Senior Manager, Data Protection & ESG

Role Summary

Data Protection: Regulatory Gap Assessment and Remediation

• Conduct an initial end to end gap assessment of the Group’s data protection posture against all applicable regulatory requirements set out in Section 2, separately for each Astra Tech entity.
• Benchmark current state against international standards where relevant (GDPR, ISO/IEC 27701, ISO 14001, IFRS S1/S2, TCFD, GRI) to anticipate regulatory direction of travel.
• Document findings in a structured Gap Assessment Report, with prioritised, risk rated remediation actions, owners and target dates.
• Define, mobilise and track the multi-year Data Protection Remediation Roadmap, ensuring delivery within agreed timelines and reporting progress.

Data Protection: Specific Responsibilities

• Discharge the formal Data Protection Officer (DPO)

responsibilities

• required under applicable laws and regulations, including monitoring compliance, advising on processing operations and acting as the contact point for data subjects and supervisory authorities.
• Maintain the Group Record of Processing Activities (RoPA), data inventory and data flow maps across all in scope entities, processes and systems.
• Draft, maintain and obtain approval for all Data Protection policies, standards and procedures, ensuring alignment with the CBUAE CPR data and confidentiality provisions, UAE PDPL, ADGM DPR 2021 and DIFC DPL and benchmarked against international standards.
• Review, update and version control all data related customer facing documentation, including Data Privacy Notice/ Policy, Cookie Notices, Data and Marketing related Consents, Terms and Conditions (data clauses), product disclosures, marketing opt in mechanisms and data subject rights communications.
• Embed data protection clauses (controller and processor allocations, sub processor controls, cross border transfer mechanisms, audit rights, breach notification, return and deletion) into Master Service Agreements (MSAs), Data Processing Agreements (DPAs), inter affiliate agreements, vendor contracts and employee contracts, in coordination with Legal and Procurement.
• Lead the design, business case, vendor selection and implementation of an Enterprise-wide Consent Management (ECM) system covering web, mobile, branch, call centre and third-party channels.
• Define consent taxonomies, lawful bases, purpose registers, retention rules and re consent triggers, ensuring these are reflected consistently in the ECM platform and downstream systems.
• Operate the Data Protection Impact Assessment (DPIA), Transfer Impact Assessment (TIA) and Legitimate Interest Assessment (LIA) processes for new products, services, technologies, AI and model use cases, vendor engagements and material changes.
• Perform a Data Protection Impact Assessment (DPIA) for every initiative submitted to the Group’s Initiatives Review and Approval (IRA) process, ensuring the DPIA is completed prior to IRA approval and forms part of the formal IRA submission pack; track DPIA outcomes, mitigations and conditions to closure, and report DPIA coverage and exceptions to the Head of Compliance Strategy and Transformation.
• Operate the Data Subject Rights (DSR) handling framework across access, rectification, erasure, portability, objection and restriction requests, within statutory timelines.
• Lead privacy incident triage, investigation, containment, root cause analysis and remediation, in coordination with Information Security, Technology, Legal, Communications and Operational Risk; assess regulatory thresholds and lead breach notifications to the UAE Data Office, CBUAE, FSRA, DFSA, ADGM Office of Data Protection and DIFC Commissioner of Data Protection, and to affected data subjects where required.

ESG: Specific Responsibilities

• Maintain a consolidated ESG regulatory obligations register covering the CBUAE Principles for Sustainability Related Disclosures, the ADGM ESG Disclosures Framework, DIFC ESG and sustainability initiatives, FSRA and DFSA sustainable finance guidance, and applicable UAE federal climate and sustainability requirements as well as international ESG related regulations in other jurisdictions, as applicable.
• Coordinate the preparation of ESG disclosures across in scope entities, including climate related financial disclosures, Group sustainability reporting, and entity level regulatory ESG submissions.
• Support the integration of ESG risk considerations into credit, investment, product, procurement and third-party risk management frameworks.
• Provide assurance over the integrity of ESG data flows, controls and reporting, including managing greenwashing risk and ensuring fair, balanced and substantiated sustainability claims in customer facing materials.
• Embed ESG related clauses (sustainability representations, ESG data sharing, climate risk obligations) into MSAs, vendor contracts and, where relevant, financing and product documentation.
• Represent Astra Tech in industry ESG working groups and forums, including UAE SFWG linked initiatives where appropriate.
• Training and Awareness
• Design and deliver a Group wide Data Protection and ESG training curriculum, with separate, dedicated modules for each domain, including mandatory annual training, role based deep dives and targeted briefings for Senior Management and the Board.
• Deliver tailored training and awareness sessions, independently and in coordination with Business, Product, Technology, Procurement, HR and Marketing teams, to embed practical understanding of obligations into day-to-day operations.
• Maintain training completion records and report on the same.

Third Party and Outsourcing Oversight

• Define data protection and ESG due diligence requirements for vendor onboarding, ongoing monitoring and exit.
• Review and approve material third party arrangements from a data protection and ESG standpoint, including cross border data transfer mechanisms and sub processor chains.

Reporting, Regulatory Filings and Liaison

• Produce periodic Data Protection and ESG reporting for the Head of Compliance Strategy and Transformation, the Group Chief Compliance Officer, Executive Management and relevant Board committees, covering KRIs, KPIs, incidents, regulatory developments and remediation status.
• Own end to end preparation of regulatory filings, incident reporting and ad hoc submissions on data protection and ESG matters to regulators.
• Act as the principal point of liaison with Internal Audit and Compliance Monitoring and Testing on data protection and ESG reviews, facilitating walkthroughs, evidence requests, management responses and remediation tracking.
• Act as the principal point of liaison with external regulators on data protection and ESG matters, including CBUAE thematic reviews and on-site examinations, FSRA and DFSA supervisory engagements and RFIs.
• Track regulatory developments (CBUAE circulars, FSRA and DFSA notices, ADGM and DIFC amendments, UAE federal updates and international trends) and translate them into actionable changes within the Group.

Requirements

• Minimum 10+ years of relevant experience in data protection, privacy, ESG, compliance or regulatory advisory, commensurate with Senior Manager grade, with at least 5 years in a dedicated data protection or DPO or ESG lead capacity.
• Significant experience within financial services, ideally including entities regulated by the CBUAE, the FSRA (ADGM) and the DFSA (DIFC).
• Demonstrable track record of leading a regulatory gap assessment and end to end remediation programme covering data protection and ESG obligations.
• Proven experience implementing an Enterprise-wide Consent Management capability across digital channels.
• Experience handling CBUAE, FSRA and DFSA examinations, thematic reviews, information requests and remediation tracking.
• Experience operating in a multi entity, multi jurisdiction group, with a clear understanding of the interaction between onshore (CBUAE) and financial free zone (ADGM with FSRA, and DIFC with DFSA) regimes.
• Experience working with Internal Audit and Compliance Monitoring and Testing on data protection and ESG themed reviews.