GAIN - Central IT - Data Protection Officer

Job Title: 

Data Protection Officer 

Location: 

Mumbai 

Reports to: 

Primary Purpose 

To own, maintain and improve our data protection and privacy compliance framework, ensuring lawful, fair and transparent processing of personal data across our processing sites in the UK, EU, India, Philippines, US and Canada. 

Main Responsibilities: 

The Data Protection Officer is responsible for proactively managing and improving our data protection compliance framework, driving privacy accountability and lawful processing across the organisation, partnering with IT, Operations, Engineering, HR, Procurement and business stakeholders to embed practical data protection controls and support compliant growth. 

• Own and maintain the data protection governance framework, including policies, standards, procedures and supporting documentation. 

• Maintain and manage the Record of Processing Activities (ROPA), ensuring processing activities, data flows, systems, suppliers and international transfers are accurately documented and kept up to date. 

• Lead and produce Data Protection Impact Assessments (DPIAs), Legitimate Interest Assessments (LIAs), EU Standard Contract Clauses (SCC) and other privacy risk assessments for new and changed processing activities and transfers. 

• Review, negotiate and advise on client and supplier data processing agreements (DPAs), privacy clauses and international data transfer provisions. 

• Monitor compliance with applicable privacy and data protection legislation across our processing sites in the UK, EU, India, Philippines, US and Canada, escalating gaps and driving remediation actions. 

• Provide practical guidance on lawful bases for processing, data subject rights, retention, minimisation, privacy by design and cross-border transfers. 

• Support the management of personal data breaches, including triage, risk assessment, notification decision-making, client communications and post-incident review. 

• Work with supplier owners and procurement teams to assess third-party privacy risk and ensure appropriate due diligence and contractual controls are in place. 

• Develop and deliver data protection training and awareness to employees and support responses to client privacy questionnaires, audits and compliance requests. 

• Define and report privacy KPIs, incidents, risks, audit findings and action plans to senior leadership, while working with IT, Operations, Engineering and wider business units to identify risks and scale good practice. 

Professional skills/ experience: 

• 5+ years in data protection, privacy compliance or information governance with hands-on responsibility for operational privacy activities. 

• Proven experience reviewing and negotiating client and supplier DPAs and advising on practical contractual privacy requirements. 

• Strong experience producing DPIAs, maintaining ROPAs and supporting data subject rights, retention and international transfer compliance. 

• Working knowledge of UK GDPR, EU GDPR and broader international privacy requirements across the UK, EU, India, Philippines, US and Canada. 

• Professional certification such as CIPP/E, CIPM, EU GDPR Practitioner or equivalent privacy qualification desirable. 

• Able to translate privacy risk into business impact and influence stakeholders at all levels. 

Personal Qualities 

• Problem solver. 

• Great with people, can build trust and rapport across the entire organisation. 

• Good communicator with clients and internally. 

• Team Player commitment and flexible. 

• Ability to prioritise and quickly resolve issues. 

• Attention to detail.