Here is a sample job advertisement for these types of roles…
Data Privacy Manager
We have a number of open positions in locations across the United States, primarily in San Francisco, Los Angeles, Miami, and New York City.
- Regulatory Compliance Expertise:
- HIPAA and HITECH
- Vendor Risk Management (VRM):
- Vendor Profiling
- Custom Risk Frameworks
- Risk Assessments
- Remediation Services
- Privacy Office Support Services:
- Program Design and Policy Development
- Data Breach Notification Support
- Cross-Border Data Transfers
- Data Mapping and Risk Assessments
- Conduct project-based, privacy-related assessments and audits for diverse clientele.
- Review Privacy Program policies and practices against leading industry standards.
- Provide privacy and data protection trainings and awareness.
- Assess potential and actual privacy incidents, coordinating, supporting, and/or leading clients’ Incident Response or Data Breach Management processes.
- Prepare reports and other deliverables with strategic, executive- and/or technical-based analysis and findings, communicating these results to project teams and client management.
- Demonstrate Subject Matter Expertise on wide-ranging data privacy client engagements.
- Interact effectively and efficiently with co-workers and clients at every level, fostering and maintaining quality business relationships.
- Perform similar and related duties, as assigned by Practice leadership.
- 2+ years (5+ years for management-level) in a consulting role within the data privacy or a closely related field, such as cyber security or IT/Financial Audit.
- Experience performing privacy and/or security gap assessments.
- Experience working with:
- International, Federal, and State Privacy Regulations
- IT Security Controls
- Operational Risk Tolerance
- Knowledge of international, federal and state rules and regulations, including but not limited to HIPAA, GLBA, GDPR, and CCPA.
- Knowledge of industry standards, frameworks, and best practices related to security and privacy, including but not limited to NIST, ISO, COBIT.
- Intermediate – Advanced understanding of Microsoft Office Suite
Education & Certifications
- Bachelor’s Degree in information systems, computer science, or related field
- Certified Information Privacy Professional (CIPP) certification, or
- Currently working towards CIPP certification
- Up to 35%, both regional and international
With a deep understanding of 23andMe’s business strategies and strategic priorities, you will identify the implications of product, marketing, business development and research initiatives on privacy and data use, technology architecture and standards and data governance, to ensure 23andMe implements sound decision-making and maintains its focus on transparency and mindfulness of privacy and data protection matters. You will be responsible for ensuring that 23andMe has a comprehensive and effective privacy program, and will conduct privacy education and training at all levels of the company. You will lead on privacy strategies, be an integral cross-functional colleague, work closely with parties on related compliance, policy and governmental affairs matters and lead all privacy programs and policies, in the US and abroad.
Who we are
Since 2006, 23andMe’s mission has been to help people access, understand, and benefit from the human genome. We are a group of passionate individuals pushing the boundaries of what’s possible to help turn genetic insight into better health and personal understanding.
What you’ll do
- Serve as Privacy Officer for 23andMe.
- Own and provide leadership for the privacy function and staff.
- Represent the organization’s privacy and data protection interests with internal and external parties.
- Develop, implement, supervise and monitor 23andMe’s privacy and data protection policies and procedures to ensure the privacy and confidentiality of health information are kept up to date and are tailored to our business model.
- Assess how current and proposed regulations impact business processes, reporting functions, record keeping, or other activities. Assess needs for introduction of new business processes and for consultations or training.
- Conduct critical analysis and articulate how the external environment influences privacy laws and regulations that impact 23andMe’s businesses.
- Drive complex projects and lead cross-functional teams in setting and handling achievements and deliverables to achieve stated outcomes.
- Guarantee 23andMe privacy policies and practices are included in development of product offerings and business processes including, marketing, market research, customer support, and other operational mechanisms and performance measures.
- Develop strategies, tools, resources and frameworks enabling data use innovation and improvement throughout the company while ensuring operational privacy compliance.
