Director, Privacy Controls & Operations

Marriott Vacations Worldwide

About The Position

Marriott Vacations Worldwide (MVW) is a leading global vacation company that offers vacation ownership, exchange, rental and resort and property management, along with related businesses, products, and services. The Company has over 120 vacation ownership resorts and approximately 700,000 owner families in a diverse portfolio that includes some of the most iconic vacation ownership brands. The Company also operates exchange networks and membership programs comprised of nearly 3,200 affiliated resorts in over 90 countries and territories, as well as provides management services to other resorts and lodging properties. As a leader and innovator in the vacation ownership industry, the Company upholds the highest standards of excellence in serving its customers, investors and associates while maintaining exclusive, long-term relationships with Marriott International, Inc. and Hyatt Hotels Corporation for the development, sales and marketing of vacation ownership products and services. The vision of MVW is to strive to build long-lasting relationships with their Owners, Members, customers, and associates to help them live their lives to the fullest. Innovation. Integrity. Excellence. This is the story of MVW. And while the company spans brands and businesses, decades and continents, their shared inspiration continues to drive them forward: delivering unforgettable experiences that make vacation dreams come true. Global Privacy Office The Global Privacy Office (GPO) is part of the Global Technology (GT) team at Marriott Vacations Worldwide (MVW) which is on a multi-year journey to modernize technical and digital products and platforms across all business lines. As part of the GT team, the GPO is continuing to mature and morph to align to the changing ecosystem. This role demands a visionary leader with a privacy background in privacy controls and operations who can manage areas of risk, compliance, controls assurance, and training while solving complex business challenges. The incumbent is a proven thought leader, a consensus builder, and an integrator of people, processes, and technology. Job Summary The Director, Privacy Controls & Operations provides leadership for MVW’s Privacy Operations function developing operational plans for processes and technologies that ensure company-wide compliance with privacy regulations. This hands-on managerial role requires subject matter expertise in privacy frameworks, audit methodologies, global privacy regulatory standards, and a foundational understanding of privacy and Artificial Intelligence (AI) challenges in a fast-changing environment. The Director ensures the effective and efficient operation of Privacy Controls & Operations functions, including Controls Assurance by directing the creation. Update and maintain policies and notices. Supports the design, and manages the implementation, testing, and validation of privacy safeguards to prevent regulatory gaps. Key responsibilities include managing data subject rights (DSR) processing, GLBA requests, privacy and data-related complaints, policy and notice management, and the design and management of privacy controls. The role also acts as a point of escalation for control failures and privacy operational issues. Additional responsibilities include leading initiatives to advance regulatory compliance and organizational transparency across 80+ countries, managing relationships with internal teams and external third-party providers involved in privacy controls and operations, providing organization-wide guidance on global privacy regulations, e.g., GDPR, CCPA, APPI, PDPA, maintaining privacy notices and data retention practices, aligning business processes with evolving standards and contractual obligations, and ensuring DSR fulfillment. Key Results Executive leaders and stakeholders trust the integrity and effectiveness of the privacy controls and operations programs, contributing to a privacy-aware, compliance-focused culture across all lines of business. Privacy frameworks are defined, adopted, and validated across the enterprise. Controls Assurance and Privacy Operations are fully operationalized, ensuring complete visibility into the data ecosystem. Privacy rights fulfillment, including DSRs, GLBA requests, and Executive Privacy Protection cases, operates with precision, transparency, and full adherence to regulatory and internal policy requirements. Business operations integrate privacy controls seamlessly into their workflows, ensuring that requirements are met with minimal disruption through automated or standardized testing. Business functions are supported with up-to-date, clearly communicated privacy notices and internal privacy policies that are reviewed, maintained, and aligned with evolving global privacy obligations. MVW demonstrates a culture of accountability through measurable adherence to established privacy frameworks and continuous control validation. Operational metrics and KPIs provide actionable insights into fulfillment trends, escalations, and performance, informing continuous improvement and leadership reporting

Requirements

Bachelor’s degree in Political Science, Public Policy, International Relations, Marketing, Business Administration, HR, Pre-law, Public Administration or related field or equivalent work experience.
At least 10 years of progressive experience in either privacy, risk management, or similar field, e.g. legal, audit, cyber-security, HR, etc.
Some experience managing a team of direct reports or projects preferred.
Experience coordinating and directing multiple resources, both internal resources and external vendors, to accomplish tasks.
Experience in a corporate, multi-unit and/or multi-state/country environment preferred.
Experience in a matrix corporate structured organization preferred.
Experience in Hotel Management, Vacation Ownership, Hospitality preferred.
Analytical and Strategic Thinking Ability to develop and execute business plans aligned with corporate objectives and regulatory compliance.
Ability to analyze trends, legal changes, and identify emerging risks while anticipating impacts.
Ability to identify and develop metrics and KPIs to measure effectiveness of policies and initiatives.
Ability to provide operational guidance to integrate policy considerations into new technologies and customer engagement strategies.
Technical Understanding of privacy laws and regulations, such as GDPR, CCPA, and APPI, and their operational implications.
Familiarity with privacy frameworks, data protection techniques, e.g. pseudonymization, encryption, anonymization, masking, etc., and privacy-enhancing technologies (PETs).
Knowledge of data flows, data categories and their privacy impact to system configurations, human resource operations, marketing operations, and resort operations.
Project Management Skills Ability to lead cross-functional teams to implement programs across multiple business units and geographic locations.
Ability to ensure timely delivery of initiatives, including audits, policy updates.
Ability to manage vendor and third-party privacy compliance relationships.
Verbal and written communication skills to convey technical concepts to non-technical stakeholders at all levels in easy-to-understand ways.
Able to build and maintain relationships with stakeholders across business operations, e.g., Resort Operations, Marketing & Sales, and corporate functions, e.g., Legal and GT, to foster a culture of privacy.
Commitment to a strong customer service orientation to understand and address internal client needs effectively.
Ability to build empathy with key stakeholders in the course of their daily work.
Ability to be an advocate for customer trust and transparency in all privacy-related communications and policies.
Ability to influence at all levels, lead, motivate, and inspire team members, driving successful implementation and adoption of group product features and solutions.
Serve as a trusted advisor to the leadership team on privacy matters, balancing business goals with regulatory requirements.
Strong ethical foundation and commitment to upholding customer privacy and data security.
Proactive and adaptable in responding to the dynamic regulatory landscape.
Detail-oriented with a focus on accuracy and compliance.

