Data Protection Officer (DPO)
2026-04-20T09:58:02+00:00
Tausi Assurance Company LTD
https://tausiassurance.co.ke/
FULL_TIME
Nairobi
Nairobi
00100
Kenya
Construction
Legal, Business Operations, Computer & IT
2026-04-30T17:00:00+00:00
8
Background information about the job or company
In the beginning: it was a quiet day in 1992 when seven shareholders got together and formed Tausi Assurance Company Limited. The Company opened its doors quietly but confidently for business in 1993 in Westlands, with a paid-up capital of Kshs 20 million and a staff of nine. Not many companies in the market have experienced the kind of growth that Tausi has d...
The bearer of the role will work closely with the Compliance, Risk, and IT functions to develop, implement, and monitor data protection policies, standards, and governance frameworks applicable to the business in compliance with the Data Protection
The Data Protection Officer will monitor internal compliance and data processing practices to ensure that the business, its subsidiaries, and all functions comply with applicable data protection and privacy requirements.
She/He will be responsible for staff training and oversight of Data Protection Impact Assessments (DPIAs), and will act as the primary contact point for the ODPC and for individuals whose personal data is processed by the organization.
Responsibilities or duties
- Establish and maintain the organization’s data protection governance framework, including the implementation roadmap, policies, and standardized templates for data collection, consent management, and data mapping.
- Provide advisory support to business units on the implementation of data protection requirements, ensuring compliance with the Data Protection Act, CAP 411C, and embedding privacy principles across processes, systems, and digital platforms.
- Develop, maintain, and ensure audit readiness of the Records of Processing Activities (ROPA) and related documentation, covering processing purposes, data categories, retention periods, and lawful bases.
- Design and deliver data protection training programs, ensuring continuous staff awareness in line with regulatory developments and emerging risks.
- Conduct and review Data Protection Impact Assessments (DPIAs) for new and high-risk processing activities, including products, systems, and digital platforms.
- Perform periodic compliance reviews and audits to assess adherence to internal policies and regulatory requirements, and drive timely remediation of identified gaps.
- Collaborate with IT to ensure effective data protection and security controls, including maintenance of data asset registers and implementation of incident management frameworks.
- Oversee and coordinate data breach and incident response processes, including breach detection, containment, investigation, impact assessment, regulatory notification, communication to affected data subjects, and post-incident remediation.
- Maintain the company’s personal data breach register.
- Manage data subject rights requests (including access, rectification, objection, restriction, and deletion), ensuring compliance with statutory timelines and proper documentation of responses.
- Support the development, review, and implementation of privacy notices across all data collection points, ensuring transparency and compliance.
- Serve as the primary liaison with the Office of the Data Protection Commissioner (ODPC) and other relevant stakeholders, including regulators, data controllers/processors, and data subjects, during inspections, audits, investigations, and ongoing engagements.
- Monitor regulatory developments, industry trends, and best practices in data protection, and provide proactive guidance to ensure continuous organizational compliance.
- Prepare and submit periodic and annual reports, including compliance reports, risk updates, and work plans to senior management, Board committees, and the ODPC.
Qualifications or requirements
Academic Qualifications
- Bachelor’s degree in Law, Information Technology, Computer Science, Information Systems, or a related discipline from a recognized institution.
Professional Qualifications
- Certification in Data Protection and Privacy (mandatory), such as:
  - Certified Information Privacy Professional (CIPP/E, CIPP/IT, or equivalent) – IAPP
  - Certified Information Security Professional (CISSP)
  - Certified Information Systems Auditor (CISA)
  - Certified Information Security Manager (CISM)
Skills and Attributes
- Strong expertise in data protection law, regulatory compliance, and privacy governance
- Excellent understanding of insurance operations and data lifecycle management
- Strong analytical and risk assessment capability
- High level of integrity, independence, and professional judgment
- Excellent communication, stakeholder engagement, and influencing skills
- Strong training and awareness-building capability
- Strategic thinking and decision-making ability
- Strong organizational and project management skills
- Ability to manage competing priorities under tight timelines
- High attention to detail and documentation discipline
- Negotiation and conflict resolution skills
- Data analytics and reporting capability
- Software and systems proficiency (including governance tools, compliance systems, or GRC platforms)
- Discretion and strict confidentiality in handling sensitive data.
Experience needed
- Minimum of 5 years’ relevant experience in compliance, risk, legal, audit, or information governance within financial services (preferably insurance or banking).
- Demonstrated experience in conducting or supporting at least one Data Protection Impact Assessment (DPIA).
- Experience engaging with regulators, auditors, or supervisory authorities is highly desirable.
- Exposure to insurance operations (claims, underwriting, medical data, or fraud systems) will be an added advantage.
JOB-69e5f8aaa7d8a
Vacancy title:
Data Protection Officer (DPO)
[Type: FULL_TIME, Industry: Construction, Category: Legal, Business Operations, Computer & IT]
Jobs at:
Tausi Assurance Company LTD
Deadline of this Job:
Thursday, April 30 2026
Duty Station:
Nairobi | Nairobi
Summary
Date Posted: Monday, April 20 2026, Base Salary: Not Disclosed
Work Hours: 8
Experience in Months: 12
Level of Education: bachelor degree
Job application procedure
Interested in applying for this job? Click here to submit your application now.
Application letters and a copy of your current CV (combined into one document), including the names and addresses of three referees, should be sent by to. Please note that by submitting your application, you automatically give Tausi Assurance consent to process and use your personal data for recruitment purposes. Only shortlisted candidates will be contacted.