Associate Director - Data Protection

Compliance & Risk Management – Records of Processing

Dubai Holding is looking to hire an Associate Director – Data Protection in the Legal Department. The role holder will report to the Head of Data Protection and be responsible for managing and continuously enhancing the organization’s data protection framework to ensure compliance with applicable data privacy laws and internal standards. This includes oversight of policy governance, operational procedures, records of processing, vendor risk, data subject rights, and privacy-by-design initiatives. The role holder will have to ensure effective incident management, conducts assurance reviews, and collaborates cross-functionally to embed privacy practices across the business. Additionally will also lead enterprise-wide training and awareness programs to foster a privacy-conscious culture and ensure alignment with strategic data protection objectives.

• Regularly review templates with Legal and business users for usability and compliance alignment.
• Builds Relationships
• Advise and guide internal teams on Data Protection Impact Assessments and Privacy by Design/Default
• Investigate data incidents to identify root causes and collaborate with relevant teams to implement corrective and preventive actions.
• Oversee the end-to-end management of data subject requests (DSRs), ensuring accurate handling, timely responses, and full compliance with applicable regulatory timelines
• Maintain an up-to-date risk register with prioritized risks and clear mitigation timelines
• Ensure L&D delivers a comprehensive data privacy onboarding module for new hires, tracking completion rates and monitoring key performance indicators (KPIs) for training effectiveness
• Maintain the library of standardized templates (DPIAs, Vendor due diligence, DPAs, ROPA, Breach Logs)
• Conduct regular self-certification and assurance reviews based on risk profiles of verticals to ensure compliance with data processing frameworks
• Oversight and collaboration for data protection training, awareness campaigns, and continuous improvement to enhance compliance and foster a Privacy-Conscious culture
• Ensure business owners have documented evidence of data deletion or return at contract end.
• Review all policies at least annually or following major regulatory or organizational changes and ensure the updates are approved in accordance with the Group DOA, changes clearly communicated and acknowledged by all relevant Stakeholders.
• Maintain a centralized data breach and incident registry to support regulatory reporting, internal audit, and ongoing compliance monitoring.
• Ensure that updates to the RoPA are reflected in relevant privacy notices published in the Privacy Centre.
• Maintain a DPIA registry and ensure it reflects current systems and processes
• Work with L&D to develop and evaluate post-training assessments to track knowledge retention and ensure continuous improvement.
• Maintain comprehensive records of data processing activities (RoPA) and alignment with publicly available privacy notices provided through the Group Privacy Centre
• Organise and run monthly privacy awareness campaigns (e.g., Data Privacy Day, Red Flag Day, "Ask the DPO" sessions) to foster a privacy-conscious culture.
• Ensure ongoing compliance and risk mitigation in data processing activities through regular assurance reviews, risk assessments, and collaborative corrective actions across business functions
• Planning and Organizing
• Act as the central authority for reviewing and approving all DPIAs before project launches or system implementations
• Comprehensive Management of Data Subject Requests, Incident Resolution, and Breach Monitoring for Compliance and Risk Mitigation
• Conduct Privacy Due Diligence assessments during onboarding using standardized questionnaires
• Lead the coordination and resolution of data protection incidents, including initial triage, risk assessment, and implementation of appropriate mitigation measures
• Collaborate with Vertical Heads of L&D to design and implement data protection training programs, ensuring they align with best practices, regulatory requirements, and the organization's data protection strategy
• Undertake ongoing monitoring, ensuring all high-risk vendors are reviewed every three years and that all requests to amend sub -processors or changes to geographic location are reviewed and approved ahead of change being made
• Organize and conduct quarterly awareness sessions with Vertical Data Champions to reinforce data protection principles across departments
• Manage vendor risk to ensure that all third-party suppliers handling personal data comply with applicable data protection laws, contractual obligations, and internal privacy standards
• Manage, and continuously enhance the organization’s data protection framework, ensuring that all policies, procedures, and templates are up-to-date, practical, and aligned with applicable data protection laws and business needs
• Develop a risk-based assurance plan that covers all data domains, systems, and business functions
• Evaluate controls, identify risks, and collaborate with business owners to document and implement corrective actions
• Ensure DPAs with standardised clauses are signed before data sharing and that Transfer Impact Assessments are conducted for all cross-border data transfers.
• Conduct regular reviews to ensure RoPA and privacy notices remain accurate, complete, and transparent.
• Work closely with Business functions and IT teams during the ideation and design phases to ensure that privacy principles are integrated from the outset
• Carry out on-site and remote assurance reviews to assess compliance with regulatory standards (e.g., GDPR, PDPL) and internal policies
• Monitor current DPIA templates, workflows, and quality results to ensure that the process is operating in compliance with the framework
• Collaborate with business units to capture changes in processing purposes, legal bases, recipients, retention periods, and safeguards
• Develop tiered training programs tailored to employee roles based on their risk profile (e.g., general staff vs. high-risk roles like Marketing, IT, etc.)
• Manage and maintain SOPs for key operational processes (DSR, DPIAs, VRM and ROPA) ensuring they are practical, role-specific, and embedded in BAU operations.
• Manage and maintain the Verticals RoPA in compliance with Article 30 of GDPR or other equivalent data protection laws
• Facilitate workshops to guide teams through complex DPIA cases
• Ensure all framework components are available to staff and that training on correct usage is available through workshops/ videos and quick-reference guides.
• Ensure vendors report data incidents and breaches promptly

• Sense of Urgency
• Problem Solving & Decision Making
• Certified Information Privacy Professional (CIPP/E) or equivalent certification is required
• Minimum 8 years of relevant experience as a Data Protection Officer within a multinational organisation.
• Experience with OneTrust or similar compliance management tools
• Strong knowledge of data protection laws, risk frameworks, and compliance processes
• Understanding of AI governance, data processing techniques, and vendor risk management
• In-depth knowledge of EU GDPR, with an understanding of China PIPL, KSA PDPL, the EU AI Act, and industry control frameworks (NIST, ISO 27001, etc.)
• Bachelor’s degree in law, Information Security, Data Protection, Risk Management, or a related field
• Communication Skills