Médecins Sans Frontières (MSF) is an international humanitarian aid organization that provides assistance in more than 60 countries to populations in distress, to victims of natural or manmade disasters and to victims of armed conflicts, without discrimination and irrespective of religion, creed, or political affiliation.
The MSF movement is built around five operational centers supported by MSF’s 21 sections, 24 associations and other offices together worldwide. MSF Greece is one of the European MSF Sections. Given the nature of the Organization’s activities, MSF Greece processes medical data, HR data, donor data and communications data including testimonies (which at times contain racial or ethnic origins and religious and/or political opinions) and photographs. As in Greece there are operations of the Operational Centers Geneva and MSF Greece’s data flows will include also cross-border transfers of data.
The new General Data Protection Regulation (GDPR) entered into force in May 2016 and will be applicable from May 2018. In this transitional period, Médecins Sans Frontières is preparing and is taking the necessary measures to be in a position to comply with the provisions of the GDPR. Within this context, MSF Greece is looking for a Data Protection Officer to assist in the implementation of the requisite measures for compliance and to monitor and ensure GDPR compliance going forward in accordance with Articles 37 to 39 of the Regulation.
Overall, the primary purpose of the DPO will be to ensure that MSF Greece is compliant with the legal framework applicable to data protection. The DPO function is key to ensuring the self-regulation of the Section as intended by the GDPR.
Manage Data Protection Compliance
- Develop, implement and enforce a suitable and relevant data protection policy and ensure it is reviewed on an annual basis.
- Establish a formal Data Privacy Team tasked with ensuring ongoing oversight of all data protection requirements.
- Update procedures and internal guidance where necessary relating to the processing of personal information.
- Act as the contact point for the Data Protection Authority (DPA). This should include collating information which may be required by the DPA in the course of any investigation or enforcement action.
- Ensure that related requests for information or action, be they from data subjects, the police, the DPA, or other authorized bodies are dealt with correctly and efficiently as required by law. This will include checking the validity of such requests, coordinating and ultimately approving responses before they are sent. The DPO will also be responsible for maintaining a log of all such requests, and producing summary reports as required.
- Maintain a register documenting all personal information processing activities within the Section. Define and maintain information flow maps within the Section, and between the Section and its third-party partners, both within the MSF Movement and externally. Establish and maintain an inventory of information owners for sets of information (e.g. paper files, databases) and educate the information owners on their responsibilities (what is the data, how is it used, who has access to it).
- Maintain a log of any data protection incidents and remedial recommendations and actions.
- Develop or advise on the development of new policies and/or best practice with regard to data sharing internally between departments, within the Movement between Sections or with external third parties.
- Ensure that data protection impact assessments are performed when appropriate (eg major system or product developments etc.). Advise those performing such impact assessments as necessary.
- Inform the President and the General Director of any risks identified in the day-to-day handling of personal data within the Section, including risks stemming from failure to abide by relevant policies or recommendations made by the DPO.
- Establish and maintain full data protection documentation for the purposes of abiding by the principle of accountability under the GDPR and ensure that such documentation is accessible by the relevant Data Protection Authority as required.
Monitor Data Protection Compliance
- Develop and implement a procedure for regular reviewing of compliance with relevant legislation and related organizational policies, doing so in a fully independent manner. The reviews should include third-party data processors used by the Section.
- Highlight and develop solutions for any issues relating to the fair obtaining, use and storage of personal data, information quality and integrity, technical and organizational security.
- Liaise with the team in charge of internal auditing to ensure that personal data processing is included as appropriate within the annual audit program. Occasional participation in or assistance with internal audits may be required.
- Act as the contact point for the International GDPR Steering Committee responsible for monitoring the overall compliance of the MSF Movement, providing updates on the status of MSF Greece as requested, and participate in intersectional discussions regarding such compliance.
- Provide comprehensive annual reports on the Section’s data protection compliance, training and awareness to the President and the General Director.
Training & Awareness
- Provide advice and training to staff and managers to raise awareness and understanding about their responsibilities regarding data protection and other associated legislation or good practice.
- Develop and implement a strategy to ensure that data protection is part of the culture within the Section and is understood as an opportunity rather than just a constraint.
- Develop and implement a data protection awareness and training program.
- Maintain and update own knowledge of developments in data protection issues, information management and related legislation.
- Be a resource for all employees by providing expert advice on related law and other relevant issues.
- Ensure written information on data protection is available for provision to customers and employees, including appropriate privacy notices etc.
- Provide a consultancy service for all departments, including liaison, assessing problems, queries, procedures and practices and take responsibility for advice given.
- Continue to keep abreast of developments in the field of data protection by attending appropriate conferences and continuing personal development, as necessary. Keep the President and the General Director informed of new developments and make recommendations for changes to policies and procedures where appropriate.
- Genuine interest in and commitment to the humanitarian principles of MSF; adhere to our managerial values: Respect, Transparency, Integrity, Accountability, Trust and Empowerment
- Relevant academic degree or equivalent significant experience within the area (Law, IT, audit, risk analysis, compliance).
- Experience within an organization that treats special categories of data such as medical data.
- A comprehensive understanding of the practical application of relevant legislation (including the GDPR) and official guidance relating to processing of personal data.
- Experience in legal and technical training and in awareness raising
- A good understanding of information technologies and data security
- Ability to audit data management systems.
- Ability to exercise professional judgement in the processing of requests for various types of information from various sources, manage the collection of the relevant information and produce a professional response within the requirements of the relevant legislation.
- Demonstrated communication skills to speak to a wide-ranging audience, from the Board of Directors to data subjects, from managers to IT staff and lawyers including strong written communication skills.
- Demonstrated negotiation skills to interface successfully with DPAs
- Confidence in providing advice to staff at all levels across the Organization and to take and defend a minority position where necessary.
- Ability to develop and deliver guidance, advice and training to staff about their responsibilities regarding data protection.
- Sufficient IT knowledge and understanding in terms of data storage, retrieval and information security. The DPO will be required to discuss requirements and solutions confidently with IT staff and to be able to think critical about such questions.
- Fluency in spoken and written Greek and English.
- Ability to work in a multi-cultural environment as part of a team in a stressful environment; possessing maturity, patience and understanding;
- Tact, diplomacy, and tenacity as well as the ability to build and maintain a strong network within the MSF Movement.
- Probity, objectivity, autonomy, impartiality, integrity and the ability to make and defend decisions in a fully independent manner.
- Strong communication skills and the ability to explain complex matters in simple terms.
- A comprehensive understanding of MSF Greece and of the MSF Movement: its systems, structure, stakeholders and culture (desirable).
- The possession of a certification by the International Association of Privacy Professionals (IAPP) is considered as an asset (ie, Certified Information Privacy Association (CIPP) and Certified Information Privacy Professional/ Information Technology (CIPP/IT), (desirable).
- Position based in the Médecins Sans Frontières Greece – Athens Headquarters
- Indefinite contract part time position (20hours/week)
- Annual gross salary: Based on MSF Salary Grid plus secondary benefits
- Starting date: asap
Please submit your CV and a Motivation letter in English in one file under the reference “DATA PROTECTION OFFICER” by email to: firstname.lastname@example.org
Closing date: November 30th, 2018
Only applications with CV and Motivation Letter will be considered.
Only shortlisted candidates will receive a written reply
All applications will be treated in strictest confidentiality