What Jobs are available for Data Protection in Hong Kong?

【Job Description】

1. Responsible for the data subject rights request fulfilment, data breach incident handling and reporting, third party vendor assessment and review of contract terms on data and privacy.

2. Maintain data protection and privacy related policies, guidelines, standards; lead the privacy risk assessments; and drive data protection initiatives to mitigate privacy risks.

3. Act as a subject matter expert, provide advice to all related internal stakeholders on data protection and privacy, help them understand the risks associated and solve their problems.

4. Lead the privacy related audit or certificate programmes, including DPTM, CBPR, EU COC, etc.

5. Build and maintain strong relationships with internal and external stakeholders, in particular with business teams, to work on projects related to compliance with data protection and privacy laws.

6. Manage tools/systems to assist internal data protection and privacy related processes.

7. Develop and deliver data protection and privacy trainings to internal teams.

8. Keep abreast of new laws and regulations, as well as technology trends, assess impacts and risks and report to management and leadership.

【Qualification】

1. 8 years or above experience in data protection and privacy compliance.

2. Expert knowledge and experience of Data Protection and Privacy Laws in APAC, Middle East, US and the EU/UK.

3. Relevant privacy qualification (e.g. CIPP/A, CIPP/E, etc.) is a plus.

4. Bachelor degree minimum, preferably with technology background.

5. Strong project management skills, and able to work independently with minimum supervision.

6. Proven and strong capability to communicate privacy and risk-related concepts effectively to the business at all levels, and able to make judgement calls independently.

7. Ability to act with integrity and maintain an ethical mindset.

8. Can use English and Chinese languages in professional settings, and any other languages would be a plus.

9. Can work in a fast-paced environment, and perform well under pressure and strict timeline.

Position Overview:

Do you have a passion for data privacy and a desire to help organizations build trust and resilience in the digital age? We are seeking talented Data Protection Consultants to join our client's dynamic Cyber Risk team.

In this role, you will advise a diverse portfolio of global and local clients on their most critical data privacy challenges. You will be instrumental in transforming their data governance frameworks, ensuring compliance with evolving regulations, and implementing "Privacy by Design" principles into their technology and business processes. This is a unique opportunity to grow as a deep subject matter expert, contribute to cutting-edge thought leadership, and build a career with genuine impact.

Key Responsibilities:

• Lead Privacy Advisory Engagements:
  Conduct data protection impact assessments (DPIAs), benchmark practices against global standards (e.g., GDPR, PIPL, HK PDPO), and identify risks across governance, people, process, and technology.
• Design & Implement Frameworks:
  Advise clients on the end-to-end design and implementation of robust data privacy and governance frameworks, including strategies, policies, procedures, and controls.
• Embed Privacy by Design:
  Guide clients on integrating privacy and security into their technology projects, digital transformations, and new business initiatives from the outset.
• Drive Innovation:
  Contribute to the development of our next-generation data privacy offerings, thought leadership, and eminence in the market.

To Excel, You Will Possess:

• Regulatory Expertise:
  Strong knowledge of the Hong Kong PDPO; knowledge of China's PIPL, GDPR, or other APAC privacy regulations is a significant advantage
• Practical Experience:
  3+ years of experience in implementing privacy and information security programs, including: Data Discovery, Inventory, and Flow Mapping; Privacy Risk Assessments & DPIA; Developing Policies, Procedures, and Incident Response Plans; Privacy Training and Awareness
• Technical Acumen:
  A keen understanding of privacy technologies (e.g., data discovery tools, DLP) and how they are applied. Knowledge of system implementation, programming, or data analytics is a plus
• Strategic Mindset:
  The ability to move beyond compliance to provide strategic advice on building mature, sustainable data governance programs
• Professional Credentials:
  A university degree in a related field (Law, IS, Computer Science, Engineering, etc.). Professional qualifications such as CIPP/E, CIPT, CIPM, CISSP, or CDPSE are highly valued

Why Join Our Team?

• Purpose-Driven Work:
  Make an impact that matters by helping clients navigate complex privacy challenges and build a more responsible digital future.
• Become an Expert:
  We are committed to nurturing deep subject matter experts. You will have access to unparalleled training, resources, and mentorship from industry leaders.
• Work on the Frontline:
  Engage with the latest regulations, technologies, and emerging trends, contributing to our firm's thought leadership and next-gen initiatives.
• Competitive Rewards:
  Enjoy a comprehensive compensation and benefits package tailored to recognize your expertise and contribution.
• Flexible Work Model:
  Benefit from a hybrid work environment designed to support your productivity and well-being.

