Data Protection Officer & IS Compliance lead (DPO&ISCL)

Date:  7 Dec 2024
Location: Delhi, IN

Company:  Delhi Intl Airport Ltd

JOB PURPOSE

• Identify, design and deploy IT Solutions for Transport and Urban Infrastructure Project Management and delivery of special IT Projects catering to specific business needs
• Subject Matter specialist for Information security operations
• Single point of contact for GHB members

The purpose of the position is to manage and enhance data privacy strategy, manage internal and external cybersecurity audits, and ensure compliance with regulatory standards and industry best practices for GMR group.

As our Data Privacy Officer & Cybersecurity Compliance Lead, you will play a pivotal role in safeguarding our data assets, maintaining regulatory compliance, and enhancing our cybersecurity posture.
 

ORGANISATION CHART

The Data Protection Officer & Compliance Lead reports directly to the Group CISO.

KEY ACCOUNTABILITIES

Data Privacy Strategy and Compliance:
• Develop, implement, and maintain comprehensive data privacy policies, procedures, and guidelines.
• Ensure alignment of data handling practices with Indian data protection regulations (DPDP Act 2023).
• Conduct privacy impact assessments (PIAs) and implement risk mitigation strategies.
• Monitor changes in data privacy laws and regulations to ensure ongoing compliance.
• Serve as the primary contact for data privacy inquiries from regulatory authorities, data subjects, and internal stakeholders.

Cybersecurity Audits and Compliance Oversight:
• Plan, coordinate, and manage both internal and external audits of cybersecurity measures.
• Collaborate closely with IT and security teams to facilitate audit processes, provide necessary documentation, and address audit findings.
• Implement recommendations from audits to enhance cybersecurity measures and mitigate risks.
• Stay abreast of emerging cybersecurity threats and industry standards to strengthen organizational defenses.

Regulatory Compliance:
• Monitor compliance with data protection laws, regulations, and other applicable standards (e.g., ISO 27001, NIST, CERT-In, NCIIPC, IT Act, etc.).
• Conduct regular assessments to identify compliance gaps and implement corrective actions.
• Work closely with legal and compliance teams to interpret regulatory requirements and ensure adherence.

Policy Development and Documentation:
• Draft, review, and maintain GMR cyber policies, procedures, and documentation.
• Ensure policies are communicated effectively across the organization and updated in response to regulatory changes.

Training and Awareness:
• Develop and deliver data privacy and cybersecurity training programs for employees to promote awareness and compliance.
• Provide guidance and support to departments on data protection and cybersecurity best practices.

Effectively represent GMR group in front of Regulators, Audit agencies, and the internal Company Board of Directors. Additionally, support in representing GMR in front of Government sectoral and nodal cybersecurity and investigative agencies like Bureau of Civil Aviation Security (BCAS), National Critical Information Infrastructure Protection Center (NCIIPC), CERT-In, CBI, etc.
 

KEY ACCOUNTABILITIES - Additional Details

EXTERNAL INTERACTIONS

Roles you need to interact with outside the organization to enable success in your day to day work:
Consulting partner who manages security solutions and processes of GMR
OEMs whose security solutions are implemented / planned to be implemented
Government agencies such as CERT-In, NCIIPC, DPDP, etc.
 

INTERNAL INTERACTIONS

Roles you need to interact with inside the organization to enable success in your day to day work:
Human Resources (Manager or other applicable roles) – To enable processes related to user awareness
Facilities Management (Manager or other applicable roles) – To enable processes related to Physical Security. 
Legal and Compliance (Manager or other applicable roles) – To enable implementation of Legal and Compliance requirements such as IT Act. 
Ethics and Integrity (Manager or other applicable roles) – To facilitate investigations. 
External Corporate Communications (Manager or other applicable roles) – To ensure public facing websites are secure. 
 

FINANCIAL DIMENSIONS

• Annual Budget for IT Security technical controls
• Enterprise IT budget of TUI Sector (approximately Six Crore INR)

OTHER DIMENSIONS

• Not applicable (No team)
• Indirect reporting through contracts (vendor resources etc.)

EDUCATION QUALIFICATIONS

Proven experience (5+ years) as a Data Privacy Officer.
In-depth knowledge of data protection laws (DPDP) and cybersecurity standards (e.g., ISO 27001, NIST).
10+ years of experience managing internal and external audits of cybersecurity measures.
Strong understanding of information security principles and practices.
Excellent communication and interpersonal skills with the ability to collaborate effectively across departments.
Certification as a Data Protection Officer (CIPP/E, CIPM, CIPT) or relevant cybersecurity certifications (e.g., CISSP, CISM) is a plus.
Ability to work independently, prioritize tasks, and handle confidential information with discretion.

RELEVANT EXPERIENCE

Relevant experience – 10+ years in Audit, Compliance
Relevant experience – 5+ years in data privacy
Total experience – approx. 10–15 years
Proven experience (15 years) as a Data Privacy Officer, Cybersecurity Compliance Manager, or similar role.

COMPETENCIES

  • Problem Solving & Analytical Thinking
  • Planning & Decision Making
  • Capability Building
  • Strategic Orientation
  • Stakeholder Focus
  • Networking
  • Execution & Results
  • Teamwork & Interpersonal influence
  • Personal Effectiveness
  • Social Awareness
  • Entrepreneurship