Data Protection Officer

Over the past 17 years, Medanta has created an unrivalled impact in delivering world class multi-specialty care for patients in India. We have hospitals in Gurgaon, Lucknow, Patna, Indore, Noida & Ranchi. In addition, we have clinics in Defence Colony (South Delhi), Cybercity & Subhash Chowk (Gurgaon), and at the Delhi Airport. Medanta is constantly growing and has also ventured in Retail vertical through Diagnostics (Laboratory Services) and Pharmacies. We also have also launched homecare services. We further plan to scale up existing facilities and expand into a few more geographical areas and also identify new avenues (Academics - Medical College) within the Healthcare eco-system. As we continue to scale and grow into new geographies, explore innovative methods of healthcare delivery, we are looking to hire exceptional talent to achieve our vision and grow in the process to achieve their professional aspiration.

Role Summary

The Data Protection Officer (DPO) will be responsible for ensuring the hospitals compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) including formulation, implementation, and monitoring of data protection policies and controls. The role serves as an independent function working collaboratively cross-functionally with and the primary point of contact for regulators and data principals.

Key Responsibilities

• Act as the statutory DPO under DPDPA, GDPR, and applicable healthcare regulations
• Serve as the key contact for regulators, including the Data Protection Board of India and CERT-In
• Provide privacy leadership to executive and compliance committees
• Implement privacy-by-design principles across healthcare operations and digital initiatives
• Conduct Privacy Impact Assessments (PIAs), vendor risk assessments, and manage breach response and notifications
• Oversee data subject rights processes, including access, correction, erasure, consent management, and grievance handling
• Develop and maintain privacy policies, governance frameworks, and compliance controls for healthcare data
• Review privacy obligations in contracts with vendors, insurers, laboratories, and technology partners
• Lead privacy incident investigations, regulatory reporting, root cause analysis, and corrective actions
• Establish privacy monitoring, audit, logging, and reporting mechanisms
• Deliver privacy awareness and training programs across clinical, administrative, and technology teams

Qualifications & Experience

• Bachelors degree in Law, Information Security, Computer Science, Healthcare Administration, or related field
• 2-14 years of experience in data protection, healthcare compliance, information security, or risk management in hospital environment
• Hands-on experience with healthcare data breaches, regulatory audits and investigations will be preferred

Preferred certifications

• CIPP/A and/or CIPM (IAPP)
• ISO IEC 27701 Lead Implementer or Auditor
• ISO 27001 Lead Implementor Auditor

Mandatory Knowledge Areas

• Strong working knowledge of the DPDP Act 2023, including Significant Data Fiduciary obligations, and related sectoral laws crucial for navigating data transfers, contracts, and compliance.
• GDPR health data requirements, DPIAs, and cross border transfers. o HIPAA Privacy Rule and Security Rule
• Healthcare specific consent, medical necessity, and lawful processing frameworks
• Cloud security, logging, monitoring, and breach risks in healthcare systems
• Good grasp of IT processes, data mapping, cybersecurity, and privacy-enhancing technologies
• Expertise in data mapping, consent management, DPIAs, incident response, security safeguards, and handling data principal rights/grievances