hmi managed healthcare

Compliance, Licensing & Data Protection Manager (DPO)

8-12 Years
  • Posted 16 hours ago

Job Description

Compliance, Licensing & Data Protection Manager (DPO)

Role Overview

The Compliance, Licensing & Data Protection Manager will be responsible for leading MHC's data protection, risk, and compliance framework, including all licence and grant applications, ensuring the organisation meets all regulatory, contractual, and certification requirements.

This role also serves as the appointed Data Protection Officer (DPO) under Singapore's Personal Data Protection Act (PDPA), and is expected to provide clear, practical, and commercially sound advice to the business on data protection, regulatory, licensing, and compliance matters.

The role will work closely with Business Units, Technology, Operations, Finance, and Group Legal, and is critical in ensuring MHC maintains strong governance standards while enabling business growth and unlocking new commercial opportunities through licensing and grant funding.

Key Responsibilities

Data Protection Leadership (DPO Function)

  • Serve as the appointed Data Protection Officer (DPO) for MHC
  • Ensure compliance with the Personal Data Protection Act (PDPA) and related regulations
  • Develop, review, and update:
      • Privacy Notices
      • Terms of Use
      • Data protection policies and procedures
  • Provide practical, timely advice to business teams on:
      • data sharing arrangements
      • client contracts and integrations
      • product and platform design (e.g. telemedicine, claims, apps)
  • Lead and manage Data Protection Impact Assessments (DPIA)
  • Handle data incidents, breaches, and regulatory reporting, including PDPC engagement where required

Governance, Risk & Compliance (GRC)

  • Develop, review, and maintain risk and compliance policies and frameworks
  • Monitor and advise on regulatory developments, including:
      • PDPC (data protection)
      • MAS guidelines (e.g. TRM, TPRM where applicable)
      • MOH and other healthcare-related regulatory developments where relevant
  • Provide business-facing guidance on regulatory implications and risk mitigation
  • Support and align with Group ERM and Legal functions

Enterprise Risk Management (ERM)

  • Lead and manage MHC's enterprise risk management framework, including:
      • Business Continuity Management (BCM) Risk Assessments
      • Technology Risk & Vulnerability Assessments (TVRA)
      • Anti-Money Laundering Risk Assessments (AML RA)
      • Data Protection Impact Assessments (DPIA)
      • Business Impact Analysis (BIA)
  • Track and report key risks, and ensure mitigation actions are implemented

Certifications & Audit Management

  • Lead and support certification and audit activities, including:
      • ISO 27001 (Information Security Management System)
      • ISO 22301 (Business Continuity Management)
      • OSPAR Attestation
  • Maintain and update documentation to ensure ongoing compliance
  • Support MHC's ambition to achieve Singapore Data Protection Trustmark (DPTM)

Licence & Grant Applications

  • Lead all new licence applications required by MHC's business activities, including but not limited to insurance-related licences, healthcare-related approvals, and any other regulatory licences applicable to MHC's products and services
  • Identify licensing requirements early in the product / business development cycle and advise the business on regulatory pathways, timelines, and feasibility
  • Prepare, coordinate, and submit licence applications, ensuring all supporting documentation, policies, and controls are in place
  • Serve as the primary liaison with regulators (e.g. MAS, MOH, PDPC, IMDA, and other relevant authorities) for licence-related matters
  • Manage ongoing licence obligations, including renewals, reporting, variations, and notifications
  • Lead grant applications relevant to MHC, including but not limited to government grants, innovation grants, digitalisation grants, and sector-specific funding (e.g. EDG, PSG, MAS FSTI, IMDA, Enterprise Singapore schemes)
  • Identify and assess grant opportunities, working with Business Units, Technology, and Finance to scope eligible projects and prepare strong submissions
  • Manage grant lifecycle: application, approval, claims, milestone reporting, audit, and acquittal
  • Maintain a centralised tracker of licences held, licences pending, grant applications, and associated obligations
  • Engage external consultants or advisors where appropriate, and manage them to deliver value-for-money outcomes

Data Governance & Legal Support

  • Support data governance initiatives in collaboration with Group Legal
  • Provide input and review on:
      • data-related contractual clauses
      • client and partner agreements
  • Ensure appropriate controls are in place for data access, sharing, and retention

Client, Vendor & Regulatory Due Diligence

  • Support client due diligence requests, audits, and RFP requirements
  • Manage vendor due diligence (VDD) assessments, particularly for technology and data vendors
  • Represent MHC in client audits and compliance discussions

Incident Management & Corrective Actions

  • Lead investigation and management of compliance and data-related incidents
  • Manage and track Corrective Action Reports (CAR) to closure
  • Ensure root cause analysis and implementation of preventive measures

IT Security & Operational Support

  • Work with Technology teams on:
      • ISMS (Information Security Management System)
      • BCMS (Business Continuity Management System)
  • Support security exercises, audits, and risk assessments

Key Requirement (Critical for Success)

  • Must be able to advise the business clearly and confidently on data protection, compliance, and licensing matters, including:
      • interpreting PDPA in real business scenarios
      • guiding commercial decisions involving data
      • balancing regulatory compliance with operational practicality
      • identifying and pursuing licence and grant opportunities that support business growth

Requirements

  • Bachelor's degree or Diploma in Law, Business, Information Security, or a related field
  • 8–12 years of experience in data protection, compliance, risk, or governance roles
  • Strong working knowledge of:
      • Singapore PDPA and PDPC guidelines
      • Data protection practices within healthcare, insurance, or financial services sectors
  • Must have experience with:
      • ISO 27001, ISO 22301, and audit frameworks
      • Enterprise risk management processes
      • Regulatory audits and client due diligence
  • Demonstrated experience in leading licence applications and/or grant applications (e.g. MAS, MOH, IMDA, Enterprise Singapore, or equivalent regulatory / funding bodies) is highly preferred
  • Familiarity with MAS Technology Risk Management (TRM) and Third Party Risk Management (TPRM) guidelines is an advantage
  • Experience or exposure to Singapore Data Protection Trustmark (DPTM) is preferred
  • Strong project management, stakeholder management, and written communication skills, with the ability to manage multiple regulatory and funding workstreams concurrently

More Info

Job ID: 147334823
