iimjobs

Posted by

Shruti Gupta

TA Manager at GoStravvy

Last Active: 31 March 2026

Job Views: 441
Applications:  33
Recruiter Actions:  30

Posted in

IT & Systems

Job Code

1679938

Senior Manager/Assistant General Manager - Data Privacy - Healthcare

GoStravvy | 8 - 12 yrs. | Gurgaon/Gurugram
Posted 3 weeks ago

Over the past 2 decades, this hospital chain has created an unrivalled impact in delivering world-class multi-specialty care for patients in India. As they continue to scale, grow into new geographies, and explore innovative methods of healthcare delivery, they are looking to hire exceptional talent who can help achieve this vision and, in the process, grow to achieve their own professional aspirations.

Role Summary

The Data Protection Officer (DPO) will serve as the statutory DPO and executive owner of the organization's (hospital chain's) data protection and privacy program, ensuring compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable global and healthcare-specific regulations.

This is a hands-on, execution-oriented role responsible for designing, implementing, operationalising, and sustaining privacy and data protection practices across complex hospital environments. The DPO will work independently while collaborating closely with clinical, operational, HR, IT, and leadership teams, and will act as the primary point of contact for regulators and data principals.

Key Responsibilities

Statutory & Regulatory Accountability

- Act as the statutory Data Protection Officer under the DPDP Act, GDPR (Articles 37-39), HIPAA, and applicable healthcare regulations.

- Serve as the primary interface with the Data Protection Board of India, CERT-In, global regulators, and relevant health authorities.

- Ensure the organization's (hospital chain's) obligations as a Significant Data Fiduciary (where applicable) are met and demonstrable.

Strategic Leadership & Governance

- Serve as the executive-level Privacy Subject Matter Expert (SME) to the Operations Committee and Audit / Compliance Committees.

- Embed privacy by design and by default into clinical workflows, hospital operations, digital health platforms, diagnostics, telemedicine, and research initiatives.

- Develop, own, and manage the annual Privacy Program roadmap and budget, prioritising high-risk areas such as patient data, consent, and breach preparedness.

- Establish enterprise-wide data protection governance frameworks, policies, procedures, and standards tailored for hospital environments.

Healthcare Data Management & Risk

- Conduct and operationalise Data Privacy Impact Assessments (DPIAs/PIAs), vendor and cloud risk assessments, and ecosystem risk reviews with a strong focus on patient data.

- Define and document lawful bases for processing sensitive health data beyond consent, including medical necessity, public health, research, and legal obligations.

Operational Execution & Ownership

- Design, implement, and operationalise core foundational privacy processes, including:

a) Consent management

b) Data retention and deletion

c) Grievance redressal and data principal rights handling

d) Breach detection, response, and notification

- Own Data Subject Rights (DSR) processes covering access, correction, erasure, consent withdrawal, portability, and lawful retention decisions.

- Review, negotiate, and guide data protection obligations in contracts with vendors, insurers, laboratories, technology partners, and research collaborators.

- Lead privacy incident investigations end-to-end, including root cause analysis, corrective actions, and regulatory notifications under DPDP Act, GDPR, and HIPAA.

- Establish logging, monitoring, and audit-trail requirements across healthcare systems to ensure regulatory defensibility.

Audit, Monitoring & Reporting

- Design and manage continuous privacy monitoring and assurance programs to assess compliance, control effectiveness, and risk posture.

- Prepare and deliver regular and ad-hoc reports to senior leadership, committees, and regulators.

- Support and manage regulatory audits, inspections, and investigations.

Behavioural Change, Training & Stakeholder Management

- Drive a privacy-aware culture across hospitals and corporate functions.

- Design and deliver regular training and awareness programs for clinicians, nursing staff, operations, HR, IT, and vendor teams.

- Act as a trusted advisor while retaining ownership and accountability for execution.

- Enable behavioural change by introducing pragmatic, workable privacy practices.

Qualifications & Experience

Education:

- Bachelor's degree in Law, Information Security, Computer Science, Healthcare Administration, or a related field.

Experience:

- 8-12 years of total experience, with at least 5-7 years of hands-on implementation experience in data protection, privacy, or information governance programs.

- Demonstrated experience designing, implementing, and sustaining privacy programs, not limited to advisory or consulting roles.

- Strong preference for prior experience in healthcare, hospitals, life sciences, insurance, pharma, or similarly regulated environments.

- Hands-on experience managing healthcare data breaches, regulatory audits, and investigations is strongly preferred.

- Mandatory hands-on experience in handling large and complex patient data.

- Strong stakeholder management capabilities and the ability to drive behavioural change across long-established teams and operational leaders.

Preferred Knowledge & Skills

- DPDP Act, 2023 (including Significant Data Fiduciary obligations)

- GDPR health data requirements and DPIAs

- HIPAA Privacy and Security Rules

- Healthcare consent and medical necessity frameworks

- Data mapping, consent management, DSR workflows, and incident response

- Cloud security, logging, monitoring, and privacy risks in healthcare systems

Preferred Certifications

- CIPP/A or CIPM (IAPP)

- ISO/IEC 27701 Lead Implementer/Auditor

- ISO 27001 Lead Implementer/Auditor