Our client is a is a
high-growth fintech company
transforming the finance landscape across the region. With a focus on innovation and technology, the company delivers forward-thinking financial solutions designed to meet the diverse needs of individuals and businesses. Its regional presence and industry expertise enable it to tailor services to local markets while maintaining scalable and sustainable growth. It's currently expanding the team in Hong Kong.

Responsibilities:

• Lead the development and execution of IT compliance and governance programs to ensure companywide alignment with regulatory and industry standards.
• Coordinate and perform internal IT audits, identifying potential compliance risks and preparing the organization for external assessments.
• Establish, review, and update frameworks for regulatory compliance, emphasizing information security, data privacy, and risk management.
• Serve as the organization's primary contact for data protection matters, ensuring robust adherence to privacy regulations and effective incident response.
• Liaise with regulators, auditors, and data subjects regarding IT governance and privacy issues.
• Support company secretarial and corporate governance functions across multiple jurisdictions, ensuring compliance with local and international laws.
• Manage communication and collaboration among internal departments and external partners for compliance-related projects.
• Assist in the implementation of special projects related to IT security, data protection, and corporate compliance.

Requirements:

• Bachelor's degree in Information Systems, Business Administration, Law, or a related discipline.
• 2–5 years' experience in IT compliance, information security governance, or audit roles within regulated industries.
• Familiarity with ISO 27001, SOC 1/2, or similar certification frameworks and audit processes.
• Experience with intellectual property management or cross-border company governance is an advantage.
• Strong analytical skills, attention to detail, and a proactive approach to identifying and resolving compliance issues.
• Excellent organizational and multitasking abilities, with strong interpersonal and communication skills.
• Proficiency in English, Cantonese, and Mandarin is highly valued.
• Comfortable using Microsoft Office and other compliance or audit management tools.

KPMG China provides multidisciplinary services from audit and tax to advisory, with a strong focus on serving our clients' needs and their industries. Not only do we have an overriding commitment to provide the highest quality services for our clients, but we also strive to become a responsible corporate citizen that has a positive impact on our environment and community. At KPMG, you'll translate insights into action and reveal opportunities for all—our teams, our clients and our world.

Service Line Overview

We are seeking Data Governance practitioners to join our Technology Consulting practice. This role focuses on managing data governance issues for our clients by helping them to identify data risks within the organization and defining strategy as well as carry out implementation of solutions to address the risks.

In KPMG's Consulting practice, we don't limit ourselves to either strategy or implementation. Instead, we deliver both.  Our team in Hong Kong represents a young and enthusiastic team that always pushes itself to succeed.  Since our creation, we've developed in-depth knowledge of an incredibly broad spread of sectors and services.

Key Responsibilities

• Assess risks, identify gaps and provide advice on data protection and privacy for our clients
• Evaluate data privacy and data protection practices of our clients
• Conduct Privacy Impact Assessments
• Deploy processes to manage privacy matters and stay compliant with relevant regulations
• Support data governance engagements across the full set of capabilities at KPMG, including data strategy, data privacy governance and policy, privacy by design, personal data protection, personal data lifecycle management, third party management, compliance and risk management
• Identify and communicate engagement findings to management and client personnel
• Simultaneously work on multiple client engagements of varying size, scope and complexity
• Conduct research focused on identifying emerging technology solutions that reduce costs, increase efficiencies, provide more value, provide more capabilities, reduce risks, and increase data protection
• Communicate best practices by giving presentations, working with project teams, and authoring content aimed at educating others about standards, strategies, and otherwise defined best practices
• Work individually and collaboratively with team members to ensure breadth and granularity of strategies, standards and reference architectures for consistency and integration
• Drive preparation of proposals and put together solutions, supporting literature, diagrams, write-up, responses, etc.

Experience & Background

• Bachelor / Master degree from an accredited college / university in Computer Science, Law or other related field
• Privacy and data protection certifications preferred (e.g. CIPP, CIPM, CIPT)
• Minimum of 5 years' experience in data privacy and data protection, ideally within a professional services environment or internal consultancy function delivering privacy related services
• Profound knowledge of data protection regulations, especially Hong Kong's PDPO, European's GDPR and China's Personal Data Protection Law
• Understanding of data privacy, confidentiality and data protection from a process and risk perspective
• Experience and knowledge in performing privacy impact assessments, privacy compliance assessments, design of data privacy policies and guidelines, personal data flow mapping and analysis, implementation of privacy training and awareness programs and advising on privacy by design
• Experience with usage or implementation of privacy tools preferred
• Appetite to develop your privacy skills further
• Excellent written and verbal communication skills in English and Chinese (Mandarin or Cantonese)
• Strong client services orientation and accustomed to taking an active role in executing client engagements
• Candidate with less experience will be considered as Senior Consultant

About KPMG

At KPMG China, we are committed to being an equal opportunity employer, with zero tolerance for any form of discrimination against any persons. It is important for us to create an inclusive, diverse and agile workplace for our people to develop and thrive at both a personal and professional level.

