Personal Data Management and Information Security Officer

London Temporary 48000 - 72000 £ / year (est.) Home office (partial)

At a Glance

  • Tasks: Lead personal data protection and support information security efforts at the EBRD.
  • Company: Join the European Bank for Reconstruction and Development, promoting sustainable development across 30+ countries.
  • Benefits: Enjoy flexible working, development opportunities, and an attractive compensation package.
  • Why this job: Make a real impact in a diverse, innovative environment focused on sustainability and inclusion.
  • Qualifications: Bachelor's or Master's degree in IT, Security, or related fields; relevant certifications required.
  • Other info: Work in a dynamic team, collaborating with experts from various sectors.

The predicted salary is between 48000 - 72000 £ per year.

The European Bank for Reconstruction and Development (EBRD) is seeking a Personal Data Management and Information Security Officer to support the Head of Information Security in managing the Bank's information security and personal data protection landscape. You will play a dual role: leading on the Bank's Personal Data Protection efforts and supporting the InfoSec agenda. Your work will ensure that the Bank maintains high standards of security, privacy, and compliance, contributing to our mission of promoting sustainable development across our regions of operation.

Operational Risk Management (ORM) is part of the Bank's Risk Management group and forms the second line of defence. ORM is responsible for independently identifying, assessing, and supporting the mitigation of key operational risks, including those related to information security and personal data protection. ORM works in close collaboration with the IT Department and business units across the Bank.

You will act as the Bank's:

  • Primary Personal Data Protection Officer (PDPO) and contact point.
  • Key advisor on privacy and information security risks.
  • Manager of critical programmes, including the Bank's InfoSec and Personal Data Protection Frameworks and Training & Awareness initiatives.
  • Coordinator for internal/external reviews related to InfoSec and privacy compliance.

You will work closely with IT and business functions to identify risks, manage incidents, and advise on good practices aligned with ISO 27001 and/or NIST.

Key Responsibilities:

  • Develop, review, and update the Bank's Information Security and Personal Data Protection (PDP) Frameworks (policies, directives, guidance, and procedures).
  • Manage and implement internal training for staff and Bank users, including writing training materials and managing the Bank's eLearning platform.
  • Conduct compliance assessments to evaluate adherence to InfoSec and privacy policies and procedures.
  • Advise the Bank and data subjects on implementing, applying, and complying with the PDP Framework.
  • Provide support on incident remediation, especially in cases involving personal data breaches.
  • Respond to data subject requests and support the Personal Data Review Panel on personal data-related complaints.
  • Advise on IT and business projects with respect to InfoSec and privacy risks.
  • Maintain risk registers, provide ongoing risk analysis, and contribute to risk mitigation plans.
  • Support completion and review of Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs).
  • Manage BAU activities, including social engineering exercises, supplier assurance assessments, and risk assessments for business processes and technologies.
  • Research emerging threats and evaluate applicability to the Bank's operations.
  • Monitor changes in regulations and best practices, document and propose updates, agree on changes with the Head of Information Security, and implement project plans.
  • Work extensively with IT, particularly the IT Security team, to address technical security and risk issues with a sound understanding of underlying technologies.

Required Qualifications & Experience:

  • Education: Bachelor's or Master's degree, ideally in IT, Security, Risk Management, or a related field (other fields will also be considered).
  • Certifications: At least one recognised information security qualification (e.g., CISM, CISA, CISSM, ISO 27001 Lead Auditor/Implementer). At least one data protection certification (e.g., EU-GDPR-P, CIPP/E).
  • Technical and Professional Skills:
  • Excellent written and verbal communication and presentation skills in English.
  • Ability to present technical information in business and risk language.
  • Strong project management and problem-solving skills.
  • High attention to detail and accuracy.
  • Ability to work independently and handle multiple priorities.
  • Strong relationship management and influencing skills across all levels.
  • Expertise in:
    • Information security tools and practices (e.g., mobile device security, information classification).
    • Supplier assurance, social engineering testing, and security awareness training.
    • Privacy principles, including Privacy by Design, DPIAs, handling data subject requests, and investigating personal data breaches.

    Why Join EBRD?

    • Contribute to sustainable impact in 30+ countries.
    • Be part of a values-driven institution that fosters transparency, innovation, and inclusion.
    • Collaborate with experienced professionals in a dynamic and supportive environment.
    • Access development opportunities and an attractive compensation package.

    Our agile and innovative approach is what makes life at the EBRD a unique experience! You will be part of a pioneering and diverse international organisation, and use your talents to make a real difference to people's lives and help shape the future of the regions we invest in. The EBRD environment provides you with:

    • Varied, stimulating and engaging work that gives you an opportunity to interact with a wide range of experts in the financial, political, public and private sectors across the regions we invest in.
    • A working culture that embraces inclusion and celebrates diversity.
    • An environment that places sustainability, equality and digital transformation at the heart of what we do.

