB PURPOSE

The Data Protection Officer (DPO) has the responsibility to monitor compliance and data practices to ensure that the organization complies with the applicable legislative requirements under the Data Protection Act (2020). The incumbent is required to ensure compliance with the processing of all personal data utilized by the organization. The incumbent will ensure that all systems, policy and procedures comply with all relevant data privacy and protection law, regulation and policy (including the retention and destruction of data). The DPO will also serve as the primary contact for data subjects and with the Office of the Information Commissioner. 

The DPO will be expected to guide the Authority through the introduction and the implementation of its data protection programme. Both legal knowledge and technical fluency are required as this role will work closely with staff across all functional areas. 

KEY OUTPUTS

• Data Protection/Privacy Governance Frameworks and strategies developed, managed and implemented; 
• Authority’s compliance with Data Protection Laws monitored; 
• Technical guidance on data protection provision provided; 
• Data Protection impact assessment conducted; 
• Records of Processing Activity created, maintained and updated: 
• Data protection breached reported; 
• Systems and procedures monitored; 
• Data protection plan developed and periodic reviews conducted; 
• Reports prepared and submitted. 

KEY RESPONSIBILITY AREAS

Technical & Professional Duties 

• Provides technical guidance and support to Tax Administration Jamaica (TAJ) through the introduction and the implementation of its data protection programme;
• Formulates all necessary documentation including but not limited to impact assessments, to ensure the organization’s compliance with the requirements of the Data Protection Act; 
• Conducts and monitors Data Protection Impact Assessments (DPIAs) organization wide to identify and mitigate risk factors in the data protection process; 
• Generates annual Data Protection Impact Assessment (DPIA) report for submission to the Office of the Information Commissioner (OIC); 
• Implements strategies and a privacy governance framework to manage data processed in compliance with the Data Protection Act and all relevant data protection legislation; 
• Informs and advises the data controller and the employees who are processing personal data of their obligations pursuant to the relevant Data Protection laws and regulations; 
• Collaborates with respective Branch Heads in the maintenance of a data security incident management plan to ensure timely remediation of incidents including impact assessments, security breach responses, complaints, claims or notifications; 
• Collaborates with internal and external Information Security functionaries in the development and implementation of procedures and systems to maintain records of all data assets and management of data security incidents; 
• Provides overall management for the research, development, and implementation of Data Protection policies and procedures for the organization; 
• Makes recommendation for the organization to reform its Systems (specifically ICT and Operations) and procedures to ensure compliance with the Data Protection Act, relevant Regulations and any other relevant laws, statutes or policies; 
• Ensures that internal SOPs and policies are aligned with standards outlined in the Data Protection Act; 
• Ensures that the Authority’s role as a Data Controller operates within the ambit of the Jamaica Data Protection Act (JDPA) by adhering to the 8 standards that govern data management and privacy; 
• Creates a data protection plan and conducts periodic reviews to ensure compliance with domestic and international standard; 
• Provides strategic, legal and regulatory guidance to the Executive, Senior Management and any other functional lead on privacy and data protection issues, laws and trends; 
• Serves as the primary point of contact for the Office of the Information Commissioner on all data protection matters; 
• Collaborates with Enterprise Risk, Internal Audit, Legal and other key stakeholders to monitor, implement and analyze compliance programmes with respect to data privacy: 
• Establishes and implements a process for receiving, documenting, tracking, investigating and taking action on all complaints concerning the TAJ’s privacy policies and procedures; 
• Receives and responds to comments and queries from data subjects related to the processing of personal data; 
• Develops and maintains a database that captures request details of all processing activities; 
• Creates, maintains and updates Record of Processing Activity (ROPA) on all personal data processes carried out by the TAJ; 
• Provides guidance and assistance to data subjects in exercising their rights under the Data Protection Act; 
• Provides technical guidance and advice to TAJ on its obligations under the Act and Data Protection Regulations; 
• Conducts data protection impact assessments by applying data quality controls as prescribed in the Data Governance Framework to determine compliance with regulatory requirements; 
• Keeps abreast of amendments to policies, procedures and legislation and any pertinent developments with respect to data protection;
• Monitors and evaluates the organization’s efforts at corrective actions to ensure that findings and recommendations with respect to data protection matters are effectively addressed and documented; 
• Assumes the role of the main liaison officer for the Authority on all data protection policies and issues; 
• Collaborates with the Human Resource Development Section to facilitate the training of TAJ staff and all relevant stakeholders on the components of the Act, Regulations and policies; 
• Collaborates with respective stakeholders to establish and maintain a data protection and privacy culture within TAJ; 
• Liaises with and reports any allegation of breaches of the data protection standards or any provisions of the Data Protection Act to the Office of the Information Commissioner; 
• Consults with the Office of the Information Commissioner to resolve any doubt about how the provisions of the Data Protection Act and any Regulations made thereunder are to be applied; 
• Identifies and supports risk management in relation to Data Protection within the Authority. 
• Prepares and submits reports as required; 
• Performs any other related duties that may be assigned by the DCG, Legal Support. 