We strive to make ESG (environmental, social and governance) a watermark running through our organisation; from empowering our people to become agents of positive change, to providing better solutions and services to our clients to help them achieve their ESG goals. View Our Impact Plan to learn more about our ESG commitments and progress across four key pillars - Governance, People, Planet and Prosperity – and how we make a positive impact on our people, environment and society.

We encourage you to come as you are, and we welcome all qualified candidates to apply, and hope you unlock opportunities with us. Visit KPMG China website for more company information.

You acknowledge and agree that all personal information hereby provided regarding yourself will be used by KPMG China for its candidate selection purposed only. KPMG China collects, uses, processes, and retains your personal information in accordance with KPMG China's Online Privacy Statement and/or KPMG China Privacy Statement (collectively "Privacy Statement"). During the recruitment process, KPMG China may need to store personal information of candidates in a designated third-party application tracking platform.

If you have any questions regarding the information you provided in the form or your job application in general, please contact KPMG China's HR personnel in the location where your application is submitted (see here).

Job Purpose:

Assist Head of Information Security to ensure adequate and effective controls are in place.

Main Responsibilities:

• Support security tools including network firewall, DLP, SIEM, vulnerability scanning,
• micro-segmentation
• Review the firewall rule change requests; conduct the modification or reject if the request
• may expose the Group to unacceptable risk
• Act as project manager role on information security projects
• Provide technical guidance to systems and network team regarding security configurations
• Analyse cybersecurity incidents and make recommendations on remedial actions.
• Define and design adequate security controls to maintain secure control environment.
• Conduct regular security assessment on systems, network and IT infrastructure
• Provide security advisory service to stakeholders on new initiatives and development
• projects.
• Maintain Cyber Incident Response plan and playbook. Assist cyber incident response drill
• in regular basis.
• Monitor and govern external service providers, including both outsourcing service
• providers and connected third parties, to deliver the services as per the Group's security
• requirements.

Incumbent Requirements:

• Minimum 6 years of relevant work experience in technology risk, information security
• and cybersecurity
• University graduate in Computer Science / Information Technology or equivalent.

• One or more certificates listed below:

• ISC2 Certified Information Security Professional (CISSP)

• ISACA Certified Information System Auditor (CISA)
• ISACA Certified Information Security Manager (CISM)
• ISC2 Certified Cloud Security Professional (CCSP)
• Good knowledge in cybersecurity, Intrusion Detection/Prevention System and
• application security of finance/banking systems, in particular hands on experience in
• firewall management
• Experience in regulators' requirement on technology risk management including the
• Cyber Resilience Assessment Framework (CRAF) and Customer Security Controls
• Framework of SWIFT
• Strong information security sense in relation to business requirements
• Mature, independent and able to deliver quality results under tight schedule

Please note that only shortlisted candidates will be notified.

Job Purpose:

Assist Head of Information Security to ensure adequate and effective controls are in place.

Main Responsibilities:

• Support security tools including network firewall, DLP, SIEM, vulnerability scanning, micro-segmentation;
• Review the firewall rule change requests; conduct the modification or reject if the request may expose the Group to unacceptable risk;
• Act as project manager role on information security projects;
• Provide technical guidance to systems and network team regarding security configurations;
• Analyse cybersecurity incidents and make recommendations on remedial actions;
• Define and design adequate security controls to maintain secure control environment;
• Conduct regular security assessment on systems, network and IT infrastructure;
• Provide security advisory service to stakeholders on new initiatives and development projects;
• Maintain Cyber Incident Response plan and playbook. Assist cyber incident response drill in regular basis;
• Monitor and govern external service providers, including both outsourcing service providers and connected third parties, to deliver the services as per the Group's security requirements.

Incumbent Requirements:

• Minimum 6 years of relevant work experience in technology risk, information security and cybersecurity;
• University graduate in Computer Science / Information Technology or equivalent;

• One or more certificates listed below:

• ISC2 Certified Information Security Professional (CISSP)

• ISACA Certified Information System Auditor (CISA)

• ISACA Certified Information Security Manager (CISM)

• ISC2 Certified Cloud Security Professional (CCSP)

• Good knowledge in cybersecurity, Intrusion Detection/Prevention System and application security of finance/banking systems, in particular hands on experience in firewall management;

• Experience in regulators' requirement on technology risk management including the Cyber Resilience Assessment Framework (CRAF) and Customer Security Controls Framework of SWIFT;
• Strong information security sense in relation to business requirements;
• Mature, independent and able to deliver quality results under tight schedule.

