
CRITICAL INDEPENDENCE BOUNDARY
PDPA Section 42 requires the DPO to act independently and free from conflict of interest. Combining IT GRC and DPO duties is permitted because both are second-line oversight roles. However, the role-holder must never be assigned any of the following:
• Ownership of any system that processes personal data
• Operational responsibility for Marketing Data, HR Data, or Customer Data
• Sign-off authority on DPIAs that the role-holder has authored
• Approval of audit findings that assess the role-holder's own work
KEY RESPONSIBILITIES:
1. IT Risk & Compliance
• Maintain the IT Risk Register and Risk Heat Map — Quarterly review with Senior Management
• Own the IT Control Framework aligned to ISO 27001 Annex A
• Coordinate Internal and External Audits — Maintain an audit-ready evidence repository at all times
• Draft and maintain a complete set of IT Policies — Security · Access Management · Acceptable Use · Change Management · Incident Response · BCP
• Run Periodic Control Testing — Access Reviews · Change Management Sampling · Backup-Restore Validation
2. Vendor & Third-Party Risk
• Conduct Security and Privacy Due Diligence on all new vendors and SaaS tools
• Maintain the Vendor Risk Register with Criticality Tiering and review cycles
• Review Security and Privacy clauses in contracts together with Legal
3. PDPA / Privacy (DPO Duties)
• Serve as designated DPO per PDPA s.41 — Inform, advise, and monitor compliance across the organization
• Maintain Records of Processing Activities (ROPA) — All Controller and Processor activities
• Operate the Data Subject Request (DSR) Workflow — Within PDPA timelines: 30 days, extendable to 60 days
• Conduct Data Protection Impact Assessments (DPIAs) — For new systems, products, and high-risk processing including AI / ML
• Maintain Cross-Border Transfer Mechanisms — SCCs · Adequacy Decisions · Consent frameworks
• Review and negotiate Data Processing Agreements (DPAs) with all processors
• Lead Privacy Breach Response with the Security team — Notify PDPC within 72 hours where required
• Serve as Point of Contact for Data Subjects and the PDPC
4. AI Governance (Cross-Functional)
• Permanent member of the AI Governance Council
• Review Lawful Basis, Data Minimization, and Retention for data used in AI model training
• Assess Privacy and Security risks in LLM and RAG implementations
5. Reporting, Awareness & Training
• Deliver Quarterly IT Risk & Privacy Report to CIO, Audit Committee, and Board
• Produce Monthly KRI / KPI Dashboard — Open Risks · Overdue Remediations · Audit Findings Aging · DSR Backlog
• Lead Annual PDPA and Security Awareness Training for all employees
QUALIFICATIONS:
Education
• Bachelor's degree or above in IT, Computer Science, Law, Accounting, or a related field
• LLM or Master's degree in IT Law or Data Protection is an advantage — not a requirement
Experience
• Core (Required): 5+ years in any of: IT Audit, IT GRC, Information Security Management, or Privacy / Compliance
• GRC Track: Experience participating in or leading an ISO 27001 program, internal audit, or risk assessment cycle
• Privacy Track: Working knowledge of PDPA B.E. 2562 — especially processing principles, DSR obligations, and DPIA methodology
• Preferred: Big 4 / Consulting background, or In-house Compliance / IT Security experience at a regulated company (Banking, Insurance, Media, Tech)
• Business-level fluency in Thai and English (both required — this is non-negotiable for PDPC communication)
Certifications:
At least 1 active certification from the list. Commitment to obtain a second within 18 months (company-supported). Expired certs with recent renewal intent are accepted.
CISA (Certified Information Systems Auditor)
CISM (Certified Information Security Manager)
CRISC (Certified in Risk & Information Systems Control)
CIPM (Certified Information Privacy Manager)
ISO 27001 Lead Auditor / Lead Implementer (ISMS International Standard)
CDPSE (Certified Data Privacy Solutions Engineer)
Job ID: 148545747