Job Description

Role Summary

The Senior Manager, Data Protection and ESG is accountable for the design, implementation and continued effectiveness of the Group’s data protection and ESG compliance frameworks across all Astra Tech entities licensed locally and internationally, including the regulatory perimeter of the Central Bank of the UAE (CBUAE), the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM), and the Dubai Financial Services Authority (DFSA) of the Dubai International Financial Centre (DIFC) in the UAE, and elsewhere in other jurisdictions.

The role serves as the Group’s single point of accountability for personal data processing activities and for ESG related disclosure, governance and reporting obligations. The incumbent works in close partnership with Business, Product, Technology, Procurement, Human Resources, Legal and Risk teams to embed data protection principles into customer journeys, products, vendor arrangements and operational processes.

The Senior Manager, Data Protection and ESG is the primary liaison for internal assurance functions (Internal Audit and Compliance Monitoring and Testing) and for external regulators (including CBUAE thematic reviews and examinations, FSRA and DFSA supervisory engagements, and data protection commissioners in ADGM and DIFC) on all matters related to data protection and ESG locally, as well as international regulatory reviews/queries.

Responsibilities

Data Protection: Regulatory Gap Assessment and Remediation

  • Conduct an initial end to end gap assessment of the Group’s data protection posture against all applicable regulatory requirements set out in Section 2, separately for each Astra Tech entity.
  • Benchmark current state against international standards where relevant (GDPR, ISO/IEC 27701, ISO 14001, IFRS S1/S2, TCFD, GRI) to anticipate regulatory direction of travel.
  • Document findings in a structured Gap Assessment Report, with prioritised, risk rated remediation actions, owners and target dates.
  • Define, mobilise and track the multi-year Data Protection Remediation Roadmap, ensuring delivery within agreed timelines and reporting progress.

Data Protection: Specific Responsibilities

  • Discharge the formal Data Protection Officer (DPO) responsibilities required under applicable laws and regulations, including monitoring compliance, advising on processing operations and acting as the contact point for data subjects and supervisory authorities.
  • Maintain the Group Record of Processing Activities (RoPA), data inventory and data flow maps across all in scope entities, processes and systems.
  • Draft, maintain and obtain approval for all Data Protection policies, standards and procedures, ensuring alignment with the CBUAE CPR data and confidentiality provisions, UAE PDPL, ADGM DPR 2021 and DIFC DPL and benchmarked against international standards.
  • Review, update and version control all data related customer facing documentation, including Data Privacy Notice/Policy, Cookie Notices, Data and Marketing related Consents, Terms and Conditions (data clauses), product disclosures, marketing opt in mechanisms and data subject rights communications.
  • Embed data protection clauses (controller and processor allocations, sub processor controls, cross border transfer mechanisms, audit rights, breach notification, return and deletion) into Master Service Agreements (MSAs), Data Processing Agreements (DPAs), inter affiliate agreements, vendor contracts and employee contracts, in coordination with Legal and Procurement.
  • Lead the design, business case, vendor selection and implementation of an Enterprise-wide Consent Management (ECM) system covering web, mobile, branch, call centre and third-party channels.
  • Define consent taxonomies, lawful bases, purpose registers, retention rules and re consent triggers, ensuring these are reflected consistently in the ECM platform and downstream systems.
  • Operate the Data Protection Impact Assessment (DPIA), Transfer Impact Assessment (TIA) and Legitimate Interest Assessment (LIA) processes for new products, services, technologies, AI and model use cases, vendor engagements and material changes.
  • Perform a Data Protection Impact Assessment (DPIA) for every initiative submitted to the Group’s Initiatives Review and Approval (IRA) process, ensuring the DPIA is completed prior to IRA approval and forms part of the formal IRA submission pack; track DPIA outcomes, mitigations and conditions to closure, and report DPIA coverage and exceptions to the Head of Compliance Strategy and Transformation.
  • Operate the Data Subject Rights (DSR) handling framework across access, rectification, erasure, portability, objection and restriction requests, within statutory timelines.
  • Lead privacy incident triage, investigation, containment, root cause analysis and remediation, in coordination with Information Security, Technology, Legal, Communications and Operational Risk; assess regulatory thresholds and lead breach notifications to the UAE Data Office, CBUAE, FSRA, DFSA, ADGM Office of Data Protection and DIFC Commissioner of Data Protection, and to affected data subjects where required.