- Apply innovation and process improvement skills to implement effective and efficient solutions.
- Collaborate with IT and Security to conduct risk assessments/audits and monitoring to find opportunities, issues and risks and develop appropriate mitigation plans in support of 23andMe Risk Management and Internal Audit deliverables.
- Lead data incident response and resolution teams; work cross-functionally to assess privacy events or potential data breaches and decide on appropriate responses.
Who you are
- JD with excellent academic credentials.
- Member of the California bar.
- 8+ years of privacy experience in a law firm, in-house or other legal environment with a track record of providing practical, business-friendly advice and management of other attorneys and staff.
- CIPP certification required.
- Skilled knowledge of data protection and information security laws, rules and regulations in the US and globally, including EU GDPR, as well as industry leading practices and standards, US federal and state privacy laws and regulations including the Genetic Information Nondiscrimination Act (GINA), Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), California Online Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), and rules and regulations related to mobile applications.
- Knowledge of online and offline advertising and marketing rules and regulations, such as state consumer protection statutes, CAN-SPAM, Telephone Consumer Protection Act (TCPA), Telemarketing Sales Rules (TSR), and FTC marketing guidelines pertaining to areas such as deceptive advertising and endorsements/testimonials.
- Knowledge of and experience with data security, data breach, and data loss prevention tools and statutes.
- Background and skill in responding to press inquiries and public speaking as an authority on a wide range of global privacy matters.
- Demonstrated analytical skills as well as the ability to take disparate information and make strategic recommendations quickly.
- Experience with FDA regulatory issues related to privacy, including government requirements for compliance programs preferred.
- A leader with evidence of growing management responsibility throughout career history.
- Ability to develop and deliver presentations to senior management and influence others.
- Impeccable attention to detail and ability to get things done.
- Strong organizational, coordination, multi-tasking, and process improvement capabilities to work with functional groups across the organization including Business Development, Marketing, and Research.
23andMe, Inc. is the leading consumer genetics and research company. Our mission is to help people access, understand and benefit from the human genome. The company was named by MIT Technology Review to its “50 Smartest Companies, 2017” list, and named one of Fast Company’s “25 Brands That Matter Now, 2017”. 23andMe has over 5 million customers worldwide, with ~85 percent of customers consented to participate in research. 23andMe is located in Mountain View, CA. More information is available at https://www.23andme.com/.
At 23andMe, we value a diverse, inclusive workforce and we provide equal employment opportunity for all applicants and employees. All qualified applicants for employment will be considered without regard to an individual’s race, color, sex, gender identity, gender expression, religion, age, national origin or ancestry, citizenship, physical or mental disability, medical condition, family care status, marital status, domestic partner status, sexual orientation, genetic information, military or veteran status, or any other basis protected by federal, state or local laws. If you are unable to submit your application because of incompatible assistive technology or a disability, please contact us at email@example.com. 23andMe will reasonably accommodate qualified individuals with disabilities to the extent required by applicable law.
Please note: 23andMe does not accept agency resumes and we are not responsible for any fees related to unsolicited resumes. Thank you.
- Work autonomously and independently manage a portfolio of reviews;
- Collaborate with internal OEB business areas, technology partners and external stakeholders;
- Conduct research on legal and compliance issues related to data privacy and industry best practices, and advise OEB business areas regarding implementation;
- Conduct review of policies/procedures associated with the Data Privacy Program;
- Conduct due diligence review of vendors and prepare documentation summarizing findings and recommendations;
- Support senior leaders in the Office of Employee Benefits as a key resource for data privacy issues and incident response;
- Serve as a data privacy resource, conduct briefings and create materials and training for data privacy;
- Conduct data privacy training;
- Conduct privacy consultations with business areas regarding use of PII, including risk mitigation;
- Conduct and maintain an inventory of OEB PII;
- Responsible for OEB’s compliance with data privacy record retention requirements.