Please note that only shortlisted candidates will be notified.

Position Overview

We are seeking an experienced and strategically minded Information Security Officer to join our organization. In this role, you will be the key architect and executor of the company's information security strategy, responsible for building, maintaining, and continuously optimizing our information security framework.

Your work will play a critical role in protecting our core trading systems, sensitive client data, and essential business infrastructure—ensuring that our operations remain secure, stable, and compliant with global financial regulatory standards.

Key Responsibilities

Strategy and Governance

• Develop, implement, and continuously refine the company's overall information security strategy, roadmap, and policy framework.
• Report the organization's security posture, major risks, and governance updates to senior management and the board of directors.
• Establish and promote a strong information security culture across the organization through comprehensive training and awareness programs.

Compliance and Risk Management

• Lead and ensure compliance with all applicable financial industry laws, regulations, and supervisory requirements (including CSRC, Cybersecurity Law, Data Security Law, Personal Information Protection Law, GDPR, etc.).
• Oversee internal and external security audits and compliance reviews and ensure timely remediation of audit findings.
• Conduct regular information security risk assessments to identify threats and vulnerabilities affecting trading platforms, client data, and company assets, and drive the implementation of risk mitigation measures.

Technical Security and Defence

• Supervise the implementation and operation of security controls across network, system, application, and data layers—including but not limited to firewalls, IDS/IPS, SIEM, WAF, and endpoint protection.
• Ensure the confidentiality, integrity, and availability of the production trading environment.
• Manage security relationships with cloud service providers (such as Azure) and third-party partners, including security posture assessments.

Security Operations and Incident Response

• Lead the Security Operations Centre (SOC) team in monitoring, analyzing, and responding to security incidents.
• Develop and maintain a comprehensive incident response plan and organize regular simulation exercises.
• Serve as the overall incident commander during actual security events, ensuring effective containment, eradication, and recovery.
• Oversee the vulnerability management process, coordinating with technical teams on scanning, assessment, prioritization, and remediation.

Data Security and Privacy Protection

• Design and implement data classification and protection programs, including DLP, encryption, and access control policies.
• Ensure the full lifecycle protection of sensitive data such as client transaction data and personally identifiable information (PII).

Qualifications

Basic Requirements

• Bachelor's degree or above in Computer Science, Information Security, or a related field.
• Over 8 years of experience in information security, with at least 3 years in a managerial or equivalent role within the financial industry (especially securities, futures, or trading platforms).
• Holder of internationally recognized security certifications such as CISSP, CISM, or CISA.

Knowledge and Skills

• Financial Industry Compliance Expertise: Deep understanding of cybersecurity and IT governance requirements set by domestic and international financial regulators.
• Strong Technical Foundation: Proficient in network security architecture, operating system security (Linux/Windows), database security, and application security. Familiarity with trading system technology stacks is a strong plus.
• Hands-on Security Experience: Extensive experience in security incident investigation, incident response, and threat hunting; well-versed in common attack techniques and defense strategies.
• Leadership and Communication: Excellent leadership, communication, and coordination skills; capable of leading cross-functional collaboration with technology, business, risk, and compliance teams.
• Strategic Thinking: Ability to align business objectives with security goals and develop practical, effective security strategies.

We Offer

• Highly competitive compensation package and performance-based bonuses.
• The opportunity to play a key leadership role in shaping cybersecurity at the forefront of the fintech industry.
• A professional, open, and intellectually challenging work environment.
• Comprehensive benefits and a structured career development pathway.

工作類型: 全職

薪酬: 最多每月 $60,000.00

Work Location: 親身到場

Job Purpose

You will be responsible for carrying out information security functions and activities for the Technology function.