Nice To Haves

Privacy certification preferred, e.g., IAPP, ISACA, ISC2, etc.

Responsibilities

Provides operational leadership and direction for global privacy operations to ensure efficiency, standardization, and alignment with regulatory obligations, internal policies, and organizational objectives.
Provides leadership and day-to-day management of MVW Enterprise privacy operations, including DSR fulfillment, GLBA opt-out handling, Executive Privacy Protection workflows, privacy complaints, consent and preference management, and notice/policy governance.
Manages operational use of privacy management platforms, e.g., OneTrust, TrustArc, Privado, ensuring intake, workflow execution, fulfillment, and reporting are optimized and auditable.
Develops and maintains enterprise-level operational frameworks, escalation protocols, and service-level standards in coordination with Legal, Global Technology, Information Security, and Customer Experience leaders.
Identifies and responds to emerging risks related to privacy operations, such as increased request complexity, evolving regional notice requirements, new preference signals, and emerging privacy UX patterns.
Provides financial input for operational budgeting and resource planning in collaboration with GPO and Global Technology leadership.
Optimizes resources and ensure knowledge retention in a rapidly evolving regulatory environment.
Recommends improvements and automation in privacy processes that can be enhanced through technology.
Performs other reasonable job duties as requested.
Occasional travel required.
Establishes, maintains, and continuously improves the enterprise Privacy Control Framework aligned to NIST Privacy Framework, ISO/IEC 27701, and applicable global data protection laws.
Manages the enterprise privacy control assurance program, including design effectiveness, operating effectiveness testing, and continuous monitoring.
Communicates proactively with internal stakeholders, customers, and partners on operational privacy issues and readiness posture.
Translates legal and regulatory obligations into clear, testable, and auditable privacy controls applicable to both resort operations and corporate systems.
Ensures all controls have documented intent, scope, evidence requirements, and standardized implementation guidance.
Drives consistent implementation of privacy controls across resort operations, guest‑facing environments, and all corporate business units.
Develops and disseminates operational SOPs, playbooks, and functional job aids tailored for resort teams, ensuring controls are practical, embedded, and measurable in day‑to‑day processes.
Establishes and maintains evidence standards, sampling expectations, control testing methodologies, and quality criteria for both field and corporate environments.
Identifies systemic gaps, assesses risk impact, and drives remediation and control hardening across business and technology owners.
Conducts resort‑level readiness assessments, operational walkthroughs, and control verification activities to confirm consistent execution across locations.
Drives continuous improvement via metrics: publishes monthly KPIs/KRIs e.g., DSR SLA %, average days to close, privacy request error rate, exceptions by business unit, etc.
Runs GLBA privacy request workflows end-to-end, e.g., opt‐out of information sharing, annual notice fulfillment, and servicing inquiries, while maintaining evidence of timely response and clear documentation for audits and exams.
Manages the DSR/DSAR engine across jurisdictions, e.g., GDPR, UK GDPR, CCPA/CPRA, PIPL, etc., including identity verification, scoping, collection, redaction, response packaging, and SLA tracking.
Supports the design and Implements dashboards for volumes, cycle time, exceptions, and escalations.
Ensures compliant validation, execution, and delivery of all privacy requests.
Manages Privacy 360 executive protection program, continuously monitoring darkweb, databroker, and opensource intelligence sources for exposure of CSuite personal data.
Drives rapid takedowns, removal requests, and coordinated mitigation actions to reduce risks of impersonation, social engineering, and targeted fraud.
Coordinates with senior executives to ensure regular risk briefings, exposure trending, and actionable insights while maintaining a defensible audit trail of removals, vendor actions, and threat reduction outcomes aligned to enterprise risk management objectives.
Drives a culture of accountability, operational excellence, and trust across privacy-related business functions through training, awareness campaigns, and collaborative execution.
Maintains and updates privacy process and related documentation across the enterprise.
Leads efforts to improve customers’ data transparency needs.
Reviews internal/external audit findings to validate scope, materiality, and root cause.
Develops and owns remediation plans with measurable milestones and defined control owners.
Designs and implements analyses of comparative and historical data related to status and identify trends.
Drafts, designs and maintains privacy policies and notices for both internal and external stakeholders.
Owns end-to-end lifecycle of global privacy notices, ensuring accuracy, transparency, and are aligned with applicable regulations, e.g., GDPR, CCPA, PIPL, while maintaining consistent messaging across products, services, and regions.
Partners with Legal, Marketing, and Data Engineering teams to identify data collection and usage practices, translate them into clear notice language, and drives timely updates as business models, technologies, or regulatory requirements evolve.
Establishes governance and quality controls for privacy notices, including version management, approval workflows, publication tracking, and periodic reviews ensuring notices are compliant, accessible, and aligned with the company’s data privacy strategy.
Ensures Resort Operations teams implement and maintain controls related to notice delivery, consent capture, request intake, secure handling of personal data, guest identity verification, data retention, and breach escalation.