Title: Senior Manager, Compliance Officer for Data Privacy Governance
The Senior Manager, Compliance Officer for Data Privacy Governance is officially sanctioned by the National Privacy Commission as a deputy officer of the Group Data Protection Officer (DPO), and is responsible for the overall governance, execution, implementation, validation, assessment, testing and monitoring of the Jollibee Group’s Data Privacy Governance and Controls Standards and the Data Privacy Framework and Policies, ensuring compliance across platforms globally. As a supplemental definition of the role, per the National Privacy Commission, a Compliance Officer for Privacy (COP) is an individual who performs some of the functions of a DPO and shall be under the supervision of the DPO. The role also requires ownership of the Privacy Management Platforms that facilitate operational compliance. The role will provide governance consulting and guidance on Privacy requirements, will ensure that DPA (and local territory equivalent) compliance requirements are met and sustained, especially pertaining to Regulatory requirements, and will be the primary point person other than the DPO for Privacy-related particulars of the company. The role will have heavy interaction with the appointed Privacy Point Persons in the various Territories with Privacy Regulations, Business Technology, Digital Technology, Legal, Human Resources and other relevant functions across regions.
Key Responsibilities:
GLOBAL PRIVACY GOVERNANCE & COMPLIANCE – PRIVACY STANDARDS, ADVISORY, & CONSULTING
- DATA PRIVACY STANDARDS - Periodic review and appraisal of policies and guidelines of the Data Privacy Standards and Privacy Handbook in coordination with Business Technology, Digital Technology, Internal Audit, and Legal ensuring that functional policies are aligned with GISP, Local Regulatory Laws and Privacy IRR, and most recent updates in the Regulatory Requirements.
- LEAD PRIVACY SWEEP / PRIVACY MATURITY ASSESSMENT - Design and implement sustainable periodic Compliance Sweep methodologies to ensure that all relevant platforms and projects that have Privacy stakes are proactively checked and tested for effectiveness and / or completeness, in partnership with Internal Audit, Digital Technology, and Business Technology across all Regions and Functions.
- Lead, conduct, measure and follow through on global and regional Data Privacy Risk Assessment Action Plans and glidepath strategies, creating visibility, synergy, optimization, and effectiveness of solutions across Regions and Technology Areas.
- Lead and drive function-based and risk-based Data Privacy assessments or sweeps / audits to determine the adequacy of Privacy controls and adherence to principles.
- PRIVACY OPERATIONS OVERSIGHT - Ensure operational compliance and updates for the Company-wide Data Privacy Act requirements, especially on Systems and Information Security across all business channels, ensuring adherence to governance standards and regulatory requirements in coordination with Global / Regional Legal.
- PRIVACY ADVISORY & CONSULTING - Go-to General Advisor and Consultant for Global Privacy Inquiries and Level 2 escalation for Data Privacy (Privacy Impact Assessment etc.) and related incidents.
- EXECUTIVE PRESENTATIONS - Prepare and conduct Executive Presentations to discuss Privacy Risk posture, recommendations, glidepath, remediation plans, and follow-through based on Privacy standards and compliance requirements.
- GOVERNANCE CHAMPION - Support and champion operational Privacy Policies and Guidelines from BT/DT and relevant functions, i.e. HR, Marketing.
PRIVACY MANAGEMENT & GOVERNANCE TOOLS & PLATFORMS OWNER
- PRIVACY MANAGEMENT PLATFORMS OWNER – Owner in charge of the management, gatekeeping, development, maintenance, utilization and upkeep of the Privacy Management Tools (such as TrustArc or equivalent platforms), including but not limited to Privacy Central, Data Risk Manager, and Privacy Assessment Modules, that facilitate the various Privacy Governance undertakings of the company.
- SYSTEM DEVELOPMENT, AUTOMATIONS, & CONTINUOUS IMPROVEMENT – Lead proactive updates, optimization, and automation initiatives to effectively and efficiently support Privacy Governance across all territories of JFC, in close collaboration with the DT Privacy Operations team, ensuring the Privacy Management systems and monitoring mechanisms are sustainable, fully maximized, and / or updated based on industry and regulatory demands.
- CROSS-REGIONAL CAPABILITY RE-APPLICATION - Help facilitate cross-regional privacy governance standardization and capability rationalization, holding Regional and BT / DT heads accountable for operationalizing solutions that address the privacy risk areas identified in Privacy Impact Assessment and Privacy Sweep Exercises.
- PROJECT MANAGEMENT – Lead / supervise various DPO-driven / DPO-supporting initiatives which may require Project Management and change management skills covering people, process and technology.
GLOBAL PRIVACY IMPACT ASSESSMENT OWNER
- GLOBAL PIA PROGRAM OWNER – Lead and facilitate ALL Privacy Impact Assessment Exercises across regions and functional initiatives, making sure due diligence is executed before project launch and that all pending / conditional items are properly monitored and followed through after go-live. Level 2 approver of all PIAs before endorsement to the DPO for final approval. The role is also authorized to approve some PIAs at this role's level, in lieu of a DPO approval, since as COP most of the responsibilities of the DPO can be delegated to the COP. As the global owner of PIA, this role is also the owner of the Assessment Manager and Data Risk Manager (or any equivalent platform) that facilitates the monitoring and archiving of all privacy impact assessment exercises in case they are needed for regulatory purposes.