ESG: Specific Responsibilities

  • Maintain a consolidated ESG regulatory obligations register covering the CBUAE Principles for Sustainability Related Disclosures, the ADGM ESG Disclosures Framework, DIFC ESG and sustainability initiatives, FSRA and DFSA sustainable finance guidance, and applicable UAE federal climate and sustainability requirements as well as international ESG related regulations in other jurisdictions, as applicable.
  • Coordinate the preparation of ESG disclosures across in scope entities, including climate related financial disclosures, Group sustainability reporting, and entity level regulatory ESG submissions.
  • Support the integration of ESG risk considerations into credit, investment, product, procurement and third-party risk management frameworks.
  • Provide assurance over the integrity of ESG data flows, controls and reporting, including managing greenwashing risk and ensuring fair, balanced and substantiated sustainability claims in customer facing materials.
  • Embed ESG related clauses (sustainability representations, ESG data sharing, climate risk obligations) into MSAs, vendor contracts and, where relevant, financing and product documentation.
  • Represent Astra Tech in industry ESG working groups and forums, including UAE SFWG linked initiatives where appropriate.

Training and Awareness

  • Design and deliver a Group wide Data Protection and ESG training curriculum, with separate, dedicated modules for each domain, including mandatory annual training, role based deep dives and targeted briefings for Senior Management and the Board.
  • Deliver tailored training and awareness sessions, independently and in coordination with Business, Product, Technology, Procurement, HR and Marketing teams, to embed practical understanding of obligations into day-to-day operations.
  • Maintain training completion records and report on the same.

Third Party and Outsourcing Oversight

  • Define data protection and ESG due diligence requirements for vendor onboarding, ongoing monitoring and exit.
  • Review and approve material third party arrangements from a data protection and ESG standpoint, including cross border data transfer mechanisms and sub processor chains.

Reporting, Regulatory Filings and Liaison

  • Produce periodic Data Protection and ESG reporting for the Head of Compliance Strategy and Transformation, the Group Chief Compliance Officer, Executive Management and relevant Board committees, covering KRIs, KPIs, incidents, regulatory developments and remediation status.
  • Own end to end preparation of regulatory filings, incident reporting and ad hoc submissions on data protection and ESG matters to regulators.
  • Act as the principal point of liaison with Internal Audit and Compliance Monitoring and Testing on data protection and ESG reviews, facilitating walkthroughs, evidence requests, management responses and remediation tracking.
  • Act as the principal point of liaison with external regulators on data protection and ESG matters, including CBUAE thematic reviews and on-site examinations, FSRA and DFSA supervisory engagements and RFIs.
  • Track regulatory developments (CBUAE circulars, FSRA and DFSA notices, ADGM and DIFC amendments, UAE federal updates and international trends) and translate them into actionable changes within the Group.

Requirements

  • Minimum 10+ years of relevant experience in data protection, privacy, ESG, compliance or regulatory advisory, commensurate with Senior Manager grade, with at least 5 years in a dedicated data protection or DPO or ESG lead capacity.
  • Significant experience within financial services, ideally including entities regulated by the CBUAE, the FSRA (ADGM) and the DFSA (DIFC).
  • Demonstrable track record of leading a regulatory gap assessment and end to end remediation programme covering data protection and ESG obligations.
  • Proven experience implementing an Enterprise-wide Consent Management capability across digital channels.
  • Experience handling CBUAE, FSRA and DFSA examinations, thematic reviews, information requests and remediation tracking.
  • Experience operating in a multi entity, multi jurisdiction group, with a clear understanding of the interaction between onshore (CBUAE) and financial free zone (ADGM with FSRA, and DIFC with DFSA) regimes.
  • Experience working with Internal Audit and Compliance Monitoring and Testing on data protection and ESG themed reviews.


Job Details

Role Level: Not Applicable
Work Type: Temporary
Country: United Arab Emirates
City: Dubai
Company Website: http://astratech.ae
Job Function: Security & Risk Management
Company Industry/Sector: Financial Services
