Senior Manager, Data Privacy and Regulatory Compliance

Mediclinic Middle East | Dubai

Job Description

MAIN PURPOSE OF THE JOB

To lead the implementation, monitoring, and continuous improvement of data privacy, protection, and regulatory compliance frameworks across Mediclinic Middle East, ensuring alignment with applicable UAE data protection laws, EU GDPR requirements, and organisational governance standards.

The role fulfils the responsibilities of the Data Protection Officer (DPO) and provides strategic oversight, advisory support, and assurance to the business on privacy and compliance matters.

KEY RESPONSIBILITY AREAS

Privacy and Data Protection – Implement, monitor and ensure compliance with and governance of all aspects of the privacy and data protection framework
  • Maintain and improve the data protection framework including policies and procedures to ensure compliance with applicable laws such as UAE PDPL, DIFC DPL, ADGM DPR, EU-GDPR and regulations, policies and standards from healthcare regulators such as ADHICS
  • Monitor legislative and regulatory developments on privacy, data protection and other data and cyber laws and lead the implementation of requirements
  • Establish and participate in appropriate governance structures in a 2nd-line-of-defence role, and align with other relevant governance stakeholders such as Information Security, Legal, Risk and Internal Audit
  • Design, drive and maintain privacy and data protection programs and standards to ensure a consistent practice and a continuous growth of data protection maturity in the company
  • Inform senior key stakeholders about data protection responsibilities, risks and related issues
  • Maintain an accountability framework for privacy and data protection, including Senior Management, Data Owners, Data Privacy Champions and other roles
  • Act as the official Data Protection Officer (DPO) for Mediclinic Middle East and its subsidiaries
  • Guide the business on all privacy, data protection and related matters and contribute as subject matter expert for the company
  • Establish collaborative networks with internal colleagues in IT, Innovation, Operations, Business Development, Clinical and other key stakeholders to drive and assist the implementation of privacy and data protection requirements
  • Manage a framework to assess and mitigate data protection risks and incidents (risk register, data protection impact assessments, personal data breaches), conduct assessments, and report issues and concerns to the relevant senior stakeholders in the company and to regulators (if applicable)
  • Manage data breach incidents and support investigations and mitigation actions in cyber security and other incidents affecting personal data.
  • Report data breaches to the relevant senior stakeholders in the company and to regulators (if applicable). Member of the Cyber Incident Response Team (CIRT).
  • Ensure awareness and training campaigns are conducted and assist in training content development to increase awareness and understanding of and compliance with the framework and laws
  • Conduct regular data protection audits and spot checks to ensure compliance and to mitigate risks, and participate as auditee in internal and external audits and inspections related to privacy, data protection and information security
  • Oversee and coordinate the implementation and maintenance of legally required data processing registers
  • Support the Legal department and contract owners in the review of contracts and agreements and in the implementation of data protection clauses
  • Maintain oversight on data security programs and measures and collaborate and align with the Information Security (InfoSec) department in the review and implementation of safeguards and measures regarding data security, data localisation and other requirements
Legal Compliance – Drive the regulatory compliance strategy and culture
  • Implement and maintain the Regulatory Compliance policy and drive the compliance program
  • Monitor legal and regulatory developments over all applicable jurisdictions for significant developments impacting the company's risk exposure, ownership and structure, licensing, finances and taxes, and other operations (except clinical and medical)
  • Re-assess the compliance and regulatory risks for reporting to internal stakeholders and shareholders
  • Ensure regulatory compliance is driven as an integrated part of the enterprise risk management process. This includes the execution and regular updating of compliance assessments for all key functional / business areas in each platform
  • Facilitate the embedding of compliance processes into the functional / business areas and ensure managers execute on their compliance plans
  • Stay abreast of and continuously monitor top compliance and regulatory updates and changes relevant to the business
  • Provide training on the Mediclinic compliance framework
Leadership – Provide oversight and assurance to the business
  • Implement and execute goals, objectives, policies and directions given from Group and senior leadership, and prepare and execute a year plan and programs for privacy, data protection and legal compliance according to Group and Divisional objectives and priorities
  • Lead, guide and manage the team
  • Lead the network of Data Privacy Champions, including chairing the Data Privacy Committee, develop the skills and expertise of the Champions and provide operational support
  • Prepare regular and required feedback reports for submission to Board, EXCO, OPSCO or other relevant governance structures on the status of data protection and regulatory compliance matters
  • Participate in and contribute to relevant forums and committees as required by the company's needs and as per assignment
  • Establish and proactively participate in networks with external experts in relation to privacy and data protection

ESSENTIAL MINIMUM EXPERIENCE

  • At least 5 years' experience in Privacy and Data Protection within Legal, Compliance, Information Security, Risk Management, or Data Governance functions, with demonstrated experience in implementing and managing privacy compliance frameworks and data protection programmes.
  • Experience in data protection and regulatory compliance within a complex corporate environment, including engagement with executive and senior stakeholders. Experience within the healthcare sector and/or GCC regulatory environment is highly advantageous.
  • Certification in compliance, information security, or risk management is also advantageous.

ESSENTIAL EDUCATION

  • Bachelor's Degree in Law, Information Technology, Computer Science, Commerce, Risk Management, Information Security, or a related field.
  • Professional certification in Data Privacy or Information Governance from recognized institutions such as IAPP (CIPP/E, CIPM), ISACA, ISO, or equivalent.

REQUIRED JOB SKILLS AND KNOWLEDGE

  • Data privacy and data protection laws, regulations, and practices
  • Compliance, governance, and risk management frameworks and methodologies
  • Strategic business and operational acumen
  • UAE and international legal/regulatory environments
  • IT systems, data flows, and organisational governance structures
  • Healthcare industry operations and related regulatory requirements
  • Incident management, breach response, and remediation processes
  • Compliance monitoring and corrective action management
  • Third-party/vendor risk and data processing governance
  • Training, awareness, and compliance culture development
  • Project management and change management principles
  • Reporting, analytics, and governance dashboard preparation
  • Verbal and written communication skills
  • Coaching, mentoring, and team leadership capability
  • Stakeholder management and relationship building
  • Collaboration and cross-functional partnership