Position Objective:
The Data Protection Officer (DPO) leads and oversees the Company's data protection and privacy program to ensure compliance with the Personal Data Protection Act (Act 709) and other relevant data protection laws. This role supports the organization and its entities in managing personal data processing risks, ensuring regulatory compliance, and promoting a culture of privacy. The DPO also acts as the main liaison for regulatory authorities and a key point of contact for data subjects.
Roles & Responsibilities:
1. Data Privacy & Compliance Oversight
- Draft, review and maintain, on an ongoing basis, local policies and guidelines to ensure compliance with both AIA Group requirements and local regulatory requirements.
- Implement a risk-based data protection program across the Company and embed privacy-by-design in the Company's processing operations.
- Work with relevant departments/functions to build and/or implement controls, and provide quality, solutions-focused advice on data protection and privacy risk and control issues relevant to the business units, supporting informed decision-making.
- Maintain and oversee a centralized record of personal data processing activities.
- Maintain a privacy risk register aligned to Enterprise Risk Management taxonomy.
- Review and approve Data Privacy Impact Assessments (DPIAs).
- Conduct periodic monitoring and review of the Company as part of control testing, including internal audits, gap assessments, and policy reviews.
- Coordinate cross-functional teams (e.g., IT, Legal, HR, Operations) to embed privacy requirements into business processes and systems.
- Where appropriate or upon request, provide guidance or share expertise with the DPOs of other entities.
2. Data Subject Rights Management
- Act as the main point of contact for customers, policyholders, employees, agents, and other individuals regarding their personal data and privacy rights.
- Coordinate and manage escalated responses to data access requests, correction requests, withdrawal of consent, and privacy-related complaints.
- Ensure the handling of data subject rights is aligned with legal and regulatory standards.
3. Personal Data Incident / Breach Management
- Establish and maintain data breach response plans, and conduct investigation, documentation, and reporting of breaches within prescribed timelines.
4. Third-Party & Outsourcing Governance
- Review data privacy/protection due diligence for third-party vendors.
- Work with Legal and business units to support the facilitation of Data Processing Agreements by incorporating relevant clauses from Act 709, specifying MCIPD disclosure limitations, defining incident-reporting triggers, and establishing the right to audit.
5. Regulatory Engagement & Reporting
- Act as the primary liaison with the Commissioner and other relevant regulatory bodies.
- Prepare and submit required documentation, reports, and notifications in relation to personal data processing and data breaches.
- Keep the organization informed of regulatory developments, enforcement trends, and compliance obligations.
6. Training, Awareness and Culture
- Work with business unit heads to embed training on data protection and privacy risk for employees, sales intermediaries and/or third-party service providers. Monitor implementation of an effective training curriculum.
- Conduct data protection and privacy training and communicate obligations to embed a culture of risk and control awareness within AIA Bhd.
Minimum Requirements:
Education & Certifications
- Bachelor's Degree in Law, Compliance, Business Administration, Information Security, or a related field.
- Preferred certifications:
  - Certified Information Privacy Professional (CIPP/A)
  - Certified Information Privacy Manager (CIPM)
  - Certified Data Protection Officer (CDPO)
  - ISACA, IAPP, or similar accreditation
Experience
- Minimum 7 to 10 years of experience in compliance, legal, or information security roles.
- At least 5 years in a data protection role, preferably in the insurance or financial services sector.
- Familiarity with managing group-level or multi-entity privacy governance.
Skills & Attributes
- Deep understanding of Act 709 and global data protection standards (e.g., GDPR).
- Strong grasp of insurance operations, data flows, and third-party engagements.
- Knowledge of information technology and cybersecurity principles.
- High level of integrity, independence, and professional ethics.
- Strong communication, stakeholder management, and problem-solving skills.
- Ability to build awareness and promote a privacy culture throughout the organization.