    Diversity is one of the Bank's core values which are at the heart of everything it does. A diverse workforce with the right knowledge and skills enables connection with our clients, brings pioneering ideas, energy and innovation. The EBRD staff is characterised by its rich diversity of nationalities, cultures and opinions and we aim to sustain and build on this strength. As such, the EBRD seeks to ensure that everyone is treated with respect and given equal opportunities and works in an inclusive environment. The EBRD encourages all qualified candidates who are nationals of the EBRD member countries to apply regardless of their racial, ethnic, religious and cultural background, gender, sexual orientation or disabilities. As an inclusive employer, we promote flexible working and expect our employees to attend the office 50% of their working time.

    Please note that, due to the high volume of applications received, we regret to inform you that we are unable to provide detailed feedback to candidates who have not been shortlisted.

    Personal Data Management and Information Security Officer employer: EBRD

    The European Bank for Reconstruction and Development (EBRD) is an exceptional employer, offering a dynamic and inclusive work environment in London where you can contribute to sustainable development across 30+ countries. With a strong focus on employee growth, EBRD provides access to development opportunities, a competitive compensation package, and the chance to collaborate with experienced professionals in a values-driven institution that prioritises transparency, innovation, and diversity.

    Contact Detail:

    EBRD Recruiting Team

    StudySmarter Expert Advice 🤫

    We think this is how you could land Personal Data Management and Information Security Officer

    ✨Tip Number 1

    Familiarise yourself with the latest trends and regulations in information security and data protection. Being well-versed in frameworks like ISO 27001 and GDPR will not only boost your confidence but also demonstrate your commitment to the role.

    ✨Tip Number 2

    Network with professionals in the field of information security and data protection. Attend relevant workshops, webinars, or conferences to connect with industry experts and gain insights that could set you apart from other candidates.

    ✨Tip Number 3

    Prepare to discuss real-world scenarios where you've successfully managed data protection or information security challenges. Having concrete examples ready will showcase your problem-solving skills and practical experience during interviews.

    ✨Tip Number 4

    Stay updated on emerging threats and best practices in the field. This knowledge will not only help you in interviews but also show that you're proactive about continuous learning and adapting to the evolving landscape of information security.

    We think you need these skills to ace Personal Data Management and Information Security Officer

    Personal Data Protection Knowledge
    Information Security Management
    ISO 27001 Familiarity
    NIST Framework Understanding
    Compliance Assessment Skills
    Incident Remediation Expertise
    Risk Management Proficiency
    Privacy Impact Assessment (PIA) Skills
    Data Protection Impact Assessment (DPIA) Skills
    Strong Written and Verbal Communication
    Project Management Skills
    Attention to Detail
    Relationship Management
    Technical Security Knowledge
    Supplier Assurance Experience
    Social Engineering Testing Skills
    Training and Awareness Programme Development

    Some tips for your application 🫡

    Tailor Your CV: Make sure your CV highlights relevant experience in information security and personal data management. Use keywords from the job description to demonstrate that you meet the qualifications and skills required for the role.

    Craft a Compelling Cover Letter: Write a cover letter that clearly outlines your motivation for applying and how your background aligns with the responsibilities of the Personal Data Management and Information Security Officer position. Be specific about your experience with compliance assessments and risk management.

    Showcase Relevant Certifications: List any relevant certifications such as CISM, CISA, or GDPR-related qualifications prominently in your application. This will help demonstrate your expertise and commitment to the field of information security and data protection.

    Highlight Communication Skills: Since excellent communication is crucial for this role, provide examples in your application of how you've effectively communicated complex information to various stakeholders. This could include presentations, training sessions, or written reports.

    How to prepare for a job interview at EBRD

    ✨Understand the Role

    Make sure you have a clear understanding of the responsibilities and expectations of the Personal Data Management and Information Security Officer role. Familiarise yourself with the Bank's Information Security and Personal Data Protection Frameworks, as well as relevant regulations like GDPR.

    ✨Showcase Relevant Experience

    Prepare to discuss your previous experience in information security and data protection. Highlight any certifications you hold, such as CISM or CIPP/E, and be ready to provide examples of how you've successfully managed similar responsibilities in past roles.

    ✨Demonstrate Communication Skills

    Since the role requires excellent written and verbal communication skills, practice articulating complex technical concepts in simple terms. Be prepared to explain how you would communicate privacy risks and compliance issues to non-technical stakeholders.

    ✨Prepare for Scenario-Based Questions

    Expect scenario-based questions that assess your problem-solving abilities and decision-making skills. Think about potential data breach situations or compliance challenges and how you would handle them, demonstrating your analytical thinking and risk management capabilities.
