Who We Are:
GMG is a global well-being company retailing, distributing and manufacturing a portfolio of leading international and home-grown brands across sport, everyday goods, health and beauty, properties and logistics sectors. Under the ownership and management of the Baker family for over 45 years, GMG is a valued partner of choice for the world's most successful and respected brands in the well-being sector. Working across the Middle East, North Africa, and Asia, GMG has introduced more than 120 brands across 12 countries. These include notable home-grown brands such as Sun & Sand Sports, Dropkick, Supercare Pharmacy, Farm Fresh, Klassic, and international brands like Nike, Columbia, Converse, Timberland, Vans, Mama Sita's, and McCain.
Role Overview:
You will own the privacy framework, ensure regulatory compliance across multiple jurisdictions in the GCC and Southeast Asia, draft and review relevant policies and contracts, partner with business and technology teams, lead risk mitigation, support privacy risk assessments and audits, and provide strategic counsel to the executive leadership. You will act as the central authority for data privacy strategy, risk assessments, breach response, RoPA governance, and engagement with regulators. The role will work closely with internal stakeholders to embed privacy best practices across all business functions.
Key Responsibilities:
- Develop, implement, and maintain the organization's data protection and privacy policies and frameworks, aligned to global standards.
- Own and maintain the Privacy Governance Framework: enterprise privacy policy, notices, DPIA/PIA standards, data retention & minimization standard, cross-border data transfer SOPs, records of processing (RoPA), Data Subject Access Requests (DSAR) and incident response playbooks.
- Advise on data privacy laws and regulations impacting the business across jurisdictions.
- Develop and oversee control systems to prevent or deal with violations of internal policies.
- Ensure that all related regulatory compliance obligations are met.
- Monitor developments in data privacy laws and recommend necessary updates to policies.
- Partner closely with Security, IT, Product, HR, Marketing, and Data teams on minimization, pseudonymization/aggregation, anonymization standards, and secure disposal.
- Review, draft, and negotiate contracts with data protection clauses (e.g., DPAs, SCCs).
- Lead cross-border transfer compliance (e.g., model clauses, transfer risk assessments, adequacy evaluations, supplementary measures).
- Conduct spot checks and audits on user access, retention compliance, and deletion practices.
- Conduct and approve DPIAs/PIAs, legitimate interest assessments, and high-risk processing reviews (biometrics, monitoring, profiling, sensitive data).
- Embed privacy-by-design into project and product lifecycles; review solution architectures, data flows, and purpose limitation.
- Serve as mandatory sign-off authority in change management and project governance.
- Design and manage the DSAR handling framework, including verification standards and system-wide search procedures.
- Review complex or high-risk DSAR cases.
- Lead incident triage, investigation, and escalation processes in collaboration with IT/Security.
- Define breach classification criteria, notification requirements, regulatory timelines, and forensic documentation standards.
- Support internal investigations and audits related to data privacy.
- Support incident response teams in the event of a data breach.
- Develop and deliver role based training for frontline staff, IT teams, HR, marketing, operations, and healthcare service lines.
- Promote privacy awareness through campaigns, case studies, and compliance reminders.
- Ensure employee and vendor compliance through training and awareness programs.
- Act as the organization's primary point of contact with data protection authorities.
- Coordinate registrations/notifications (where required), DPO appointments (statutory/voluntary), and regulator engagement.
- Liaise with data protection authorities when required.
- Maintain the data privacy dashboard and deliver quarterly reporting to management.
Skills & Experience:
- Bachelor's degree in Law (LLB or equivalent), Information Security, or a related field.
- Master's degree in Law or specialization in Information/Data Privacy Law is a plus.
- At least 8 years (typically 8-12 years) of experience in data privacy/compliance roles.
- Demonstrable experience building or scaling a privacy program (governance, DPIA, DSR, transfers, third-party risk, incident response).
- CIPP/E, CIPP/A, CIPP/US, CIPM, or any other recognized data privacy certification is preferred.
- Experience in working across multiple jurisdictions is an advantage.
- Experience with privacy management and data protection tooling (e.g., OneTrust, Securiti.AI), including privacy impact assessment workflows.
- Strong knowledge of international and regional data protection laws (e.g., GDPR, UAE PDPL, KSA PDPL, Singapore PDPA, and the Malaysian PDPA).
- Experience with data mapping, classification, and cross-border data transfer regulations.
- Ability to assess legal risks and propose practical solutions.
- High level of discretion and confidentiality.