- Bachelor’s degree and approximately 5-7 years of work experience in a compliance, risk management, privacy or regulatory related function; exposure to data privacy related activities highly desired;
- Experience collaborating and consulting across business lines and with external stakeholders;
- Background using critical thinking skills and adding value through thoughtful analysis;
- Experience utilizing data privacy principles to protect information is preferred;
- Demonstrated program and project management skills, including the ability to meet tight deadlines and manage multiple projects simultaneously, and influence outcomes;
- Proven ability to work autonomously and identify opportunities for enhanced risk mitigation;
- Knowledge of information security frameworks and controls is desired, as the position will work closely with the information security team;
- Strong research, writing and presentation skills, including the ability to prepare clear and concise reports.
The Chief Privacy Officer (“CPO”) will ensure full compliance with all applicable privacy laws and regulations globally. The CPO will lead the Company’s Privacy Office and oversee all ongoing activities related to the development, implementation and maintenance of the Company’s privacy program and policies in accordance with applicable laws. In particular, the CPO will provide strategic direction to the Company regarding existing and emerging privacy and data protection laws.
- Build and enhance a strategic and comprehensive privacy program, including appropriate policies and procedures, to enable consistent, effective data privacy practices, to minimize privacy risk and to ensure the confidentiality of personal data. Ensure privacy forms, policies, standards, and procedures are up-to-date and compliant with laws applicable to the organization.
- Work closely with the Chief Information Security Officer (CISO), the Chief Compliance Officer (CCO) and other individuals with privacy and data handling responsibilities in the organization to set strategy and develop global and regional approaches to complex privacy matters involving systems, data handling and data processing activities.
- Work with senior management and the CCO to establish governance for the privacy program.
- Collaborate with the Information Technology (IT) department to ensure alignment between security and privacy compliance programs including policies, practices, and investigations.
- Establish, with the IT department, systems to track, investigate and report inappropriate or unauthorized access, loss or disclosure of personal data.
- Collaborate with the Company’s business development/transactions and contracting teams to address data privacy issues with third parties.
- Maintain and periodically update the Company’s data processing documentation including privacy risk assessments/analysis, mitigation and remediation.
- Cooperate and collaborate with the Company’s compliance monitoring team in connection with periodic compliance and operational assessment of the Company’s privacy program.
- Oversee and develop ongoing privacy training and communications to ensure that the Company’s employees understand how to comply with applicable privacy laws.
- Where necessary or appropriate, represent the Company before data protection authorities and other relevant regulators and agencies.
- Manage all required breach determination and notification processes under laws applicable to the organization.
- Serve as the Company’s data privacy resource and expert regarding sharing of personal information and for all privacy related issues/activities.
- In collaboration with the Compliance Department’s investigations team, establish and administer a process for investigating and acting on privacy and security complaints and potential violations of the Company’s privacy policies.
- Initiate, facilitate and promote activities to foster data privacy awareness within the organization and related entities.
- Must be knowledgeable of applicable global data privacy and security laws including federal, state and international privacy laws such as the GDPR.
- Monitor advancements in information privacy technologies to ensure organizational adaptation of beneficial emerging technologies.
- Work with the Legal and Compliance Departments, government affairs, and other related internal functions to represent the Company’s interests with regulators regarding data privacy legislation, regulations, or standards.
- Manage and chair the Company’s Privacy Steering Committee and report on a periodic basis to senior management regarding the status of the Company’s privacy program and privacy risks.