PERFORMANCE STANDARDS

This job is satisfactorily performed when: 

• Data Protection/Privacy Governance Frameworks and strategies developed, managed and implemented in keeping with agreed timelines;
• Technical guidance on data protection provision provided according to the Data Protection Act; 
• Data Protection impact assessment conducted in accordance of Governance Framework;
• Data protection breached reported to key stakeholders within established timelines and in keeping with the Data Protection Act; 
• Records of Processing Activity created, maintained and updated in keeping with the Data Protection Act; 
• Compliance with Data Protection Laws monitored in accordance with the Data Protection Act; 
• Systems and procedures monitored in keeping with established guidelines and timeframe;
• Data protection plan developed and periodic reviews conducted in accordance to Data Protection and Privacy Governance Frameworks; 
• Reports prepared and submitted within agreed timeframe and established standards. 

AUTHORITY TO:

• Recommend/Implement (where mandated) new measures and procedures to enhance the TAJ’s strategic and technical capabilities; 
• Monitor internal compliance and advise on data protection obligations; 
• Make recommendations to enhance TAJ’s Privacy Management framework to strengthen the entity's institutional capacity. 

REQUIRED COMPETENCIES

Specific Knowledge 

• Expert knowledge of the Data Protection Act, Regulations and practices;
• Expert knowledge of auditing techniques and practices; 
• Working knowledge of the functions and operations of Tax Administration Jamaica;
• Sound knowledge and understanding of GOJ policies and programmes; 
• Sound knowledge of understanding and interpreting complex legal requirements with regards to data privacy would be an asset. 
• Good knowledge of risk management techniques and strategies; 
• Good knowledge of the development, analysis, revision and implementation of policies, programmes, procedures, guidelines, and legislation; 
• Knowledge of change management principles and practices; 
• Proficiency in the use of the relevant computer applications (e.g.; Microsoft Suite). 

Required Skills and Specialized Techniques 

• Excellent critical thinking, quantitative and qualitative analytical skills;
• Possesses the highest level of confidentiality and integrity; 
• Excellent decision-making, planning and organizing skills; 
• Strong negotiating and persuasive presentation skills; 
• Excellent problem solving and conflict management skills; 
• Strong interpersonal skills/ stakeholder engagement and innovation skills;
• Excellent judgment, communication and analytical skills; 
• Strong environmental scanning, analysis and interpretive skills; 
• Ability to work independently with minimal supervision; 
• Keen attention to details. 

Qualification and Experience 

• Bachelors’ Degree in Law, Computer Science, Management Information System or equivalent qualification from recognized tertiary institution; 
• At least 1 of the listed certification in Data Protection: 
• Certification in Information Security, Data Protection; or 
• Privacy Certification such as: 
  • Certified Information Privacy Professional (CIPP); 
  • Certified Information Privacy Technologist (CIPT); 
  • Certification Information Privacy Manager (CIPM); 
  • Certification from the International Association of Privacy Professionals (IAPP); 
• Paralegal training (where degree is not in Law) would be an asset;
• Three (3) years related work experience. 

WORKING CONDITIONS

• Normal office environment; 
• Work beyond normal office hours and on call;
• Travel (40%).

While we thank all applicants for their interest, only short-listed candidates will be contacted.