Carousell Group is the leading recommerce group in Greater Southeast Asia on a mission to inspire the world to start selling, and to make secondhand the first choice. Founded in August 2012 in Singapore, the Group has a leading presence in eight markets under the brands Carousell, Cho Tot, Laku6, Mudah.my, OneKyat, Ox Street, and Refash, serving tens of millions of monthly active users. Carousell is backed by leading investors including Telenor Group, Rakuten Ventures, Naver, STIC Investments and Sequoia Capital India. 

As a team of passionate individuals working together to solve meaningful problems, there is so much more for you to discover in a career with Carousell. Our culture is made up of hiring, developing, and promoting people who embody our values of solving problems for our users; having a mission-first mindset; being relentlessly resourceful; caring deeply; and staying humble to constantly improve. Together as an organisation, we make magic happen.

The Legal team is responsible for all legal and compliance aspects of Carousell's operations across all countries where Carousell has a local presence including Malaysia, Hong Kong, Taiwan, Indonesia, Philippines, Singapore  and Vietnam. This role will cover multiple markets. 

We are seeking a motivated and commercially aware individual to join our legal team as a Regional Personal Data Specialist. This role presents an excellent opportunity to contribute to a dynamic and growing organisation by providing practical legal advice that empowers the business to achieve its goals.

What We Offer:

• Mentorship and Growth: A supportive team environment with opportunities for professional development and mentorship.

• Impactful Work: The chance to contribute to a growing company and gain exposure to diverse legal matters.

• Collaborative Culture: A team-oriented approach to problem-solving and achieving business goals.

This role will report to the General Counsel

• Stay informed of all relevant laws, regulations, and industry best practices relevant to the Group. This includes tracking legislative changes, regulatory updates, and enforcement actions.

• Provide expert guidance on data protection laws and regulations relevant to the Group, including but not limited to Personal Data Protection Act of Singapore, and other relevant local regulations.

• Conduct personal data impact assessments and data protection risk assessments to identify and mitigate potential privacy and security risks.

• Develop, implement, and maintain the Group’s Personal Data Management Plan, data privacy policies, procedures, and training programs.

• Support the incident response process for data breaches and other security incidents, including conducting investigations and implementing corrective actions.

• Collaborate with cross-functional teams, including legal, engineering, and product, to ensure personal data protection and security are embedded into all aspects of the business.

• Monitor emerging personal data and security threats and trends, and communicate potential impacts to management and relevant stakeholders.

• Identify opportunities to improve processes and policies related to data protection and cybersecurity at scale.

• Provide support and guidance to internal teams on data protection and cybersecurity best practices.

• Provide training and awareness programmes across the Group to strengthen personal data protection culture

• Support customer inquiries and requests related to personal data protection.

• Act as the data protection officer of certain subsidiaries (if the need arises) and as the primary point of contact for supervisory authorities and managing communications with regulators

• Deep understanding of data protection laws in our operating markets.

• A personal data background with a minimum of 3 years of experience in personal data support, a DPO role, privacy consulting, or a similar operational setting.

• Privacy Certifications such as CIPP/E, CIPP/A, CIPM.

• Experience in developing and maintaining a Personal Data Management Plan.

• Customer support experience in a fast-paced and specialised environment with a keen eye for detail.

• Ability to assess risk and impact from a privacy and data protection perspective.

• Ability to work in a very fast-paced environment.

• Ability to identify opportunities to improve processes and policies at scale and communicate emerging risks to management and cross-functional partners.

• Experience in risk assessment and mitigation within a personal data and cybersecurity context.

• Leadership & Project Management Skills: Able to lead others in the performance of assigned duties. Experience in managing projects related to regulatory compliance, process improvement, or organisational change.

• Business-Oriented: Interest in business operations and a proactive approach to problem-solving.

• Effective Communication: Excellent written and verbal communication skills, with the ability to build relationships and explain legal concepts in plain language.

• Growth Mindset: Eagerness to learn and develop skills in a fast-paced environment.

• Self-starter Mindset: Takes Ownership, has a Bias for Action and never-ending obsession to excel in a lean and fast-paced organisation

By proceeding with your application, you are adhering to our PDPA policies. In case you are interested to know more, read about our Candidates Personal Data Privacy Statement.