
Data Protection Officer

Department: Information Security

Reports To: Chief Information Security Officer

Grade: VP

No. of Positions: 01

Location: Head Office (Islamabad)


What is Data Protection Officer - MMBL?


Mobilink Microfinance Bank Limited seeks a visionary and technically proficient Data Protection Officer (DPO) to lead the bank’s enterprise-wide data protection and privacy program. Reporting directly to the Chief Information Security Officer, the DPO will be responsible for establishing the governance, architecture, and operational execution of the Bank’s privacy and data protection obligations.


What Data Protection Officer Does - MMBL?


1. Strategic Privacy Program Design & Leadership


  • Develop, own, and drive the enterprise privacy and data protection strategy in alignment with SBP regulatory expectations and international best practices.
  • Establish and operationalize a centralized Data Protection Office: define its charter, structure, roles, and reporting lines.
  • Define a bank-wide data protection operating model integrating privacy requirements into enterprise risk management and governance frameworks.
  • Champion data ethics, responsible data handling, and privacy-by-default principles across the organization.


2. Regulatory Compliance & Privacy Risk Management


  • Ensure continuous compliance with:
      • SBP’s Framework on IT Governance and Risk Management
      • SBP’s Cybersecurity Framework
      • Pakistan’s Personal Data Protection Bill
      • ISO/IEC 27001, PCI DSS, and GDPR (where applicable)
  • Act as the bank’s focal point or secondary liaison with SBP and other regulatory bodies through Compliance and Legal departments.
  • Lead Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new systems, products, and processes.
  • Monitor local and global data privacy regulations and proactively adjust compliance strategies.


3. Data Governance & Inventorization


  • Lead implementation of data classification, tagging, and ownership models across data types and systems.
  • Oversee and maintain accurate Records of Processing Activities (RoPAs) per SBP and global privacy standards.
  • Ensure enforcement of policies for data minimization, retention, disposal, and lifecycle management.


4. Technology & Data Loss Prevention (DLP) Oversight


  • Collaborate with IT, SOC, and Information Security teams to ensure privacy-by-design and privacy-by-default in systems architecture.
  • Oversee deployment, configuration, and monitoring of DLP solutions across endpoints, email, file storage, and networks.
  • Ensure technical controls align with SBP’s cybersecurity baseline controls.


5. Vendor, Third-Party & Contractual Privacy Assurance


  • Evaluate third-party vendors, partners, and outsourcing arrangements for privacy and data protection risks.
  • Ensure Data Processing Agreements (DPAs), SLAs, and contractual clauses meet regulatory and internal privacy requirements.
  • Conduct vendor risk assessments and embed privacy obligations in procurement and onboarding processes.


6. Privacy Incident Management & Breach Handling


  • Develop, maintain, and test the Privacy Incident Response Plan aligned with SBP incident handling guidelines.
  • Maintain a personal data breach register and ensure timely notification to SBP and affected stakeholders for qualifying breaches.
  • Coordinate breach response and containment with SOC, IT, and Legal teams.


7. Awareness, Training & Culture Building


  • Develop and roll out privacy awareness programs, including mandatory and role-specific training modules.
  • Promote a culture of privacy through KPIs, employee engagement campaigns, and executive support.
  • Regularly assess training effectiveness and incorporate feedback from business units.


8. Reporting & Stakeholder Communication


  • Provide periodic updates to senior management and the Board on data protection program maturity and effectiveness.
  • Contribute to internal audits and regulatory examinations, ensuring evidence of compliance is maintained and auditable.
  • Generate dashboards and metrics on privacy risks, incident trends, and regulatory compliance status.


What are we looking for and what does it take to be Data Protection Officer - MMBL?


  • Bachelor’s or Master’s degree in Information Security, Cybersecurity, Law, Risk Management, or a related field.
  • Professional Certifications (preferred): CDPO, CIPM, CIPP/E, CISA, CISSP, CRISC, ISO/IEC 27001 Lead Implementer.
  • Knowledge of PCI DSS and other relevant data security frameworks and standards.


About MMBL:


Mobilink Microfinance Bank Ltd. is providing banking services to over 48 million registered users including 20+ million monthly active customers across Pakistan. With a hybrid model that combines traditional microfinance with mobile/digital banking technologies, the bank now operates with over 114 branches and 270,000 branchless banking agents and provides a USSD (GSM) based digital channel offering savings, micro enterprise (MSME) loans, small housing loans, remittances, collection (utility bills and loan instalments), mobile wallets, insurance, G2P, B2B & B2P payments; thus, playing a leading role in the promotion of financial inclusion. MMBL is committed to fostering a positive and productive workplace, and our core values reflect this focus. These values include promoting innovation and entrepreneurship, encouraging teamwork and collaboration, and prioritizing a customer-centric approach in all aspects of our business.


Why Join MMBL?


This is an opportunity for someone who is passionate about making a difference and playing a key role in driving transformative change. Our team is committed to empowering millions with the tools necessary to succeed in the digital age, and we're looking for a talented individual to join us in this endeavor.
