Reports to: Associate General Counsel – Privacy, Data & AI Compliance - DPO
The Group Legal and Compliance (GLC) department handles a range of commercial, corporate, employment law, data privacy, competition law and regulatory matters. We also develop and implement Cathay’s compliance policies and programmes, including competition, anti-bribery, sanctions and data privacy.
As the Senior Privacy, Data & AI Compliance Legal Counsel, you will be part of a team which supports the Associate General Counsel – Privacy, Data & AI Compliance – DPO to inform and advise the Cathay Pacific Group on Privacy and Data Protection Regulations (e.g. the Hong Kong Personal Data (Privacy) Ordinance (“PDPO”), Mainland China’s Personal Information Protection Law (“PIPL”), and the EU General Data Protection Regulation (“GDPR”)); Artificial Intelligence Laws (e.g. the EU AI Act and Mainland China’s Interim Measures for the Management of Generative AI Services); and Data Security Regulations (e.g. the HK Protection of Critical Infrastructure (Computer System) Regulation and the Data Security Law of the PRC), together referred to in this document as “Data Laws”.
Key Responsibilities
- Support the Associate General Counsel – Privacy, Data & AI Compliance - DPO on the development, implementation and management of the frameworks to comply with the Privacy & Data Protection and Artificial Intelligence Laws
- Manage Cathay’s Incident Response processes (i.e. Personal Data and AI), including investigation and internal and external reporting, and advise on the implementation of controls to prevent a recurrence; develop and keep updated the Data Protection Addendum (DPA) template and AI compliance clauses and advise on their negotiation and execution
- Manage the relevant process for the timely response to privacy-related individuals’ rights requests (e.g. access, deletion, rectification, etc.), and oversee the response to data access requirements from law enforcement and other competent authorities (e.g. Police, Immigration, Tax, Securities, etc.)
- Manage and support Cathay’s Business Units on the execution of assessments to comply with the Data Laws, including Privacy Impact Assessment, Legitimate Interest Assessment, Transfer Impact Assessments, AI Impact Assessments, and advise based on the outcome of such exercises
- Advise on the implementation of Cathay’s transparency controls, including privacy notices (e.g. for customers, employees, and job applicants), Personal Information Collection Statements (PICS) templates, cookies notices and AI transparency notices (e.g. on chatbots, recruitment filters, etc.), and keep those updated to comply with the Data Laws
- Support the Associate General Counsel – Privacy, Data & AI Compliance - DPO to manage the Cathay Record Retention and Management Policy and the Cathay Data Classification Policy, and keep the relevant Steering Committees and senior management abreast of the status of Cathay’s obligations under the Data Laws
- Advise IT Risk & Security and other relevant Business Units regarding Cathay’s obligations under Data Security regulations, including, for example, the Hong Kong Protection of Critical Infrastructure (Computer System) Regulation and the Data Security Law of the PRC
- Develop, roll out and keep updated the training modules and awareness communications that keep Cathay Pacific Group informed of its obligations under the Data Laws (e.g. general awareness e-modules, role-based training, etc.)
- Periodically monitor the appropriate implementation of controls to comply with the Data Laws. Coordinate, in relation to the above responsibilities, with other key teams within Cathay Pacific Group, including IMT, People and Digital
- Apply legal expertise to make legal interpretations that translate a requirement into operational processes/controls, draft legal documents (e.g. privacy notices, contracts, responses to regulators and other authorities, etc.), negotiate contracts, etc.
Requirements
- A good knowledge of Hong Kong, the Chinese Mainland, and European data protection laws and practices, and a good understanding of how these regimes relate to both customer and employee personal data. Deep understanding of other privacy and data protection regimes (e.g. Singapore, US) would be an advantage
- Experience advising on AI and data security regulations is preferred
- Law degree with 8+ years of experience specializing in data protection and privacy and holding privacy and AI-related certifications (e.g. CIPM, CIPP, AIGP) will be considered as Privacy, Data & AI Compliance Manager OR an 8+ year PQE lawyer with experience in privacy and/or AI matters gained in a reputable law firm will be considered as Senior Legal Counsel. In-house experience in an organization that has substantial data operations is preferred
- Experience of promoting a data protection culture in a large organisation, and dealing with issues relating to both customer and employee data
- High proficiency in office applications (including Word, PowerPoint, Excel and SharePoint). Experience in using OneTrust and / or other privacy management software is advantageous
- Fluent spoken and written English. Good spoken and written Cantonese and Putonghua are an advantage. Excellent communication and presentation skills, and able to interact with Senior Management with polished interpersonal skills
- Able to work and solve problems independently with minimum supervision. High attention to detail, and able to see and understand the bigger picture
- Extremely well organised and good at planning and managing their time; mature, with a high sense of responsibility and accountability for their work
- Ability to work flexibly and on multiple tasks and able to work with minimal supervision and guidance
- Excellent team player and able to work with people at all levels across the organisation
Deadline: 02 APR 2025
Personal & Application Information
Cathay Pacific is an Equal Opportunities Employer. Personal data provided by job applicants will be used strictly in accordance with our personal data policy and for recruitment purposes only. Candidates not notified within eight weeks may consider their application unsuccessful. All related information will be kept in our file for up to 24 months. A copy of our Personal Information Collection Statement will be provided upon request by contacting our Data Protection Officer.