About SARC's DPDP Practice
SARC Global is a multidisciplinary advisory firm with 40+ years of heritage, 100+ partners, and 500+ professionals across India, UK, USA, Singapore, and UAE. SARC is building India's most comprehensive DPDP assessment practice, not adapted from GDPR but built from the DPDP Act upward. Our clients are India's largest enterprises: banks, NBFCs, insurance companies, stock exchanges, fintechs, and technology platforms.
Experience
4-8 years
Location
New Delhi / Hybrid. Client-site travel 40-60% during fieldwork.
Reports To
Engagement Partner - SARC Data Protection Practice
Hiring
Immediately available to join | Max 30 days
What You'll Do:
- Conduct structured stakeholder interviews with C-suite and senior management - DPO, Legal Head, Marketing Head, HR Head, Product/Engineering Head. Ask the hard questions, probe when answers are evasive, and score responses against a defined framework in real time.
- Build the Record of Processing Activities (RoPA) from scratch by mapping 30-80 processing activities across the client's data landscape, from core systems to mobile apps to third-party integrations.
- Determine the legal basis for every processing activity: classify each as consent or legitimate use, document the justification, and flag where the claimed basis is invalid or insufficiently documented.
- Assess the impact of processing activities on all 7 Data Principal rights - notice, consent, access, correction, erasure, nomination, grievance. Identify which rights cannot be fulfilled for which activities and why.
- Review privacy notices across all channels (web, mobile, branch, paper) for compliance with Rule 3 requirements: itemization of data categories, purpose disclosure, rights information, grievance officer details, retention periods, multilingual availability.
- Inspect consent mechanisms end-to-end.
- Review 20-30 client documents: privacy policies, processor contracts (DPAs), retention policies, breach response plans, training materials, board reports. Annotate gaps and cross-reference to specific DPDP sections and rules.
- Assess processor governance: review DPA contracts for the top 15-20 processors, verify purpose limitation clauses, breach notification obligations, sub-processor controls, audit rights, and data return/deletion terms.
- Map cross-border data transfers: identify every flow where personal data leaves India (cloud hosting, SaaS tools, analytics, SWIFT, GCC access), verify contractual protections, and assess compliance.
- Assess governance and accountability maturity: DPO appointment and empowerment, annual DPIA cadence, privacy-by-design in SDLC, board reporting, training program, privacy KPIs, compliance evidence readiness for DPB inspection.
- Generate and classify findings using a defined risk methodology: Likelihood × Severity scoring, specific escalation rules for children's data and breach readiness gaps, design deficiency vs operating effectiveness classification. Write each finding with: factual observation, statutory reference, evidence, risk to Data Principals, specific remediation with owner/effort/cost/timeline.
- Present draft findings to client management. Handle responses: agreement, partial agreement, and disagreement. Maintain assessment findings under pressure — document disagreements alongside your position without suppressing findings.
- Support the Engagement Partner in delivering the Board/Audit Committee presentation.
What You Must Have:
- 4-8 years in data protection, privacy, IT audit, cyber governance, ITGC, risk advisory, compliance, or regulatory consulting. At least 2 years in a client-facing role where you presented work to senior stakeholders.
- Working knowledge of the DPDP Act 2023 structure - you should be able to explain: what's a Data Fiduciary, what's an SDF, what are the 7 Data Principal rights, what's the 72-hour breach notification requirement, what's Rule 13(2). You don't need to have done a DPDP assessment yet.
- Experience conducting structured assessments: IT audit, IS audit, SOC 2, ISO 27001, ISO 27701, GDPR assessment, or RBI/SEBI compliance review. You understand what evidence-based findings look like.
- Ability to interview senior stakeholders without being intimidated. You'll be asking a DPO about their consent gaps and a Legal Head about their legal basis classification. You need to probe when answers are evasive.
- Strong writing skills. Your reports go to Boards and potentially to the DPB. Every sentence must be precise and defensible.
- Understanding of at least one Indian sector regulatory framework: RBI, SEBI, IRDAI, TRAI, or CERT-In. You don't need all - but you need one deeply.
- Comfortable working within a structured methodology. SARC's operating system has 173 controls, 17 working papers, and detailed procedures. You follow the system consistently — you don't freelance.
What Would Strengthen Your Application:
- CIPP/A, CIPP/E, CIPM, CDPSE, CISA, or ISO 27701 Lead Auditor certification.
- Big 4 or major consulting firm background (risk, privacy, or cybersecurity practice).
- Legal background (CA, LLB, CS) combined with technology exposure: rare and extremely valuable.
- Experience with BFSI regulatory compliance: RBI inspection preparation, SEBI CSCRF, IRDAI compliance.
- Experience presenting to Board-level audiences or writing regulatory submissions.
- CA / CS qualification with IT audit exposure (DISA certification).
How to Apply
- Send your resume and a brief note on why this role excites you to [Confidential Information].