
SARC

Manager, Data Privacy and Protection

  • Posted 22 hours ago

Job Description

About SARC's DPDP Practice

SARC Global is a multidisciplinary advisory firm with 40+ years of heritage, 100+ partners, and 500+ professionals across India, UK, USA, Singapore, and UAE. SARC is building India's most comprehensive DPDP assessment practice, not adapted from GDPR but built from the DPDP Act upward. Our clients are India's largest enterprises: banks, NBFCs, insurance companies, stock exchanges, fintechs, and technology platforms.

Experience

4-8 years

Location

New Delhi / Hybrid. Client-site travel 40-60% during fieldwork.

Reports To

Engagement Partner - SARC Data Protection Practice

Availability

Immediate to Max 30 days

Role:

As Manager, Data Privacy & Protection, you will be responsible for the end-to-end delivery of DPDP Act readiness assessments and implementation engagements for Indian enterprises. You will work directly with CISOs, DPOs, Chief Compliance Officers, and Board members of listed companies, PSU banks, NBFCs, and mid-market enterprises. This is not a back-office compliance role. You will be in the room conducting stakeholder interviews, presenting findings, defending your analysis, and advising leadership on their most sensitive data protection decisions. You will also contribute to practice building: refining our assessment methodology, building sector-specific overlays, training junior team members, and supporting business development.

Key Responsibilities:

  • Conduct end-to-end DPDP Readiness Assessments for mid-market and large Indian enterprises: Governance, Data Inventory & RoPA, Consent Architecture, Processor Governance, Security Safeguards, Data Principal Rights, Children's Data, Cross-Border Transfers, Breach Management, Training, Technology Enablement, and Ongoing Compliance.
  • Lead stakeholder interviews with department heads, CISOs, DPOs, legal teams, HR, marketing, IT, and procurement.
  • Build Records of Processing Activities (RoPAs).
  • Create Data Flow Diagrams (DFDs) for the top 15–20 processing activities, identifying control points, gaps, and cross-border flows.
  • Determine legal basis for each processing activity with documented reasoning and statutory references.
  • Produce evidence-based DPIA reports with scored findings, DPDP statutory references, risk ratings, and prioritised remediation roadmaps with action owners, timelines, and cost estimates.
  • Present findings and remediation recommendations to C-suite leadership, Audit Committees, and Boards of Directors.
  • Support post-assessment implementation across key DPDP workstreams: consent architecture redesign, privacy notice drafting (Rule 3 compliant), DPA template development and negotiation, DSR workflow design, breach notification playbook creation, and training curriculum design.
  • Advise clients on privacy technology selection - OneTrust, Securiti AI, BigID, Privasapien, or structured manual processes based on their scale, complexity, and budget. Tool-agnostic advisory, not vendor-locked.
  • Map DPDP obligations against sector-specific regulatory requirements (RBI Master Directions, SEBI cybersecurity framework, IRDAI guidelines, CERT-In directions) to produce integrated compliance roadmaps.
  • Design consent architecture across three layers: Layer 1 (Notice only — Section 7 legitimate use), Layer 2 (Mandatory consent — Section 6 necessary for service), Layer 3 (Optional consent — Section 6 not necessary, customer can refuse).

Experience:

  • 4–8 years of experience in data privacy, data protection, information security, or privacy consulting - assessments, audits and implementation.
  • Minimum 2 years in a client-facing advisory or consulting role - Big 4, consulting firm, or specialist privacy advisory. Internal privacy roles (DPO office, compliance team) are valued but must be supplemented with external advisory experience.
  • Demonstrated experience conducting DPIAs, PIAs, or privacy gap assessments - not just participating, but owning the assessment end-to-end: scoping, data collection, analysis, findings, and report writing.
  • Experience building RoPAs / data inventories through stakeholder interviews and system mapping, not just tool-based automated discovery.
  • Experience with privacy technology platform (OneTrust, Securiti AI, BigID, TrustArc, Exterro) configuration, administration, or implementation.
  • Strong knowledge of the DPDP Act 2023 and DPDP Rules 2025.

Education and certifications:

  • B.Tech / B.E. in Computer Science, Information Technology, or related engineering discipline; OR
  • LLB / BA LLB / BBA LLB with technology exposure; OR
  • MBA with specialisation in Information Systems, Risk Management, or Compliance; OR
  • Any graduate degree with 5+ years of relevant privacy/security experience and appropriate certifications.
  • At least one of: CIPP/E (IAPP), CIPM (IAPP), DCPP (DSCI/Nasscom), ISO 27701 Lead Implementer, ISO 27001 Lead Auditor.
  • OneTrust, Securiti AI, or BigID platform certifications are a strong plus.

Job ID: 148666839
