Head Data Protection

Department: Information Security

Reports To: Head ISRM

Job Grade: SVP

Total Positions: 01

Job Location: Head Office, Islamabad

What is Head Data Protection - MMBL?

Mobilink Microfinance Bank Limited seeks a visionary and technically proficient Data Protection Officer (DPO) to lead the bank's enterprise-wide data protection and privacy program. Reporting directly to the Head of Information Security, the DPO will be responsible for establishing the governance, architecture, and operational execution of the Bank's privacy and data protection obligations. This leadership role will oversee the implementation of a formal Data Protection and Governance Program, manage the lifecycle of sensitive and regulated data, deploy advanced Data Loss Prevention (DLP) systems, and ensure full compliance with relevant State Bank of Pakistan (SBP) regulations, Pakistan's Personal Data Protection Act (when enacted), and applicable international standards, including ISO/IEC 27001 and PCI DSS. The DPO will serve as the Bank's authority on privacy, act as a secondary liaison to regulators and law enforcement via the Compliance function, and serve as the internal champion for all privacy-by-design and data accountability initiatives.

What Head Data Protection - MMBL Does?

Strategic Privacy Program Design & Leadership:

• Develop, own, and drive the enterprise privacy and data protection strategy in alignment with SBP's regulatory expectations and international best practices.
• Establish and operationalize a centralized Data Protection Office, defining its charter, structure, roles, and reporting lines.
• Define a bank-wide data protection operating model, integrating privacy requirements into enterprise risk management and governance frameworks.
• Champion data ethics, responsible data handling, and privacy-by-default principles across the organization.

Regulatory Compliance & Privacy Risk Management:

• Ensure continuous compliance with SBP's Framework on IT Governance and Risk Management, o SBP's Cybersecurity Framework, o Pakistan's Personal Data Protection Bill, o ISO/IEC 27001, PCI DSS, and GDPR (where applicable).
• Act as the bank's focal point or designated secondary liaison with SBP and other relevant regulatory bodies through the Compliance and Legal departments.
• Lead Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new systems, products, and processes.
• Monitor changes in local and global data privacy regulations and proactively adjust compliance strategies.

Data Governance & Inventorization:

• Lead implementation of data classification, tagging, and ownership models across data types and systems.
• Oversee and maintain accurate and up-to-date Records of Processing Activities (RoPAs) in line with SBP and global privacy standards.
• Ensure policies for data minimization, retention, disposal, and lifecycle management are in place and enforced.

Technology & Data Loss Prevention (DLP) Oversight:

• Collaborate with IT, SOC, and Information Security teams to ensure privacy-by-design and privacy-by-default in systems architecture.
• Oversee the deployment, configuration, and monitoring of DLP solutions across all critical data touchpoints—endpoints, email, file storage, and networks.
• Ensure technical controls are aligned with SBP's cybersecurity baseline controls.

Vendor, Third-Party & Contractual Privacy Assurance:

• Evaluate third-party vendors, partners, and outsourcing arrangements for privacy and data protection risks.
• Ensure Data Processing Agreements (DPAs), SLAs, and contractual clauses reflect regulatory and internal privacy requirements.
• Conduct vendor risk assessments and ensure privacy obligations are embedded in procurement and onboarding processes.

Privacy Incident Management & Breach Handling:

• Develop, maintain, and test the Privacy Incident Response Plan in alignment with SBP's incident handling guidelines.
• Maintain a personal data breach register and ensure timely notification to SBP and affected stakeholders in case of qualifying breaches.
• Work with SOC, IT, and Legal to coordinate breach response and containment.

Awareness, Training & Culture Building:

• Develop and roll out privacy awareness programs, including mandatory and role-specific training modules for staff.
• Promote a culture of privacy through KPIs, employee engagement campaigns, and executive support.
• Regularly assess training effectiveness and incorporate feedback from business units.

Reporting & Stakeholder Communication:

• Provide periodic updates to senior management and the Board of Directors on the maturity and effectiveness of the data protection program.
• Contribute to internal audits and regulatory examinations, ensuring evidence of compliance is maintained and auditable.
• Generate dashboards and metrics on privacy risks, incident trends, and regulatory compliance status.

What are we looking for and what does it require to be Head Data Protection - MMBL?

Educational Background:

• Bachelor's or Master's degree in Information Security, Law, Cybersecurity, Risk Management, or related field.

Experience:

• Experience in privacy and security governance.
• Previous experience in regulatory compliance, risk management, or data protection roles.

Technical Proficiency:

• Certifications (preferred):
• CDPO (Certified Data Protection Officer)
• CIPM (Certified Information Privacy Manager)
• CIPP/E (Certified Information Privacy Professional/Europe)
• CISA (Certified Information Systems Auditor)
• CISSP (Certified Information Systems Security Professional)
• CRISC (Certified in Risk and Information Systems Control)
• ISO/IEC 27001 Lead Implementer
• PCI DSS (Payment Card Industry Data Security Standard) knowledge

Soft Skills:

• Strong analytical and problem-solving skills.
• Excellent communication and stakeholder management skills.
• Ability to work independently and in teams.

About MMBL:

Mobilink Microfinance Bank Ltd. (MMBL) is a leading financial institution providing comprehensive banking services to over 42 million registered users, including more than 16 million monthly active customers across Pakistan. Leveraging a hybrid model that integrates traditional microfinance with cutting-edge mobile and digital banking technologies, MMBL operates with a robust network of over 100 branches and 200,000 branchless banking agents.

The bank offers a wide array of financial services through a USSD (GSM) based digital platform, including savings accounts, microenterprise (MSME) loans, small housing loans, remittances, utility bill and loan installment collections, mobile wallets, insurance, G2P, B2B, and B2P payments. These services position MMBL as a key player in advancing financial inclusion across the country.

At MMBL, fostering a positive, equal and productive workplace is a priority, underpinned by core values that emphasize innovation, entrepreneurship, teamwork, collaboration, and a steadfast commitment to a customer-centric approach in every aspect of our business.

Why Join MMBL?

This position offers a unique opportunity for a self-driven, professional and passionate individual to create a meaningful impact and driving transformative change. As part of our team, you will contribute to empowering millions with the tools and resources needed to thrive in the digital age. We are seeking a talented individual eager to make a difference and play a pivotal role in our mission of innovation and progress.