Responsibilities

• Protect the confidentiality, integrity and availability of all assets and systems through monitoring, detection, and analysis activities
• Review and assess information security requests to determine compliance with organizational policies and standards.
• Prepare and present cybersecurity-related reports, highlighting risks, incidents, and remediation efforts.
• Facilitate the annual recertification process for user access and security controls.
• Collaborate with IT teams to implement security measures, and remediate the audit findings
• Participate in and manage security-related projects to enhance overall security posture.
• Support Information security team to develop and implement security policies, procedures and guidelines
• Validate information security controls effectiveness and agreed deliverables to assure security standards/plans are achieved.
• Review the current IT Security solution and Security Policy to identify potential gaps within the organisation
• Undertake monitoring of security controls and policy adherence in line with Bupa policies based on ISO27001 and NIST Cybersecurity
• Monitor the security controls for security breaches and investigate violations
• Conduct risk and vulnerability assessment at the network, system and application level, and assess resulting impact on risk

Qualifications, Training and Experience

• Relevant Bachelor's/Master's degree holder from a recognized university
• 3-5 years of relevant work experience on managing security technologies
• Work experience in cloud security solution experience (Wiz preferred)
• Work experience in web proxy / SASE solutions (Palo Alto Prisma SASE preferred)
• Work experience cloud platforms (Azure, GCP preferred)
• Experience in managing security solutions, such as Wiz, Palo Alto Prisma, Zscaler, MS Defender, Imperva, Cloudfare
• Scripting skills, such as Terraforms, MS PowerShell, Python
• Good communication skills and the ability to collaborate well with across departments
• Able to demonstrate a positive, logical, and proactive approach while executing the assigned tasks
• Certification holder in information security (CISSP, CISA, etc.) will be an advantage.
• Ability to prioritize work and design schedules to meet the desired requirements

Bupa offers 5 days' work per week and comprehensive remuneration packages including base salary, study assistance plan, company pension plan, life and medical benefit, dental benefit, annual leave, examination leave, etc.

Bupa is an equal opportunity employer and welcomes applications from qualified candidates. Information provided will be treated in strict confidence and only be used for consideration of application with Bupa.

Personal data collected will be used for recruitment purposes only. Bupa will be in touch for any opportunities that matches your profile. All personal data of unsuccessful application will be destroyed 24 months from the date of receiving the application. Full version of Data Privacy Notice available upon request.

Develops and leads one or more of the following highly technical and specialized areas within information security: Security Engineering, Security Architecture, Forensics Analysis, Threat Analysis, Threat Hunting and Penetration Testing. Manages the development, deployment and execution of enterprise security controls and defenses. Monitors, analyzes and exploits system vulnerabilities to detect potential threats. Executes containment, mitigation and protection processes to safeguard against real time threats while maintaining critical documentation and evidence. Determines risk and exposure from security breaches and resolves incidents while providing guidance to business decision-makers.

• Tracks and supports the delivery of information security solutions. Manages the tactical activities of installing and configuring of security systems, software and applications. Coordinates responses to intrusions and provide remediation guidance and support.
• Coordinates resources on highly complex development projects including approval of design specifications and scope. Provides input to short-term security technology roadmaps regarding applicability of new technologies. Disseminates updates to InfoSec Architectural policies, standards and guidelines to team members.
• Reviews forensic investigations and analysis of reported cyber incidents to evaluate root cause vectors and necessary control measures needed to prevent future occurrence. Implements appropriate countermeasures to recover deleted, hidden or lost user data.
• Coordinates research and analysis of threat actor profiles and associated indicators to detect potential threats. Implements recommended actions and security tools to identify, monitor and mitigate attacks. Coordinates with external security organizations to exchange threat intelligence.
• Coordinates complex threat assessment to evaluate incident impact and risk exposure. Reviews cyber operations intelligence and/or indications and warnings intelligence products (e.g., threat assessments, briefings, intelligence studies, country studies), and draws conclusions on possible implications or applicability. Guides the threat intelligence collection process to enhance analytical capabilities.
• Manages execution of penetration testing activities on core systems. Articulates the outcome of stimulated attacks and underlying security issues or system weaknesses. Recommends and institutes remediation techniques or improvements to protect and maintain security frameworks and controls.
• Supports the evaluation and selection of security applications and systems. Manages the implementation of access control defenses. Provides quality review on the evaluation and documentation of team procedures. Manages development, deployment and support activities for multiple critical security technologies to include problem resolution and management, application maintenance, project requests and system enhancements.
• Not an exhaustive list; other duties as assigned.

Minimum Qualifications

• Bachelor's Degree. Relevant Experience or Degree in: Information Security or Computer Science preferred. Other majors will be considered.
• Typically a minimum of 6 years experience.
• related professional experience and prefer a minimum of 1-2 years experience in a supervisory position.
• One or more of the following-CISSP, CISA, CISM, PCI-QSA, PA-QSA, PCIP, CRISC, CGEIT, Certified Forensic Computer Examiner (CFCE), Certified Cyber Threat Analyst (CCTA), Certified Computer Examiner (CCE)

Preferred Qualifications

• Prior payment or technology industry experience is preferred.
• Master's Degree in a related field of study from an accredited university.