DATA PROTECCION CORRESPONDENT (DPC)
BNP Paribas Group has a presence in 75 countries with more than 185,000 employees, including 145,000 in Europe. It ranks highly in its two core activities : Retail Banking & Services and Corporate & Institutional Banking.
At BNP Paribas Group, we work continuously on behalf of our clients, helping them to realize their projects around the world.
You can be an important part of this, helping us to serve our clients both in mature and emerging markets, providing them with financial solutions across a diverse range of expertise, products and services.
Strong risk management, combined with the stability that comes from being part of one of the largest banking groups in the world, underpin our success.
Joining us, you’ll become an integral part of a dynamic team that spans nationalities, cultures and backgrounds, drawing together people from around the globe and reflecting our commitment to international placements.
BNPP Group Personal Data Protection framework, defined to respond to the new General Regulation on Data Protection - GDPR coming into effect on 25 May 2018, relies on the accountability of teams within BNPP entities and territories in their processing of Personal Data (customer, employees, UBOs, representatives of corporate, vendors, etc.)
The 1st Line of Defence (Business, IT and CDO) has the responsibility to embed data protection regulations and Group policies and guidelines in the internal organization and processes within its perimeter (e.
g. privacy by design, PIA, security measures, etc.)
DPC is positioned in the 2nd line of Defence (within RISK function), and will be responsible for the scope outlined under his / her responsibility.
The DPC must assist the relevant DPO in supervising the compliance with data protection regulations and Group policies and guidelines, ensuring second level controls and giving the necessary guidance to support the 1st Line of Defence.
In order to ensure consistency with the Group's management structure, a DPC is positioned at Entity level. He / she will report to Data Protection Officer (DPO) of the relevant Business Line.
KEY DIRECT RESPONSABILITIES
A DPC will be appointed with the following key direct responsibilities within his / her scope :
1. Communication with external stakeholders, Data Protection Authorities and data subjects :
Participate in exchanges with the relevant DPA and cooperate with the DPA, based on DPO’s instructions.
2. Matters related to organization and framework related to personal data protection within his / her scope :
A. Contribute to the monitoring of the regulatory landscape on data protection regulations and the relevant communication performed by LEGAL.
B. Participate in committees on / in relation to personal data protection at local level
C. Cooperate with the Country DPO
D. Assist the DPO in overseeing and supervising the overall personal data protection framework on the following topics :
Review and advise on implementation of Group policies and guidelines on Personal Data Protection and monitor consistency in their implementation (Consent collection process, cross border transfers, management of retention or personal data obsolescence).
Review and advise on implementation of Privacy by design principles from the design stage and during the life-cycle of all projects, products, services, activities, processes and systems.
Provide advice on Privacy Impact Assessment (PIA), e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate risks to the rights and interests of individuals) and monitor that PIAs are performed correctly.
Review and advise on implementation of Personal Data Security principles and management of personal data breaches.
Monitor the local implementation of Group security strategy in line with Personal Data Protection regulatory requirements.
Contribute to risk evaluation in case a personal data breach occurred to ensure in a timely manner.
Appropriate safeguards (technical and organizational) are set-up to mitigate any risks to the rights and interests of the data subjects.
Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. high management, Data Protection Authorities, data subjects).
Oversee the Reporting of personal data breaches to the DPA Support the relevant DPO to oversee the Records of processing activities ("Register")
Review and advise on rules regarding record of processing activities ("Register")
Monitor record of processing activities ("Register") is kept up to date, filed under the responsibility of the controller / processor, in line with defined rules
Support the build and implementation of an awareness program
Contribute to the promotion of a data protection culture within his / her scope of responsibility
REQUIRED SKILLS AND EXPERIENCE
6 + years’ experience with significant knowledge and experience in Data Protection / Privacy and banking sector
Knowledge of internal organization and processes
Understanding of data processing operations, including business applications and data use
Experience in project management and change management
Experience in transversal management and working
Experience in interacting with regulators (will be a plus)
Experience of managing compliance programs on regulatory requirements
Strong knowledge and interest in Information Technology, digital and new technologies and understanding of information security controls and principles
DPC should demonstrate :
Independency, objectivity and integrity.
Excellent writing and communication skills allowing him / her to act as a communicator across the bank, on behalf of the DPO
Ability to lead, engage and work transversally on behalf of the DPO
Ability to develop teams’ knowledge on data protection and privacy
Fluent in English (mandatory), national language (language of the country where DPC exercises)
Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in order to be a successful DPC
Be a role model, supporting and fostering a culture of good conduct
Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
Consider the implications of your actions on colleagues, partners and clients before making decisions
Take responsibility for your team’s conduct and conduct risks.
Qualification on Data Privacy is highly appreciated. He / she will be required to enrich his / her competencies with additional professional qualifications relevant to Data Protection, such as :
IAPP Information Privacy Professional / Europe (CIPP / E) or Certified Information Privacy Professional / IT (CIPP / IT)
Certified Information Privacy Manager (CIPM)
Practitioner Certificate in Data Protection (PC.dp)
Fellow of Information Privacy (FIP)
ISEB Data Protection
or equivalent data privacy qualification