Cyber Security and Data Protection Specialist

Nairobi, KE

Full-time

Bachelor

26 days ago | 08/05/2025 | 09/04/2025

- Accepting Applications

Key Responsibilities:

Data Protection and Compliance Management

  • Ensure full compliance with the Data Protection Act 2019 and GDPR standards.
  • Conduct Data Protection Impact Assessments (DPIAs) for new or modified data processing activities.
  • Maintain an updated record of processing activities, privacy notices, and consent mechanisms.
  • Coordinate compliance with Payment Card Industry Data Security Standards (PCI DSS).
  • Support the organization in managing and responding to data subject rights requests within statutory timelines.
  • Oversee implementation of lawful data retention, archiving, and secure disposal policies.
  • Ensure that international data transfers comply with legal adequacy requirements and secure transfer mechanisms.
  • Embed privacy-by-design principles into projects, products, and system developments.

Cyber-Security Governance, Risk, and Compliance Management

  • Monitors the legal and regulatory environment for developments.
  • Manages the implementation of cybersecurity programs aimed at identifying, managing and remediating threats to improve the cybersecurity posture.
  • Assesses potential risks and vulnerabilities in the network and in information technology infrastructure and applications.
  • Maintains a robust, updated cybersecurity framework that is aligned with a Zero Trust paradigm, NIST CSF, CIS Critical Security Controls, Cloud Security Alliance Cloud Controls Matrix, and organizational standards.
  • Proactively assess system vulnerabilities and incidents and establish mitigation procedures to minimize impact to business operations.
  • Document and test security incident response plans and protocols.
  • Plan and oversee periodic penetration testing, ethical hacking, and red/blue team simulations to evaluate incident preparedness.
  • Monitor global threat intelligence feeds and proactively adjust defensive postures in response to emerging threats.

Incident Response Management

  • Lead the development and execution of incident response plans.
  • Investigate and document security breaches and recommend corrective actions.
  • Collaborate with legal, compliance, and ICT teams for resolution and regulatory reporting.
  • Maintain a data breach register and ensure timely notification to authorities and data subjects as required.

Staff Training and Awareness

  • Develop and roll out organization-wide training programs on cybersecurity and data privacy.
  • Conduct regular workshops and simulated phishing assessments.
  • Raise awareness on best practices in data handling, incident reporting, and digital hygiene.
  • Support internal departments and third parties in aligning data processing with compliance requirements.

Policy Development and Audit

  • Draft and maintain ICT security policies, standards, procedures, guidelines, and playbooks.
  • Lead internal and external audits for cybersecurity and data protection compliance.
  • Provide inputs for organizational policy improvements and governance structures.
  • Establish and track data protection performance indicators, and continuously improve internal processes based on audit findings and legal updates.

Stakeholder Engagement and Reporting

  • Act as the liaison with the Office of the Data Protection Commissioner and other relevant bodies.
  • Provide quarterly risk and compliance reports to senior leadership.
  • Contribute to cross-functional security and compliance committees.
  • Support internal departments and third parties in aligning data processing with compliance requirements.

KNOWLEDGE/QUALIFICATIONS FOR THE ROLE

Required Professional experience

  • Minimum 4 years' experience in cyber security and data protection privacy, advocacy and implementation (INGO/IASC/PIM humanitarian data experience will be an added advantage)
  • Expertise in data protection and compliance laws, rules, regulations, risks, specifically privacy and data protection laws, rules and regulations in East Africa
  • Awareness of regulatory requirements including local, international and industry standards
  • Knowledge and experience in data processing and managing areas relevant to privacy and data protection (information security; data governance; third party risk management; data encryption/decryption)
  • Experience with digital security awareness topics and best practices, particularly cybersecurity
  • Experience with remote facilitation and training
  • Experience within a legal, audit and/or risk function department
  • Strong project management skills
  • Ability to work well under pressure and manage sensitive and confidential information
  • Excellent verbal and written communication skills, with strong attention to detail
  • Great interpersonal skills and ability to work well both independently and as part of a team
  • Excellent analytic and computer skills

Required Education & Certification

Bachelor’s Degree in any of the following fields: Computer Science, Information Communication Technology, Informatics, Law, Statistics or their equivalent from a recognized and accredited institution.

Preferred Professional Certifications:

  • Any Cyber-Security certifications (CompTIA or any other)
  • Any data privacy certification (CISSP/CISM or any other)

Preferred Knowledge and Qualifications

  • Ability to engage at a strategic level with Office of Data Protection Commissioner officials.
  • Strong budgetary and financial management skills.
  • The person must be results oriented, able to handle public relations, and a team player.
  • Good interpersonal, organizational and management skills.
  • Ability to maintain performance expectations in diverse cultural contexts, and physical hardship conditions.
  • Ability to solve complex problems and to exercise independent judgment.

Interested and qualified? Go to World Vision Kenya on worldvision.wd1.myworkdayjobs.com to apply

World Vision

We believe every child matters. Our goal is to ensure all children live life in all its fullness. To achieve this, we work in remote and hard to reach areas to find solutions to health, education, foo...