Role Overview
The Director / Associate Director Data Privacy & Information Security will lead the organisation's information security governance and data protection programs, ensuring that enterprise systems, digital assets, and personal data are protected across global operations.
The role is responsible for designing, implementing, and managing the organisation's Information Security Management System (ISMS) and data privacy governance frameworks, ensuring compliance with global security standards, regulatory requirements, and client security expectations.
Working closely with Enterprise Risk, Legal & Compliance, Technology, Internal Audit, and business leadership, the role will strengthen the organisation's cybersecurity posture, safeguard personal data, manage cyber risk exposure, and embed security and privacy principles across technology platforms and business processes.
Key Responsibilities
Information Security Governance
- Establish and maintain the organisation's Information Security Management System (ISMS) aligned with global standards such as ISO 27001, NIST Cybersecurity Framework, and CIS Controls.
- Develop and enforce enterprise-wide information security policies, standards, and procedures.
- Ensure the confidentiality, integrity, and availability of enterprise information assets and IT systems.
- Conduct periodic security risk assessments and support enterprise security control reviews.
Cybersecurity Operations & Risk Management
- Monitor cybersecurity threats, vulnerabilities, and enterprise cyber risk exposure.
- Oversee vulnerability management programs, threat monitoring, and security control implementation.
- Lead response and remediation activities for cybersecurity incidents and security breaches.
- Track security incidents and coordinate with Enterprise Risk Management to ensure cyber risks are reflected in enterprise risk registers.
Data Privacy & Personal Data Protection
- Implement and manage the organisation's data privacy governance program.
- Ensure compliance with applicable data protection regulations including GDPR, UK GDPR, India DPDP Act, and other global privacy frameworks.
- Maintain records of processing activities, privacy policies, and data protection governance documentation.
- Conduct Data Protection Impact Assessments (DPIAs) for new systems, technologies, and data processing initiatives.
- Ensure appropriate safeguards for cross-border data transfers and vendor data processing activities.
Vendor Security & Data Protection Risk Management
- Conduct security and privacy risk assessments for third-party vendors and service providers handling company systems or data.
- Evaluate vendor cybersecurity practices and privacy controls against enterprise security standards.
- Ensure vendors comply with organisational security and data protection requirements.
- Collaborate with procurement and legal teams to ensure appropriate security and data protection clauses are included in vendor contracts.
Privacy & Security by Design
- Embed security-by-design and privacy-by-design principles into enterprise systems, products, and digital platforms.
- Collaborate with engineering and IT teams to implement secure architecture, encryption, and access control mechanisms.
- Provide guidance on data classification, data retention, and secure data handling practices.
Incident Response & Breach Management
- Lead investigation and response to cybersecurity incidents and personal data breaches.
- Coordinate cross-functional incident response with Legal, Enterprise Risk, and Technology teams.
- Support regulatory breach notification processes where required.
- Conduct post-incident reviews and implement improvements to strengthen security posture.
Security & Privacy Compliance and Audits
- Support internal and external security and privacy audits, including ISO 27001 certification, client security assessments, and regulatory inspections.
- Maintain documentation and evidence required for security certifications and regulatory reviews.
- Track remediation actions arising from security and privacy audit findings.
Security & Privacy Awareness
- Develop and implement security and privacy awareness programs across the organisation.
- Promote responsible data handling practices and strengthen organisational cyber awareness culture.
Cross-Functional Collaboration
The role will collaborate closely with key governance and operational functions:
- Chief Legal, Risk & Compliance Officer: overall governance oversight and regulatory alignment.
- Enterprise Risk Management: integration of cyber and privacy risks into enterprise risk frameworks.
- Compliance & Legal: regulatory compliance, breach notification obligations, and privacy governance.
- Technology / IT Teams: implementation of security controls, infrastructure protection, and secure architecture.
- Internal Audit: independent assurance over security and privacy governance frameworks.
Key Qualifications
- 12-14+ years of experience in information security, cybersecurity, data privacy, or technology risk roles.
- Experience managing enterprise information security or privacy programs within multinational or technology-driven organisations.
- Strong understanding of ISO 27001, NIST Cybersecurity Framework, CIS Controls, or equivalent security standards.
- Knowledge of global data protection regulations including GDPR and emerging privacy frameworks.
- Experience managing cybersecurity incidents, vulnerability management programs, and security governance frameworks.
- Strong stakeholder management and cross-functional leadership capabilities.
Preferred Certifications
Candidates with the following certifications are preferred:
- CISSP (Certified Information Systems Security Professional)
- CISM (Certified Information Security Manager)
- CISA (Certified Information Systems Auditor)
- CIPP / CIPM Privacy Certifications
- ISO 27001 Lead Implementer / Lead Auditor
Reporting to: Chief Legal, Risk & Compliance Officer
Location: Bangalore (No Remote)