- ASSESSMENT COMPLIANCE CO-APPROVER – Together with the DPO, acts as reviewer and approver (or as final reviewer / approver for select initiatives) for Initiatives that have Privacy-related activities, ensuring that the Initiative Proponents effectively conduct the required assessment exercises before go-live and that due diligence is performed.
- ASSESSMENT MONITORING DRIVER – Maintain compliance monitoring and assessment progress decks for all initiatives undergoing a Privacy Impact Assessment. The tracker helps drive accountability, ensures all open item requirements are followed through and fulfilled, and ensures all supporting documents for the requirements and functional approvals are properly organized and archived.
REGULATORY AND STATUTORY COMPLIANCE FACILITATION, MONITORING, APPRAISAL, & DELIBERATION
- ANNUAL SECURITY INCIDENT REPORTING – Facilitate Incident Reporting tracking; coordinate with all Regional BT to collate, organize, and moderate Security Incident logging and tracking; facilitate requirements and support the DPO and Legal deliberation of incidents to be declared and justified.
- NPC REGISTRATION SYSTEM COMPLIANCE – Ensure the timely submission and completion of the Annual Registration and certification renewal process with the NPC across ALL registered Businesses / Entities, together with the Group / Local DPOs. Thereafter, ensure all digital platforms and physical locations post and reflect the Seals / Certificates (or as per Regulation). Facilitate the registration of New Businesses intended to be registered with the Privacy Authority, with all pertinent requirements. All of these are done in collaboration with Legal and as directed by the DPO.
- ANNUAL DATA PRIVACY & SECURITY SUSTAINABILITY REPORTING – With the IT IC Head, help facilitate the collation of qualitative, quantitative, and other pertinent requirements needed annually for the Data Privacy and Security section of the Jollibee Group Sustainability Report; attend meetings, monitor cross-regional compliance and follow-throughs before submission to the DPO / GIC Head for finalization.
- LOCALIZED / TERRITORY-BASED PRIVACY REQUIREMENTS – Orchestrate and facilitate requirements for emerging territories with new or updated privacy regulations, ensuring JFC adapts to and complies with the minimum requirements, which may include, but are not limited to: 1) Appointment of POC / DPO / COP in territories; 2) Governance over Data Subject Rights; 3) Consent and other Personal Information Activities; 4) Cross-Border data transfers; and 5) Vendor Data Processing Agreements, in partnership with Legal.
- CORE COUNCIL – INCIDENT & BREACH MANAGEMENT – Active member and consultant of the Global Incident & Breach Management Council, ensuring regulatory and statutory reporting requirements are facilitated and fulfilled, assisting the DPO in such obligations.
- GLOBAL INDUSTRY / REGULATORY STANDARDS APPRAISAL - Continuous and proactive appraisal of the Data Privacy Knowledgebase for ongoing review and coordination with Business and Digital Technology across Regions. Appraise and deliberate with the DPO on new trends and developments and the interpretation of new Industry and Regulatory Standards, Circulars, Statutes, and / or equivalent across all JFC territories.
PRIVACY AWARENESS PROGRAMS, Trainings, Information Drives, Campaigns & People Management
- PRIVACY COMPLIANCE CULTURE BUILDING – Together with the IT Controls & Governance Manager, co-own and spearhead compliance trainings and awareness drives anchored on the Global Information Security Policy, particularly the Data Privacy Standards, through Annual eLearning Exercises and the corresponding Annual Renewal requirements.
- Privacy Webinar Trainings / Courses – Enterprise-wide and / or Function-Based Information Security and Data Privacy Trainings.
- Privacy Awareness drives through Infomercial Campaigns on a regular periodic basis, in cooperation with Business and Digital Technology.
- Tailor-fit materials based on Local Privacy Regulation Requirements.
- BUSINESS PARTNERING - Continuously explore areas of privacy risk that need policies and guidelines, and proactively coordinate with Business Technology, Digital Technology, and / or relevant Business Functions, e.g., Restaurant Systems, HR, JWS, Facilities Management, etc.
- PEOPLE MANAGEMENT – Guide, strategize, train, and direct subordinates (direct reports, both organic and consulting); help drive the objectives and targets of the DPG tower; ensure talent growth and development plans are in place; and be an instrument to drive not only the compliance culture but also the spirit of family and fun in and among the GIC Team.
Job Qualifications:
- College Graduate in Business Management, Accounting, Finance, or any IT-related course, with IT proficiency
- Must have at least 7 to 12 years of combined Information Security and Data Privacy Governance / Compliance Operations, Information Security Audit / Advisory, or Information Security Governance experience from the following backgrounds:
- Preferred:
  - FMCG / Food and Beverage Industry
  - Bank or Financial Institution Industry
  - Cybersecurity / IT risk assurance / consulting expertise
  - Basic Coding and DevOps background (can read and interpret code, especially risk-related code)
  - IT Audit / Governance preferred
  - Master’s degree or related certifications in IT or Information Security Controls (CIA, CISA, CICA, CIPP, CIPM, etc. and related IT Certifications), project management (PMP, MPM, Lean Six Sigma) and ITIL Certifications are a plus.
- Must be willing to work in Ortigas, Pasig (Hybrid Work Setup)
Jollibee Foods Corporation is the hiring entity for this requisition.