Head Data Protection

Department: Information Security

Reports To: Head ISRM

Job Grade: SVP

Total Positions: 01

Job Location: Head Office, Islamabad

What is Head Data Protection - MMBL?

Mobilink Microfinance Bank Limited seeks a visionary and technically proficient Data Protection Officer (DPO) to lead the bank's enterprise-wide data protection and privacy program. Reporting directly to the Head of Information Security, the DPO will be responsible for establishing the governance, architecture, and operational execution of the Bank's privacy and data protection obligations. This leadership role will oversee the implementation of a formal Data Protection and Governance Program, manage the lifecycle of sensitive and regulated data, deploy advanced Data Loss Prevention (DLP) systems, and ensure full compliance with relevant State Bank of Pakistan (SBP) regulations, Pakistan's Personal Data Protection Act (when enacted), and applicable international standards, including ISO/IEC 27001 and PCI DSS. The DPO will serve as the Bank's authority on privacy, act as a secondary liaison to regulators and law enforcement via the Compliance function, and serve as the internal champion for all privacy-by-design and data accountability initiatives.

What Head Data Protection - MMBL Does?

Strategic Privacy Program Design & Leadership:

• Develop, own, and drive the enterprise privacy and data protection strategy in alignment with SBP's regulatory expectations and international best practices.
• Establish and operationalize a centralized Data Protection Office, defining its charter, structure, roles, and reporting lines.
• Define a bank-wide data protection operating model, integrating privacy requirements into enterprise risk management and governance frameworks.
• Champion data ethics, responsible data handling, and privacy-by-default principles across the organization.

Regulatory Compliance & Privacy Risk Management:

• Ensure continuous compliance with SBP's Framework on IT Governance and Risk Management, o SBP's Cybersecurity Framework, o Pakistan's Personal Data Protection Bill, o ISO/IEC 27001, PCI DSS, and GDPR (where applicable).
• Act as the bank's focal point or designated secondary liaison with SBP and other relevant regulatory bodies through the Compliance and Legal departments.
• Lead Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new systems, products, and processes.
• Monitor changes in local and global data privacy regulations and proactively adjust compliance strategies.

Data Governance & Inventorization:

• Lead implementation of data classification, tagging, and ownership models across data types and systems.
• Oversee and maintain accurate and up-to-date Records of Processing Activities (RoPAs) in line with SBP and global privacy standards.
• Ensure policies for data minimization, retention, disposal, and lifecycle management are in place and enforced.

Technology & Data Loss Prevention (DLP) Oversight:

• Collaborate with IT, SOC, and Information Security teams to ensure privacy-by-design and privacy-by-default in systems architecture.
• Oversee the deployment, configuration, and monitoring of DLP solutions across all critical data touchpoints—endpoints, email, file storage, and networks.
• Ensure technical controls are aligned with SBP's cybersecurity baseline controls.

Vendor, Third-Party & Contractual Privacy Assurance:

• Evaluate third-party vendors, partners, and outsourcing arrangements for privacy and data protection risks.
• Ensure Data Processing Agreements (DPAs), SLAs, and contractual clauses reflect regulatory and internal privacy requirements.
• Conduct vendor risk assessments and ensure privacy obligations are embedded in procurement and onboarding processes.

Privacy Incident Management & Breach Handling:

• Develop, maintain, and test the Privacy Incident Response Plan in alignment with SBP's incident handling guidelines.
• Maintain a personal data breach register and ensure timely notification to SBP and affected stakeholders in case of qualifying breaches.
• Work with SOC, IT, and Legal to coordinate breach response and containment.

Awareness, Training & Culture Building:

• Develop and roll out privacy awareness programs, including mandatory and role-specific training modules for staff.
• Promote a culture of privacy through KPIs, employee engagement campaigns, and executive support.
• Regularly assess training effectiveness and incorporate feedback from business units.

Reporting & Stakeholder Communication:

• Provide periodic updates to senior management and the Board of Directors on the maturity and effectiveness of the data protection program.
• Contribute to internal audits and regulatory examinations, ensuring evidence of compliance is maintained and auditable.
• Generate dashboards and metrics on privacy risks, incident trends, and regulatory compliance status.

What are we looking for and what does it require to be Head Data Protection - MMBL?

Educational Background:

• Bachelor's or Master's degree in Information Security, Law, Cybersecurity, Risk Management, or related field.

Experience:

• Experience in privacy and security governance.
• Previous experience in regulatory compliance, risk management, or data protection roles.

Technical Proficiency:

• Certifications (preferred):
• CDPO (Certified Data Protection Officer)
• CIPM (Certified Information Privacy Manager)
• CIPP/E (Certified Information Privacy Professional/Europe)
• CISA (Certified Information Systems Auditor)
• CISSP (Certified Information Systems Security Professional)
• CRISC (Certified in Risk and Information Systems Control)
• ISO/IEC 27001 Lead Implementer
• PCI DSS (Payment Card Industry Data Security Standard) knowledge

Soft Skills:

• Strong analytical and problem-solving skills.
• Excellent communication and stakeholder management skills.
• Ability to work independently and in teams.

About MMBL:

Mobilink Microfinance Bank Ltd. is providing banking services to over 48 million registered users including 20+ million monthly active customers across Pakistan. With a hybrid model that combines traditional microfinance with mobile/digital banking technologies, the bank now operates with over 114 branches and 270,000 branchless banking agents and provides a USSD (GSM) based digital channel offering savings, micro enterprise (MSME) loans, small housing loans, remittances, collection (utility bills and loan instalments), mobile wallets, insurance, G2P, B2B & B2P payments; thus, playing a leading role in the promotion of financial inclusion. MMBL is committed to fostering a positive and productive workplace, and our core values reflect this focus. These values include promoting innovation and entrepreneurship, encouraging teamwork and collaboration, and prioritizing a customer-centric approach in all aspects of our business.

Why Join MMBL?

This is an opportunity for someone who is passionate about making a difference and playing a key role in driving transformative change. Our team is committed to empowering millions with the tools necessary to succeed in the digital age, and we're looking for a talented individual to join us in this endeavour.