- Law degree and/or Master’s degree in regulatory/healthcare compliance preferred
- 12+ years’ experience in the legal / privacy profession, including time in or advising pharmaceutical companies on healthcare privacy related activities
- In-depth knowledge of global privacy laws related to the pharmaceutical industry and genetics
- In-depth knowledge of legal, regulatory, compliance and business environment for the pharmaceutical industry
- Experience with building and implementing a global privacy program
- Experience dealing with European entities and data protection authorities
- Demonstrated ability to work collaboratively within an organization and with all levels of the workforce
- Excellent oral and written communication skills
Support and enable our existing data privacy and protection compliance program within legal and ethics and compliance. Serve as a key member of a team that drives ethical behavior, shapes our culture of ethics and integrity, designs and implements compliance programs, enforces compliance initiatives, and builds awareness for employees around ethics and compliance. Manage the day-to-day operations of the data privacy program, including incident response and drafting privacy impact assessments and data subject access requests. Participate in the design, development, and implementation of data privacy program enhancements and process improvements necessary to achieve the program’s objectives. Coordinate and work with the program management office to support project planning activities, including drafting and maintaining robust project plans, documenting decisions and dependencies, and spotting and remediating potential gaps or weaknesses in program controls. Work with the data privacy counsel to maintain standards and controls to comply with state, national, and international data privacy regulations and laws.
- 8+ years of experience in a professional work environment
- 5+ years of experience with working in a data privacy program
- Experience with drafting privacy impact assessments
- Knowledge of incident response processes, procedures, and requirements
- Ability to comprehend and work with new and emerging technologies
- Ability to collaborate effectively with diverse stakeholders, including business-focused teams, legal and compliance teams, and finance and accounting teams
- Ability to work with the data privacy counsel in communicating regulatory guidance
- BA or BS degree required
- Experience with using Microsoft Office, including PowerPoint and Excel
- Ability to implement processes and procedures with precision and attention to details
- Ability to track, organize, and coordinate projects independently to achieve results
- Ability to be a team player who fosters professionalism, integrity, and confidentiality in all actions and help the team on a wide variety of tasks, as needed
- Ability to be flexible, when required, achieve against tight deadlines, and organize and prioritize work
- Possession of excellent analytical skills, including attention to detail
- Possession of excellent interpersonal skills, including developing collegial relationships with colleagues at all levels
- Possession of excellent oral and written communication skills
We’re an EOE that empowers our people—no matter their race, color, religion, sex, gender identity, sexual orientation, national origin, disability, veteran status, or other protected characteristic—to fearlessly drive change.
- Assess, process and facilitate Facebook’s cross-functional processes for internal and external people data access requests
- Collaborate with cross-functional internal and external points of contact, including global legal partners, to ensure regulatory compliance and mitigate risk
- Effectively communicate needs and insights to different levels of cross-functional audiences
- Incorporate feedback and interpret results in a fast-paced, ambiguous environment, adapting quickly
- Help define and enforce best practices and alignment with the privacy framework and operations
- Support response to people data requests related to data privacy with minimal guidance or oversight
- Meet multi-tiered internal SLAs associated with critical due dates
- Document, track and report relevant program metrics and milestones
- Contribute to continuously improving processes and procedures around data privacy relevant aspects across People teams
- Partner closely with a variety of internal stakeholders to design, develop, and deploy a data management and archiving process
- Proactively identify opportunities to enhance policies relating to the retention and archiving of different types of data and the implementation of automated solutions for managing the life cycle of generated data
- Maintain strict confidentiality and privacy
- 6+ years’ experience in Human Resources or Legal Compliance and/or Operations
- Experience developing command of regulations and compliance related concepts
- Experience communicating issues to cross-functional partners at all levels
- Problem solving and conceptual thinking experience
- Demonstrated experience issue spotting and assessing information for risk mitigation
- Experience working independently and as part of a team, across different regions and time zones
- Experience in roles that demand accuracy and quality, prioritization and execution against deadlines
- Knowledge of MS Office
- Experience with organizing, coordinating, multi-tasking, and process improvement
- In-depth knowledge of data privacy (including GDPR) and risk/compliance management concepts in a global context
- Experience working in a global, large-scale, complex, and fast-paced environment
- Experience with privacy law, policy, or other related field
- Experience working within case management systems with strict SLAs
- Knowledge of global data retention implementation strategies