Role Profile:
The GRC Lead – Privacy, Risk & Access Management will play a pivotal role in strengthening Alshaya Group’s governance, risk, and compliance posture with a core focus on data privacy, enterprise risk management, and identity & access governance. This role will also lead and support cross-functional security projects such as SSO integration and user access reviews, ensuring secure, compliant, and business-aligned identity practices across the enterprise.
The Below Key Performance Areas include but are not limited to:
Develop and implement privacy and data protection policies aligned with GDPR, KVKK, PDPL, and other regional regulations.
Conduct DPIAs, PIAs, and privacy risk assessments to ensure responsible data handling.
Manage enterprise risk through a structured Risk Management Framework and maintain the Enterprise Risk Register.
Define and enforce IAM policies including RBAC, SoD, and user access reviews.
Lead or support IAM initiatives such as SSO integrations, PAM implementations, and access certification campaigns.
Align GRC and IAM practices with standards like ISO 27001, NIST, PCI DSS, and SOX.
Facilitate internal and external audits, assessments, and third-party reviews.
Oversee GRC tools and privacy platforms (e.g., Archer, OneTrust, ServiceNow GRC).
Drive cross-functional projects including policy harmonization and audit remediation.
Prepare executive-level reports and dashboards for governance and compliance oversight.
Act as a liaison for privacy, risk, and IAM discussions across departments.
Promote GRC awareness and training across the organization.
Knowledge:
Strong understanding of global privacy regulations (e.g., GDPR, KVKK, PDPL) and data protection principles.
In-depth knowledge of enterprise risk management frameworks and risk assessment methodologies.
Familiarity with IAM concepts including RBAC, SoD, SSO, PAM, and identity lifecycle management.
Experience with compliance standards such as ISO 27001, NIST, PCI DSS, and SOX.
Proficiency in using GRC and privacy management tools (e.g., Archer, OneTrust, ServiceNow GRC).
Ability to lead cross-functional projects and integrate GRC, IAM, and privacy workflows.
Strong stakeholder engagement and communication skills for executive and cross-departmental collaboration.
Analytical skills for conducting DPIAs, PIAs, and interpreting KRIs and audit findings.
Knowledge of authentication protocols (e.g., SAML, OIDC) and identity governance best practices.
Experience in managing DSARs, breach responses, and audit readiness activities.
Experience:
5-7 years experience in Information Security Domain
Bachelor’s degree in Information Security, Computer Science, Risk Management, or related field. Master’s degree or MBA is a plus.
CIPP/E, CIPM, or other IAPP certifications; CRISC, CISA, or ISO 27001 Lead Implementer; Identity and Access certifications such as Azure, Okta, or SailPoint; ITIL or PMP for project management is a plus.
Skills:
Strong understanding of IAM principles, SSO protocols (SAML, OIDC), and identity lifecycle.
Knowledge of privacy regulations and enterprise risk frameworks.
Excellent stakeholder management, communication, and cross-functional collaboration skills.
Proficient in GRC tools , Privacy Tools & Access management platforms.
