Privacy Program Lead

Fasken, Toronto, ON
$95,000 - $124,000

About The Position

Fasken’s Information Security Office is seeking a senior, hands-on Privacy Program Lead to operationalize and mature the firm’s global privacy program. This role is responsible for executing privacy impact assessments, transfer risk assessments, and data protection reviews, translating regulatory and client privacy requirements into practical, enforceable controls across multiple jurisdictions including Canada, the United Kingdom, European Union and South Africa. They will partner closely with Legal, Security, IT and business stakeholders to ensure compliant and efficient data handling practices. This role also supports responsible AI adoption by assessing privacy risks associated with AI systems and ensuring alignment with the firm’s AI governance standards and regulatory expectations. Reporting into the Information Security Governance function and working in close collaboration with the Chief Privacy Officer, this role serves as the firm’s operational privacy subject matter expert and primary driver of privacy program development and execution.

Requirements

  • 7–10+ years professional experience in privacy, risk, compliance, or information governance.
  • Strong working knowledge of privacy laws and frameworks (PIPEDA, GDPR, POPIA, and international transfer requirements).
  • Demonstrated experience conducting privacy impact and risk assessments.
  • Ability to translate legal and regulatory requirements into operational controls.
  • Experience working cross-functionally with Legal, Security, IT, and business stakeholders.
  • Excellent written and verbal communication skills suitable for regulators, clients, and senior leadership.

Nice To Haves

  • Experience supporting multi-jurisdictional privacy programs.
  • Background in professional services, legal, financial, or other regulated industries.
  • Familiarity with ISO 27001, ISO 42001 or comparable governance frameworks.
  • Experience supporting client audits or regulatory inquiries.
  • Relevant certifications such as: CIPP/C, CIPP/E, CIPM, CDPSE, ISO 27001/42001 Lead Implementer/Auditor

Responsibilities

  • Lead operational delivery of the firm’s privacy program under the direction of the Chief Privacy Officer.
  • Conduct DPIAs, PIAs, TRAs and privacy risk reviews for new technologies, vendors and business initiatives.
  • Identify privacy risks and coordinate remediation with responsible teams.
  • Maintain privacy risk registers and issue tracking.
  • Develop and deliver firmwide Privacy Training.
  • Translate regulatory obligations (including PIPEDA, GDPR, POPIA and applicable provincial and state laws) into actionable controls and guidance.
  • Map privacy controls of ISO 27001, client audit expectations, and internal governance requirements.
  • Monitor emerging regulatory developments and recommend program enhancements.
  • Conduct privacy risk assessments for AI and generative AI solutions.
  • Evaluate data usage, training inputs, retention and output handling for privacy compliance.
  • Partner with technology and governance teams to ensure AI systems align with privacy, confidentiality and client obligations.
  • Support development of privacy guardrails and review standards for AI deployments.
  • Support data classification, retention, minimization, and lawful use practices across systems and processes.
  • Partner with IT and Security teams to validate that technical controls align with privacy requirements.
  • Advise on cross-border data transfers and third-party processing risk.
  • Conduct privacy risk assessments for third parties handling personal or confidential data.
  • Evaluate contractual safeguards, transfer mechanisms, and processing obligations.
  • Provide recommendations to Procurement, Legal, and Security teams.
  • Participate as privacy SME in investigations involving potential personal data exposure.
  • Assess regulatory and contractual notification obligations.
  • Support post-incident lessons learned and control improvements.
  • Provide practical privacy guidance to business leaders, attorneys, and operational teams.
  • Deliver targeted awareness sessions promoting privacy-by-design practices.
  • Support RFP responses, client questionnaires, and audit requests.
  • Define and track program KPIs/KRIs such as: assessment turnaround time, remediation closure rates, risk severity trends, third-party privacy posture
  • Provide executive-level reporting and actionable insights.