
Data Privacy Officer (LAW FIRM)

London, United Kingdom
  • Employment Type: Direct Hire

Our client is looking for a Data Privacy Officer for their New York or London office. This is a global position covering all the jurisdictions in which the firm operates. The Privacy Officer will be the initial point of contact, both internally and externally, for all privacy matters of the firm. The Privacy Officer will facilitate compliance with applicable laws and regulations, including the European Union’s GDPR. The right candidate will have strong analytical and problem resolution skills, sound business judgment with the ability to think strategically and give practical advice, and strong written and verbal communication skills. Must be comfortable with promoting privacy up and down the leadership chain, including to audiences who have varying levels of familiarity with the topic. One or more industry-recognized certifications is required. An advanced degree in law, business, information science, information security or a related subject is a plus. Relevant experience in the legal, financial or healthcare sectors, with detailed knowledge of the EU e-Privacy Directive and the EU General Data Protection Regulation (GDPR) and knowledge of U.S. laws and regulations, such as HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Privacy Shield certification process and U.S. (state) breach notification laws, is a plus. Send resumes for London to [email protected] and for New York to [email protected].

Tasks and Responsibilities:

  • Develops, implements and maintains the firm’s privacy management program and the resulting policies, procedures, guidelines and other documentation for the processing of personal data in coordination with appropriate internal stakeholders
  • Develops and updates data breach incident responses, ensuring alignment with the implementation of personal data handling activities
  • Works to ensure the firm maintains the appropriate privacy and confidentiality consent procedures, authorization forms and information notices
  • Works with a multidisciplinary team, including risk management, compliance, HR, legal, business process owners and other internal stakeholders to ensure firm-wide coverage of the privacy discipline
  • Works with procurement, vendor management and risk management to ensure that third-party supplier contracts and operating-level agreements meet international privacy requirements
  • Implements and maintains an internal reporting mechanism for intended (new or changed) personal data processing activities, to which business unit/process owners must adhere
  • Notifies data protection authorities of the firm’s processing activities, where required
  • Leads the firm’s response to privacy-related emergencies and other potentially damaging events
  • Works on the firm’s continued compliance with GDPR and other applicable data protection laws
  • Determines the firm’s specific privacy-related requirements and potential vulnerabilities
  • Receives and manages internal reports from business stakeholders to maintain control over all project and innovative initiatives, including change management, to ensure timely attention for privacy bottlenecks and hiatuses
  • Manages the privacy impact assessment process, in close collaboration with business stakeholders
  • Conducts regular privacy policy compliance assessments to ensure that the firm’s privacy policies are up to date and being adhered to
  • Ensures that business units, technology teams and third parties (including service providers) follow the firm’s privacy management program, meet privacy policy requirements and address privacy concerns
  • Collaborates with and assists business units and technology areas to develop corrective action plans for identified privacy compliance issues
  • Continuously monitors the status and effectiveness of privacy controls across the firm, ensuring that applicable privacy laws and regulations (including GDPR), and privacy-related key risk indicators are effectively monitored to prevent an unacceptable impact on business objectives and reputation
  • Conducts frequent compliance report monitoring activities on collaborating partners’, third-party service providers’ and other data processors’ levels of privacy compliance
  • Reports findings in a structural, transparent and business-relevant manner to senior management, allowing the firm to decide and instruct on adequate and appropriate mitigating measures
  • Supports the creation of an inventory that documents how and why the firm collects, shares and uses personal data
  • Continuously updates and re-evaluates the extent to which client and employee information is collected and shared internally and externally
  • Monitors the data request and usage processes, purpose-based authorized use and prevention mechanisms’ effectiveness against unauthorized use, and cross-border data transfer matters for personal data across the firm
  • Maintains the firm’s registry of all personal data stores and processing activities
  • Information Technology
  • Serves as the internal advisor to the IT and information security departments to interpret privacy policy-related questions
  • Ensures that data security practices — in particular logging, monitoring and auditing practices — do not conflict with privacy requirements
  • Works closely with the technology service teams to anticipate potential privacy problems embedded in the use of emerging technologies
  • Liaises with the firm’s information security team in matters relating to data breaches (including preparedness, prevention, impact mitigation and integral management of breaches)
  • Works to integrate controls within specific HR and CRM business and IT processes
  • Conducts or oversees privacy awareness campaigns, training and orientation for all employees — in particular application developers, HR and marketing
  • Identifies trends in privacy and regulatory requirements and compliance enforcement, and accounts for the necessary changes in the privacy management program, updating information only to the stakeholder audiences affected in their respective activities
  • Develops new and innovative strategies to address privacy and regulatory standards and requirements in new computing paradigms, such as the Internet of Things and the cloud
  • Liaises and communicates effectively with external entities, such as supervisory and regulatory authorities and the public, on relevant occasions
  • Manages and responds to requests of data subjects to exercise the rights provided for by the applicable data protection laws (for example, requests for access, rectification and deletion of personal data)

Education and Training:

  • Required:
    • Educated to degree level in a related subject
    • One or more industry recognized certifications
  • Desirable:
    • An advanced degree in law, business, information science, information security or a related field

Required Previous Experience:

  • Several years of relevant experience in the legal, financial or healthcare sectors
  • Detailed knowledge of the EU e-Privacy Directive and the EU General Data Protection Regulation (GDPR)
  • Experience with EU model contracts and/or Binding Corporate Rules for international data transfers
  • Experience working in a heavily regulated and/or audited environment
  • A deep working knowledge of international privacy laws, regulations and industry best practices
  • Knowledge of U.S. laws and regulations, such as HIPAA, Gramm-Leach-Bliley Act (GLBA), Privacy Shield certification process and U.S. (state) breach notification laws
  • Experience with cloud computing, online services, web and enterprise applications, and data analytics
  • Experience with governance, risk and compliance (GRC) tools and how they can be used to support privacy-related GRC activities
  • Experience with technological assistance tooling, such as data discovery, data mapping, authorization and access management, and pseudonymization technologies

Knowledge and Skills:

  • Strong analytical and problem resolution skills
  • Sound business judgment, with the ability to think strategically and give practical advice
  • Strong written and verbal communication skills, as well as the ability to work well with a diverse client base
  • Comfort with promoting privacy up and down the leadership chain, including audiences who have varying levels of familiarity with the topic

Personal Characteristics:

  • Can gain the respect of stakeholders at all levels and roles in the firm
  • A confident, energetic self-starter, with strong interpersonal skills
