Privacy Counsel

About The Position

Requirements

• 1+ year practicing attorney in the privacy space.
• Experience and expertise in data protection and privacy management, preferably in a multinational organization.
• In-depth knowledge of data protection laws and regulations, such as HIPAA, CCPA, and other regional privacy frameworks.
• Strong understanding of privacy risk management principles and practices.

Nice To Haves

• Experience in carrying out privacy gap analysis, creation and implementation of remediation plans as well as designing and implementing privacy projects preferable.
• Privacy qualifications / certificates e.g. CIPP/US, CIPM preferred.
• Previous insurance experience preferred.

Responsibilities

• Data Protection Strategy: Collaborate with the GPO, GGB Division Privacy and IT Leads, the GGB-US General Counsel and local GGB business leaders to develop and execute a comprehensive data protection strategy for GGB that aligns with business objectives and regulatory requirements. Assist the Global Chief Privacy Officer to implement the Global Data Privacy Framework (Tier 1) within GGB and develop and implement any required GGB local Data Privacy Frameworks (Tier 2) to minimize privacy risks and drive risk reduction initiatives.
• Policy Development: Create and maintain data protection policies, standards, guidelines and playbooks that reflect best practices and ensure compliance with applicable laws and regulations.
• Risk Management: Identify and assess privacy risks (including conducting privacy risk assessments and data transfer impact assessments) across jurisdictions and provide guidance to business units on risk mitigation strategies. Complete and maintain GGB Privacy Risk Registers, with specific focus on inherent and residual risk.
• Privacy Advice and Support: Provide expert advice and guidance to GGB, the GPO and other stakeholders on privacy-related matters, including data sharing, international transfers of personal data, consent management, data subject rights, data incidents, vendor risk management, due diligence and integration relating to merger and acquisition activities, responses to client privacy queries, data minimization, privacy complaints, determinations of requirements to have a Data Protection Officer (or equivalent) in an entity, data analytics and artificial intelligence. Handle internal and third-party requests for access to GGB data.
• Training and Awareness: Develop and deliver privacy training programs to raise awareness and ensure understanding of data protection obligations among employees, including high risk users.
• Privacy Impact Assessments and Data Transfer Impact Assessments: Conduct assessments for new projects, systems, and processes to identify and address potential privacy risks, and for data transfers where required by law.
• Incident Response: Lead and coordinate the containment and response to data privacy incidents, including conducting investigations, implementing corrective actions, responding to client, carrier and data subject queries, and reporting to relevant authorities, companies and involved data subjects.
• Supplier Risk: Assess privacy risks in relation to GGB’s supply chain, working closely with colleagues in security, IT, the GPO, legal and procurement.
• Contractual Risk: Provide review and negotiation of privacy-related contractual terms with individuals, vendors, clients and insurance markets.
• Compliance Monitoring: Monitor and report on compliance with data protection, HIPAA and AI laws, regulations, and internal policies, and implement controls to ensure ongoing adherence.
• Records Retention: Advise business units on privacy requirements and best practices related to records retention and de-identification/destruction and work closely with IT and business units to implement new retention and de-identification/destruction guidelines and capabilities.
• Stakeholder Engagement: Collaborate and build effective working relationships with internal and external stakeholders, including the GPO, Legal, Security, Insurance, IT, AI, Data, HR, Marketing, Digital and third-party vendors, to ensure alignment and cooperation in data privacy initiatives.
• Industry Knowledge: Stay up-to-date with emerging trends, technologies, and legal and regulatory developments in the field of data protection, privacy, AI and cybersecurity.

Benefits

• Medical/dental/vision plans, which start from day one!
• Life and accident insurance
• 401(K) and Roth options
• Tax-advantaged accounts (HSA, FSA)
• Educational expense reimbursement
• Paid parental leave
• Digital mental health services (Talkspace)
• Flexible work hours (availability varies by office and job function)
• Training programs
• Gallagher Thrive program – elevating your health through challenges, workshops and digital fitness programs for your overall wellbeing
• Charitable matching gift program