Senior Specialist, Data Privacy & Compliance

Do meaningful work with us. Every day.

At Amplify Health, we’re looking for individuals with ambition, resilience and passion for healthcare, insurance, wellness  and digital technology. As a fast-growing business with the ambition of making people and communities across Asia healthier, we have exciting career opportunities available to help us achieve our vision.

The Senior Specialist, Data Privacy & Compliance will serve as Amplify Health’s principal privacy and compliance specialist, responsible for establishing and maintaining a comprehensive data privacy governance framework while driving broader compliance, data governance, and risk management capabilities across all operating markets.
Reporting to the General Counsel and Chief Risk Officer, this role anchors on data privacy (approximately 60% of scope) while extending into data and AI/ML governance, vendor and information security risk management, and enterprise-wide compliance policy and training.
You will lead privacy impact assessments, manage data breach response protocols, oversee data subject access requests, and serve as the primary liaison with data protection regulators. Beyond the privacy core, you will shape data classification and retention policies, support AI/ML governance frameworks, conduct vendor risk assessments, and drive compliance training and contract support across the organisation. This position is critical to safeguarding stakeholder trust and ensuring Amplify Health maintains the highest standards of data stewardship as the organisation scales its health data and AI capabilities across the region.

Responsibilities

1) Data Privacy Governance & Framework

• Design, implement, and continuously improve Amplify Health’s data privacy governance framework, policies, and procedures across all operating markets in Asia.
• Develop and maintain the organisation’s data protection policies, privacy notices, and consent frameworks in alignment with applicable regulations in our core markets Singapore, Hong Kong, Thailand, Malaysia, Philippines, Indonesia and India.

2) Privacy Impact Assessments, Incident Response & Regulatory Liaison

• Conduct Data Protection Impact Assessments (DPIAs) for new products, services, and data processing activities, ensuring privacy-by-design principles are embedded from inception.
• Identify, assess, and mitigate data privacy risks across the organisation, maintaining the privacy risk register and reporting to senior leadership on risk posture.
• Review and assess third-party vendors and partners for data privacy compliance, including due diligence on data processing agreements and cross-border data transfer mechanisms.
• Lead the data breach response process, including investigation, containment, notification to regulators and affected individuals, and post-incident remediation.
• Serve as the primary point of contact with data protection authorities (including Singapore’s PDPC) and manage all regulatory inquiries, audits, and reporting obligations.
• Manage the data subject access request (DSAR) process, ensuring timely and compliant responses to access, correction, and deletion requests.

3) Data Governance & AI/ML Governance

• Develop and maintain data classification schemes, data ownership frameworks, and retention policies that govern the organisation’s health data assets across all markets.

• Support the development of AI/ML governance frameworks, including model risk assessment, algorithmic fairness and explainability requirements, and responsible AI policies aligned with emerging regulatory expectations.

• Establish and maintain data lineage documentation, ensuring traceability of data flows across systems and third-party integrations to support both privacy compliance and broader data quality objectives.

4) Vendor Risk & Information Security Governance

• Lead third-party and vendor risk management processes, including data processing agreement reviews, vendor security assessments, subcontractor oversight, and cross-border data transfer mechanism evaluations.
• Contribute to information security governance at the policy level, including access control frameworks, incident response planning, and cloud risk assessment, working collaboratively with the technology and security teams.

5) Policy, Training & Awareness

• Design and deliver enterprise-wide compliance training programmes spanning data privacy, information security awareness, and regulatory obligations, ensuring all employees understand their responsibilities.
• Draft and maintain enterprise-wide compliance policies, standards, and procedures, championing a culture of accountability and ethical data use across the organisation.

6) Internal Audit & Controls

• Design and execute control testing across privacy and broader compliance domains, maintaining audit-ready evidence and managing remediation of findings.
• Support internal and external audit processes, including regulatory examinations, by preparing documentation, coordinating responses, and tracking remediation actions to closure.

Candidate Profile

Experience and Qualifications

• Over 8+ years of experience in data privacy, data protection compliance, or a related regulatory/governance role, ideally within health, technology, or a data-intensive environment. Experience spanning adjacent domains such as data governance, vendor risk management, or information security governance is highly valued.
• Demonstrated success in building or significantly enhancing data privacy and compliance governance frameworks, policies, and operational processes within a multi-jurisdictional environment across Asia-Pacific (e.g., SG PDPA, MY PDPA, Thailand PDPA, Philippines DPA, India DPDPA).
• Proven experience in conducting Data Protection Impact Assessments (DPIAs), managing data breach incidents, handling regulatory inquiries, managing data subject access request processes, and conducting vendor risk assessments or third-party due diligence.
• Bachelor’s degree in Law, Information Technology, or related field required.
• Professional certifications such as CIPP/A, CIPM, CIPT, CISA, or equivalent are highly desirable. Familiarity with AI/ML governance concepts, responsible AI principles, or ISO 27001/27701 frameworks is a plus.

Competencies & Core Characteristics:

We are seeking a leader who embodies the following competencies and characteristics essential for success in our scale-up environment:

• Technical Domain Expertise: Demonstrates deep mastery of data protection laws, privacy frameworks, and broader compliance methodologies across Asia-Pacific jurisdictions. Applies regulatory and governance knowledge with precision to solve complex privacy, data governance, and vendor risk challenges, and guides the organisation through evolving requirements including emerging AI/ML regulation.
• Strategic Architect: Translates business and regulatory requirements into a cohesive privacy and compliance strategy that enables the organisation to innovate responsibly. Anticipates regulatory trends across data protection, AI governance, and insurance compliance, and proactively shapes frameworks that position Amplify Health as a trusted custodian of health data.
• Data-Driven Decisiveness: Uses privacy metrics, incident data, audit findings, and risk analytics to inform compliance priorities and demonstrate programme effectiveness across privacy, governance, and vendor risk domains. Balances quantitative evidence with regulatory context to drive timely, well-reasoned decisions.
• Resilient Operator: Thrives under pressure during data breach incidents, regulatory inquiries, and audit cycles, maintaining composure and sound judgment. Adapts quickly to shifting regulatory landscapes across multiple markets and manages concurrent compliance, governance, and vendor risk workstreams with rigour and attention to detail.
• Customer-Obsessed Advocate: Actively partners with product, technology, data, and commercial teams to ensure privacy and compliance considerations are embedded into the customer and partner experience without creating unnecessary friction. Champions data subject rights, responsible AI practices, and transparent stakeholder communication.

You must provide all requested information, including Personal Data, to be considered for this career opportunity. Failure to provide such information may influence the processing and outcome of your application. You are responsible for ensuring that the information you submit is accurate and up-to-date.