IDB Invest Data Privacy Officer
Location: Washington, DC.
The IDB Group is a community of diverse, versatile, and passionate people who come together on a journey to improve lives in Latin America and the Caribbean. Our people find purpose and do what they love in an inclusive, collaborative, agile, and rewarding environment.
About this position
The IDB Invest privacy function (the “PF”) operates within FNA/AKI. The PF will be led by the IDB Invest Data Privacy Officer (the “PO”), who will report to the Managing Director of FNA/AKI, with dotted-line reporting to the Chief Finance and Administration Officer (the “CFO”).
The PO will provide leadership and will represent the PF in discussions with the other IDB Group Institutions’ data privacy teams on Personal Data related issues as deemed appropriate by the PO. This includes coordinating, providing input, and driving consensus on Personal Data protection activities performed by shared services and representing IDB Invest Personal Data privacy interests on relevant IDB Group committees.
What you’ll do:
Under the leadership of the PO, the PF is responsible for providing advice and guidance to IDB Invest Management and IDB Invest Organizational Units on all four areas of the Program:
Data Privacy Strategy and Governance
Strategic Development: Defines and coordinates the Data Privacy strategy, scope, and manner of execution of IDB Invest’s implementation of the Program.
Training and Awareness: Supports and provides proper resources to ensure the required personal data privacy training and awareness programs for employees are conducted periodically. Promotes a personal data privacy culture at IDB Invest.
Implementing Instruments: Identifies requirements for, and coordinates with the relevant Organizational Units the creation of and updates to, Implementing Instruments.
Data Privacy Operations
Contract language: Supports IDB Invest Legal Department in the definition of Data Privacy language for contract templates and assists IDB Invest organizational units with Data Privacy clauses in negotiations with contractual counterparties.
Notice & Consent: Supports IDB Invest Legal Department in the definition of template language for privacy notices and consent, ensuring they are in place; advises IDB Invest organizational units on the appropriate use of both.
Personal Data Classification: Coordinates with IDB Group institutions’ data privacy offices and other organizational units to provide IDB Invest organizational units direction on classification and appropriate protection of personal data.
Policy Interpretation & Implementation: Provides guidance on the interpretation and implementation of the Privacy Policy, including, where appropriate, in consultation with IDB Invest Legal Department.
Personal Data Inventory Management: Coordinates and provides business requirements for creating and maintaining personal data inventories and guidance on appropriate metadata tagging. Creates and maintains an updated ledger of all personal data processing activities conducted within IDB Invest (ROPA) and provides reasonable assistance to Organizational Units in the creation and maintenance of ROPAs.
Data Privacy Protection Tools: Provides tools for IDB Invest organizational units to identify and minimize Data Privacy-related incidents in their projects and activities, including, without limitation, through Data Privacy impact assessments (DPIAs), and coordinates their execution, including with IDB Invest Risk Department.
Data Privacy by Design and by Default Implementation: Provides guidance to IDB Invest organizational units on the use of privacy by design and privacy by default. Coordinates with the appropriate stakeholders the enhancement of Data Privacy controls and personal data protection requirements at every stage of a project, product, or system’s lifecycle.
Review and Redress Mechanism: Acts as the first point of contact for Data Subjects regarding the Review and Redress Mechanism.
Other Data Privacy Operations Tasks: Performs other responsibilities as may be assigned to it in separate Implementing Instruments.
Data Privacy Protection Management
Information Security Controls: Coordinates and collaborates with IDB Group technology teams and IDB Invest Risk Department regarding the definition, implementation and assurance of appropriate technical controls for the protection of Personal Data.
Third Party Risk Management: Advises on appropriate sharing of Personal Data with external parties (e.g., clients, partners, vendors, and donors), including, where appropriate, with support from and in consultation with IDB Invest Legal Department.
Incident Response Coordination: Advises Management on the response to incidents involving personal data and ensures action plans to mitigate Personal Data breaches are implemented, in accordance with relevant Implementing Instruments and other applicable IDB Invest policies and procedures, in collaboration with IDB Invest Risk Department.
Access Governance: Advises IDB Invest organizational units on the appropriate access rights to personal data.
Data Retention and Disposal: Provides inputs to IDB Group Record Management team on Records Retention and Disposition rules covering Personal Data relevant to IDB Invest.
Data Privacy Oversight Management
Reviewing and self-assessment: Coordinates the reviews of IDB Invest’s Personal Data processing activities, audits, and reports to management on the status of compliance with the Program.
Independent risk and control assessments: Collaborates with IDB Invest Risk unit to provide insights into risks and control assessments (RCAs) of IDB Invest’s processes, products, projects, and systems that involve the processing of personal data.
Audit and Risk Liaison: Coordinates and promotes the liaisons and synergies with the Office of the Executive Auditor (AUG) and Internal Risk on audits and risk assessments of Program implementation and operation.
Audit and Risk Reporting: Reports promptly to IDB Invest Management and Operational Risk Management Committee regarding AUG privacy findings and internal risk assessment results, and coordinates the implementation of improvements to mitigate the personal data privacy risks identified across the organization.
What you’ll need:
Education: Master’s degree (or equivalent advanced degree) in information management, information systems, law, computer science, or related field.
Experience: 4+ years of working experience running and managing a robust Data Privacy and Protection program for a multi-region organization. Should have in-depth knowledge, including practical implementation experience, of regulatory frameworks for data privacy, including the EU GDPR. Expertise that aligns with the international organization's data processing operations, and familiarity with the nature of its data processing activities.