Data Privacy Program Manager
Location: USA only (remote)
LetsGetChecked is a leading at-home health testing company, with a platform that allows consumers to discover and access personalised health information conveniently, confidentially and accurately. We empower people to take an active role in their health to live longer, happier lives. LetsGetChecked was founded in 2015 and has corporate offices located in New York City and Dublin.
This is an excellent opportunity for a Data Privacy Program Manager to join our rapidly growing team, and to support our company in the ongoing audit, enhancement and day-to-day management of our privacy compliance programs. The Data Privacy Program Manager reports to the VP of Data Compliance and Privacy, and is expected to work across multiple business functional teams while liaising with Legal, Compliance, Information Security and the VP of Data Compliance and Privacy.
The role ensures successful and consistent delivery of privacy compliance program activities, facilitates privacy-compliant business decision making, performs audit and assurance activities over the privacy and security programs, and serves to advise and give guidance to the business on how to align with various privacy and data protection requirements. Particular focus areas will include supporting the DPO, Compliance, and Information Security colleagues with maintaining up-to-date privacy notices and records of data processing activities, assisting with third party risk management (due diligence of prospective service providers, business associates, etc.), responding to client requests for information (RFIs) regarding our own privacy and security posture, and supporting the DPO in the performance of data privacy program audits and data privacy impact assessments to help our growing and evolving business identify and mitigate privacy and security risks as they emerge.
To be successful in this role, you will have proven ability and at least 3 years' experience in promoting awareness, understanding, and practical application of privacy and data protection principles and best practices across organizations, enabling them to align their operations with the requirements of global privacy laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the EU General Data Protection Regulation (GDPR). You will have in-depth knowledge of these regulations, industry standards, and compliance-related frameworks (HITRUST, SOC2, ISO27, NIST, etc.), and experience performing audits and gap analysis. Familiarity with the healthcare, genetics, or medical device industries and the nature of their data processing activities would be a significant plus, as would experience implementing or managing privacy compliance programs or key domains within them. Experience with contract and Data Processing Addendum (DPA) reviews, Information Security controls testing or IT Audit, and communication of policies and procedures would also be helpful to the successful candidate.
• Support the DPO in performance of privacy and security program audits, identifying areas of risk or non-compliance and supporting in mitigation and/or remediation to ensure alignment with global privacy regulations and security frameworks in use at LetsGetChecked.
• Continual identification, documentation, and evaluation of the company’s data processing activities as part of the Records of Processing (GDPR Article 30).
• Conduct formally documented Data Protection Impact Assessments (DPIAs), Legitimate Interest Assessments (LIAs) and Transfer Impact Assessments (TIAs) in collaboration with the DPO and business stakeholders, to help manage risks introduced by evolving business activities processing sensitive personal information.
• Support Legal, Compliance, Information Security, and the DPO in performing due diligence and contracting with new third parties. This will involve assessing privacy and information security controls and standards, reviewing and recommending privacy and data protection contractual requirements, and coordinating across the business to communicate and remediate risks associated with new third party relationships.
• Support Compliance Audit activities, for example working closely with IT Compliance colleagues to ensure continued alignment with HITRUST requirements, or performing audits related to the privacy program.
• Support the management of the Data Subject Request program, helping the DPO respond to privacy requests made by data subjects wishing to exercise their rights under regulations such as HIPAA, CCPA, and GDPR.
• Act as point of contact with internal teams to promote awareness and understanding of privacy regulatory requirements, as well as company policies and procedures.
• Support the DPO in identifying business processes or aspects of the privacy compliance program that will require the drafting, updating, and communicating of new or enhanced privacy and data protection policies. This will serve to strengthen the privacy compliance program, and extend its reach within our business.
• Offer support to the DPO and Information Security teams in responding to incidents or suspected privacy breaches.
• Support the ongoing delivery of training on GDPR, CCPA, and HIPAA compliance for employees.
• Support the DPO in further developing our HIPAA Privacy and Security Rules compliance program.
• Other duties as assigned by Legal, DPO, or Information Security.
• Experience in privacy and security audits and assessments.
• Experience in third party risk management.
• Experience in performing data protection impact assessments, or similar privacy risk analysis.
• Solid knowledge of/experience with global privacy regulations and how they apply to data processing operations in the medical device or healthcare sector.
• Familiarity with audit methodologies, including auditing computer security systems/critical security controls and related industry standards for privacy and security, such as HITRUST requirements and their implementation.
• Ability to handle confidential information.
• Ethical, with the ability to remain tactful and impartial, and to escalate all instances of non-compliance through established reporting channels.
• Organizational skills with attention to detail.
Additional Skills/Certifications (preferred)
• Security or IT Audit certifications such as CISSP, CIPM, CISA, or CRISC.
• Privacy certifications such as CIPP/US, CIPP/E, CIPM, CIPT, or FIP.
• Third Party Risk, Paralegal or other experience working within a Legal department (e.g. contract review).