Data Protection Officer

Role & responsibilities

Legal & regulatory compliance (Core):

• Interpret and operationalize obligations under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 across hospital functions (clinical, admin, billing, HR, labs, radiology, patient portal etc.).
• Maintain records and registers required by the Act / Rules and ensure the hospitals processing inventory is up to date.

Data fiduciary duties / privacy governance:

• Design and maintain a hospital privacy framework (policies, SOPs, retention & deletion schedules, consent workflows, lawful basis mapping).
• Advise on privacy-by-design for new systems (EMR/HIS, PACS, LIS, telemedicine apps, mobile apps, patient portals) and procurement (privacy & security contract clauses).

Data principal rights & request handling:

• Operate and streamline processes to receive, verify and respond to data principal requests (access, correction, portability, erasure or objections) within statutory timeframes.

Data protection impact assessments (DPIAs) & risk management

• Conduct DPIAs for high-risk processing (e.g., large-scale clinical research, AI decision tools, biometric/identity verification) and recommend mitigation controls.
• Maintain a hospital-wide risk register for data protection risks and coordinate remediation with IT/Security/Clinical teams.

Incident & breach management

• Lead incident response for suspected/confirmed data breaches: investigation, containment, root-cause analysis, remedial action and required notifications to affected data principals and the Data Protection Board as per Act/Rules.

Third-party / vendor management

• Assess data protection compliance of vendors (cloud providers, billing processors, labs, insurance partners), manage Data Processing Agreements (DPAs), and carry out periodic vendor audits.

Training, awareness & culture

• Design and deliver mandatory privacy and cyber-hygiene training for doctors, nurses, allied health professionals, admin staff and contractors; run periodic tabletop exercises for breach response.

Liaison & reporting

• Serve as the hospitals point of contact for the Data Protection Board of India, regulators and external auditors; prepare compliance reports and brief senior management/board periodically.
• Responsible for management, monitoring, and documentation of consents obtained from employees, patients, consultants, and other data principals in compliance with the DPDP Act, 2023.
• Maintain detailed and up-to-date documentation of all data processing activities in accordance with applicable data protection laws and internal policies.
• Work closely with senior management and key stakeholders to formulate, update and ensure hospital-wide implementation of data privacy, data protection and information governance policies.

Preferred candidate profile

Qualification: LLB / [ B.E. / B.Tech. (IT)]

Required skills sets:

1. Strong working knowledge of DPDP Act, 2023 and DPDP Rules, 2025 and their practical application in healthcare.

2. Experience with hospital IT systems (EMR/HIS, PACS, LIS), clinical workflows and a clear understanding of sensitive health data handling.

3. In-depth understanding of data protection regulations (GDPR, HIPAA) and cyber security best practices.

4. Technical literacy: encryption, access control, logging, secure transfer, cloud security basics.

5. Risk assessment, DPIA, incident management, vendor due diligence, audit experience.

6. Excellent communication skills able to explain legal / technical issues.

7. High level of independence, no conflict of interest and strong analytical skills

Salary will be paid as per industry standards.