CIB Data Protection Correspondent BNP Paribas Risk Hub

GROUP BNP PARIBAS

BNP Paribas Group is the top bank in the European Union and a major international banking establishment. It has close to 185,000 employees in 65 countries. In Spain we are more than 5,100 employees within 13 business lines.

RISK HUB

RISK is an integrated and independent control function of the BNP Paribas Group. It is the second line of defense on the risk management activities of the Group which are under its direct responsibilities, including credit and counterparty risk, market risk, funding and liquidity risk, interest rate and foreign exchange risks in the banking book, insurance risk, operational risk, and environmental and social risks.

RISK aims at being a partner of the businesses by contributing to their sustainable development, but also a gatekeeper to ensure risks taken remain compatible with the Group’s Risk Appetite and its strategy.

RISK Iberian Hub Madrid is a transversal platform servicing the RISK Function by covering added-value activities around credit risk, market risk, operational risk and data protection. Offering a wide range of services to RISK teams, from consulting to cyber security going through data analysis, modelling or artificial intelligence.

ABOUT THE JOB

DPC positioning

BNPP Group Personal Data Protection framework, defined to respond to applicable privacy regulations throughout BNPP territories , relies on the accountability of teams within BNPP entities in their processing of Personal Data (customer, employees, UBOs, representatives of corporate, vendors, etc.)

The 1st Line of Defence (Business, IT and CDO) has the responsibility to embed data protection regulations and Group policies and guidelines in the internal organization and processes within its perimeter (e.g. privacy by design, PIA, security measures, etc.)

DPC is positioned in the 2nd line of Defence (within RISK function) and will report to CIB Business Line DPO.. The DPC must assist CIB BL DPO in supervising the compliance with data protection regulations and Group policies and guidelines, ensuring second level controls and giving the necessary guidance to support the 1st Line of Defence.

Within the scope of your missions, the DPC may have to travel from time to time to some of CIB locations, or to attend conferences in the context of training and upskilling process.

Key direct responsibilities

A DPC will be appointed with the following key direct responsibilities within his / her scope:

Communication with external stakeholders, Data Protection Authorities and data subjects:

Support the DPO by preparing the communication
Participate in exchanges with the relevant DPA and cooperate with the DPA, based on DPO’s instructions.

Matters related to organization and framework related to personal data protection within his / her scope:

Contribute to the monitoring of the regulatory landscape on data protection regulations and the relevant communication performed by LEGAL
Participate in committees on / in relation to personal data protection at global / Business Line level, in cooperation with the 1st line of Defense as well as the worldwide network of Territory DPOs
Assist the BL DPO in overseeing and supervising the overall personal data protection framework on the following topics:

Review and advise on implementation of Group policies and guidelines on Personal Data Protection and monitor consistency in their implementation (Consent collection process, cross border transfers, management of retention or personal data obsolescence)
Review and advise on implementation of Privacy by design principles from the design stage and during the life-cycle of all projects, products, services, activities, processes and systems
Provide advice on Privacy Impact Assessment (PIA), e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate risks to the rights and interests of individuals) and monitor that PIAs are performed correctly
Review and advise on implementation of Personal Data Security principles and management of personal data breaches.

Contribute to risk evaluation in case a personal data breach occurred to ensure in a timely manner, and confirm:

Appropriate safeguards (technical and organizational) are set-up to mitigate any risks to the rights and interests of the data subjects
Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. high management, Data Protection Authorities, data subjects)
Oversee the Reporting of personal data breaches to the DPA
Oversee and monitor the Records of processing activities (“Register”)

Support the build and implementation of an awareness program and contribute to the promotion of a data protection culture within his/her scope of responsibility
Help the relevant DPO to assess effectiveness of LOD1 Control framework and operate the second level controls of independent testing on personal data protection framework to be sure compliance with personal data protection legislation and internal policies and guidelines are in plac.

This will involve 2LoD controls testing against GDPR requirements, for: personal data processed across the organization; high risk activities, new products and activities which involve personal data and testing of IT systems in addition to testing of business operations

Prepare independent reporting and inform the DPO on critical points to be escalated to Senior Management

Confidentiality obligation

The DPC will be bound by secrecy or confidentiality concerning the performance of his/her or her tasks, in accordance with applicable laws.

Required skills and experience

Background

8 to 10years’ experience in Data Protection/Privacy/Digital law(banking sector experiences are appreciated
Significant knowledge and experience in Data Protection Impact Assessment including TIA, LIA, LOA, understanding of personal dataflow (data life cycle), business applications and data use
GDPR analytical skills to check & challenge and seek evidences from 1LOD project stakeholders Experience in project management and change management
Experience in transversal management and working
Experience in interacting with regulators (will be a plus)
Experience of managing compliance programs on regulatory requirements
Strong knowledge and interest in Information Technology, digital and new technologies and understanding of information security controls and principles

Behavior and soft skills

Independency, ability to self-lead to question and seek answers
Structural and synthetical writing skills to document a privacy risk opinion
Be self-organized to be able to keep track with various topics and meetings; prepare meetings and write minutes
Objectivity balancing documented pros & cons
Integrity, ability to learn and listen
Excellent communication skills – allowing him/her to act as a communicator across the bank, on behalf of the DPO
Fluent in English (mandatory), national language (language of the country where DPC exercises) – Spanish
Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in order to be a successful DPC

Benefits

Training programs, career plans and internal mobility opportunities, national and international thanks to our presence in different countries
Diversity and Inclusion Committee that ensures an inclusive work environment. In recent years, several employee communities have been created to organize diversity and inclusion awareness actions (PRIDE, We Generations and MixCity)
Corporate volunteering program (1 Million Hours 2 Help) in which employees can dedicate time out of their working hours to volunteer activities
Flexible compensation plan
Hybrid telecommuting model (50%).
31 vacation day

CIB Data Protection Correspondent BNP Paribas Risk Hub

Credit Internal Models Porftolio Strategist

Data Scientist Credit Modelling

Operational Risk Manager Payment & Cash Management (PCM) and Client Engagement & Protection (CEP)