IT GRC & Data Privacy Lead

Amartha is a technology company focused on creating shared prosperity by developing digital financial solutions for the grassroots economy. Founded in 2010 as a microfinance institution, Amartha connects rural, women-led micro-enterprises with affordable capital. Amartha is expanding as a tech company, building a microfinance ecosystem that connects to the growing digital economy through capital, investment, and payment services. By boosting the competitiveness of micro and small entrepreneurs, Amartha empowers women-led MSMEs, creates jobs, and fosters inclusive economic growth.

About The Team:

The Information Security team in Amartha is a group of dynamic, highly-analytical individuals who are highly mindful in driving security and privacy by design within the various aspects of product lifecycle and engineering processes. We are the team who are highly passionate to be the security enabler of Amartha’s systems

Roles and Responsibilities:

GRC Framework Development and Maintenance:

• Develop, implement, and maintain a comprehensive GRC framework that aligns with industry best practices and regulatory requirements.
• Conduct regular risk assessments to identify potential threats and vulnerabilities.
• Develop and implement risk mitigation strategies and action plans.
• Monitor and report on compliance with internal policies and external regulations.

Data Privacy Compliance:

• Ensure compliance with applicable data privacy regulations and data protection laws.
• Manage data breaches and incidents, including notification processes and remediation activities.
• Conduct data privacy impact assessments (DPIAs) for new projects or initiatives.
• Develop and implement data privacy policies and procedures.

Vendor Management:

• Assess the security and privacy practices of third-party vendors and suppliers.
• Negotiate and manage vendor contracts to ensure compliance with security and privacy requirements.
• Manage all RFI / RFP / security questionnaire responses.
• Provide standardized documentation (e.g, compliance reports, penetration testing
• summaries).

Regulatory Compliance:

• Stay up-to-date with evolving regulatory requirements and industry best practices.
• Provide guidance and support to the organization in meeting compliance obligations.
• Maintain and update the full security policy library (ISO 27001, SOC 2, PDP, etc.).
• Ensure version control, approval workflows, and cross-departmental adoption.
• Lead regular policy reviews and align with new business or regulatory needs.

Identity and Access Management (IAM):

• Develop and maintain IAM policies, standards, and procedures.
• Implement and manage IAM systems and tools (e.g., identity provisioning, access control, single sign-on).
• Ensure the effective administration of user accounts and privileges.
• Conduct regular IAM audits and reviews to identify and address security gaps.
• Manage access certifications and segregation of duties controls.

Security Process Governance:

• Define and enforce structured approval workflows for new tools, processes, and architecture changes.
• Integrate approvals into relevant tools and documentation for traceability.
• Collaborate with other teams for end-to-end governance.

Awareness & Training

• Drive company-wide security awareness campaigns.
• Onboard new hires with security and compliance training.
• Ensure all employees understand their compliance obligations.

Metrics & Reporting

• Define metrics for compliance maturity, audit readiness, and risk reduction.
• Deliver quarterly GRC posture updates to relevant stakeholders

• 10+ years of related job experience with the minimum of 3 years of leading a team
• Strong analytical and interpersonal skills
• Excellent communication both in written and spoken (English)
• Demonstrated ability to lead small to medium size team
• Ability to express information clearly at different organizational levels
• Strong understanding of industry standards such as ISO 27001, 27701, NIST Cybersecurity Framework, GDPR, UU PDP
• Experience in the financial services industry (esp. Lending, Funding, Microfinance, Payments, etc)
• Having relevant certification are preferable (e.g. CRISC, CIPP, etc)
• Experience with IAM technologies and frameworks (e.g, Active Directory, LDAP, OAuth, SAML)

At Amartha, we are dedicated to creating a workplace that celebrates diversity, ensures equity, and fosters inclusion. We believe that diverse perspectives—shaped by factors such as gender, age, race, ethnicity, education, culture, and life experiences—drive innovation and growth.

We actively welcome individuals from all backgrounds to join us in building an environment where everyone feels respected, valued, and empowered. Our commitment is to provide equal opportunities and foster a sense of belonging that enables our employees to thrive and make meaningful contributions.