
Description
Academic Qualifications And Experience
- Bachelor's degree in Law, Information Technology, or a related field. A Master's degree is a plus.
- Professional certification in data protection and privacy (e.g., CIPP/E, CIPT, CIPM, FIP) is required.
- Minimum of 8-10 years of experience in a senior data protection role, preferably within a multi-jurisdictional financial services or technology organization.
- Expert knowledge of major global data protection regulations (especially GDPR and African data protection laws) and their practical application.
- Demonstrated experience in developing and implementing enterprise-wide privacy frameworks.
- Strong understanding of IT security controls and privacy-enhancing technologies.
Responsibilities
Strategy and Governance
Develop, implement, and maintain EBKL's data protection strategy, policies, standards, and procedures.
Establish a Bank-wide data governance framework, creating a central authority for all data protection matters.
Serve as the primary point of contact for data protection authorities and other regulators on data matters.
Advise the Board and senior management on data protection and privacy matters, ensuring they are informed of their obligations, risks, and the strategic implications of regulatory changes.
Oversee the creation and maintenance of a comprehensive data inventory and data flow maps for all personal data processed by EBKL and its third-party ecosystem.
Compliance and Risk Management
Monitor compliance with all relevant data protection laws (e.g., GDPR, Kenya Data Protection Act, etc.) and internal policies.
Conduct and oversee Data Protection Impact Assessments (DPIAs) for new products, systems, and business processes, especially those involving data sharing across licenses (e.g., sharing bank KYC data with the insurance arm).
Develop and manage a comprehensive record of all data processing activities (ROPA).
Establish a framework for managing and responding to data subject requests (e.g., access, rectification, erasure) in a timely and compliant manner.
Act as the primary point of contact for all data protection authorities and regulators on data matters.
Ensure all necessary registrations and notifications are made to the relevant data protection authorities.
Oversee the management and review of data subject rights requests (e.g., access, rectification, erasure) to ensure they are handled efficiently and in compliance with the law.
Identify, assess, and mitigate data protection risks across EBKL and its third-party ecosystem.
Ensure that third-party contracts and data sharing agreements have adequate data protection clauses and that due diligence is performed on all partners handling personal data.
Data Sharing Enablement
Design and implement legal and technical mechanisms to facilitate lawful and secure data sharing between EBKL and its stakeholders, including third parties and related entities.
Review the Intra-Group Data Sharing Agreements that clearly define the purpose, legal basis, and safeguards for sharing customer data to reduce onboarding friction.
Advise the business on data anonymization, pseudonymization, and other privacy-enhancing techniques to minimize risk while achieving business objectives.
Incident Management
Develop and manage EBKL's data breach incident response plan.
Lead the investigation, mitigation, and reporting of any data breaches or privacy incidents in collaboration with IT security and legal teams.
Develop and implement a data breach response plan and lead the investigation and reporting of any personal data breaches.
Training and Awareness
Develop and roll out a mandatory data protection training program for all employees and contractors across the Bank.
Promote a culture of "privacy by design" and data protection awareness throughout the organization.
Provide expert advice and guidance to business units (Banking, Insurance, Mobile Payments, Foundation) on data protection best practices for their specific operations.
Work closely with IT and Information Security teams to ensure that appropriate technical and organizational measures are in place to protect personal data.
Establish metrics and reporting mechanisms to monitor the effectiveness of the data protection program and report on compliance to senior management and the Board.
Partner with Group and other stakeholders in the engagement with regulators on draft regulations, providing insightful input to shape a practical and effective data protection framework.