Associate General Counsel, Privacy and Cyber Risk
Responsible for supporting the development, implementation and maintenance of the Company's Global Privacy and Data Protection program with the goal of ensuring compliance with all applicable laws and regulations globally. The position reports to the Chief Compliance and Privacy Officer who reports to the General Counsel. The position will interact with departments/business units across the Company; provide legal advice and support to HR, IT, Information Security and Cyber Defense functions; and oversee and manage two privacy and data protection compliance specialists.
Supporting the company’s Compliance and Privacy function:
· Develops, implements and maintains the Company’s Privacy and Data Protection policies, processes and procedures.
· Monitors changes in Privacy and Data Protection laws and regulations globally to ensure Company adaptation and compliance, including all required country registrations.
· Provides legal advice regarding the implications of new privacy and data protection laws and regulations globally that impact the Company’s business.
· Identifies and implements data privacy best practices.
· Provides strategic guidance to Departments/Business Units in the design and evaluation of Privacy and Data Protection related tools and projects (e.g., privacy-by-design).
· In coordination with the Compliance Director for Training and Awareness, identifies and helps develop Privacy and Data Protection communications and trainings.
· Collaborates with Information Security to ensure alignment between Cyber Security and Privacy and Data Protection practices. Manages the review of data protection impact assessments and provides support and guidance for such assessments.
· Collaborates with and supports the commercial legal and contracting functions on the drafting, review and negotiation of Privacy and Data Protection matters related to customer, vendor, and third-party contracts (e.g., data transfer agreements, model clauses, privacy notices/policies).
· Serves and supports activities with regulatory and data protection authorities for matters relating to privacy and data protection (e.g., UK’s ICO and FCA, US state attorneys general, etc.).
· Implements and oversees a process for receiving, documenting, tracking, investigating and acting on all internal and external Data Subject Access Rights requests (e.g., changes to/deletion of information from systems) and complaints. Investigates complaints about breaches of applicable regulations. Maintains a log of incidents and remedial actions.
· In collaboration with other Company departments (e.g., Information Security, Vendor Management, Enterprise Risk Management, Legal, Internal Audit) establishes an internal and external Privacy and Data Protection due diligence, monitoring and audit program.
· Manages the collection, analysis and reporting of Privacy and Data Protection program data and metrics for continuous process improvement.
· Participates in client meetings, sponsor audits and regulatory inspections for questions related to Privacy and Data Protection.
· Participates in data security incident responses affecting the Company, and leads on understanding privacy impact assessment and breach notification obligations.
· Acts as primary legal privacy advisor on matters related to HIPAA, PCI compliance, TCPA, and other data privacy and data protection laws.
· Coordinates cross-functionally to provide data privacy support and guidance with respect to the Company’s records management program.
· Completion of law school with a J.D. or LL.B. degree and admission to the bar and in good standing in at least one jurisdiction in the United States required.
· 7+ years of legal experience as a practicing attorney, with at least 2 of those years advising on global data protection/privacy laws and requirements.
· Experience as in-house counsel and litigation/law firm experience strongly preferred.
· Experience with U.S. and international privacy program development and management preferred, with particular emphasis in the financial services and technology software environments.
· Experience with US data breach laws and incident response.
· Experience advising on cyber risk and IT compliance issues.
· Knowledge of US, Canada, European, and APAC privacy and data protection laws, regulations and best practices (CASL, CAN-SPAM, PCI DSS, HIPAA, GDPR, Privacy Shield, APEC’s CBPR, etc.).
· Innovative, forward-thinking and results-oriented with a passion to solve complex problems in a creative and pragmatic way and to translate laws and regulations into actionable policies and procedures that enable business objectives.
· Demonstrated ability to influence and drive internal and external stakeholders to a decision in a matrix corporate environment.
· Ability to work independently, meet tight deadlines and work effectively in a multi-functional, international team environment.
· Ability to manage a small team of privacy compliance specialists.
· Excellent interpersonal skills, work ethic, and team/collaboration experience.
· Strong investigative, analytical, communication, and writing skills.
· Demonstrated ability to get things done and stay mission focused.
· Strong sense of ownership and accountability, ability to make decisions efficiently and quickly.
· IAPP certification(s) (CIPP/US, CIPP/E, CIPM) preferred.
It is the policy of IHS Markit to provide equal employment opportunity (EEO) to all persons regardless of age, color, national origin, citizenship status, physical or mental disability, race, religion, creed, gender, sex, sexual orientation, gender identity and/or expression, genetic information, marital status, status with regard to public assistance, veteran status, or any other characteristic protected by federal, state or local law. In addition, IHS Markit will provide reasonable accommodations for qualified individuals with disabilities. We maintain a drug-free workplace. For candidates in the US, we are a participant in E-Verify.