Senior Director, Global Privacy

About The Position

Requirements

• Juris Doctor from an accredited law school.
• 15 years of relevant legal experience, including significant experience in biotechnology, pharmaceutical, or healthcare environments.
• A minimum of 10 years of experience as a supervisor with strong leadership skills and experience managing and developing high-performing teams.
• Ability to influence senior executives and cross-functional teams.
• Demonstrated experience leading an enterprise-level privacy or data-governance program, with accountability for outcomes.
• Deep expertise in HIPAA, GDPR, U.S. state privacy and consumer health data laws, and global data-transfer frameworks.
• Proven ability to influence senior leaders, manage cross-functional stakeholders, and exercise independent judgment on complex risk issues.
• Strong experience negotiating complex commercial, vendor, and clinical research agreements involving data protection.

Nice To Haves

• CIPP/US, CIPM, or equivalent privacy certification.
• AI governance or emerging-technology experience (e.g., AIGP or equivalent).
• Experience supporting public companies or late-stage/pre-commercial organizations.

Responsibilities

• Lead the design, implementation, and ongoing enhancement of Crinetics’ global privacy and data-protection program, including the design, implementation, and ongoing oversight of policies, standards, procedures, and controls aligned with U.S. and international privacy laws and industry best practices.
• Establish and chair enterprise privacy and data-governance forums, defining decision rights, escalation pathways, and accountability across functions.
• Provide regular executive-level reporting on privacy risk posture, program effectiveness, and emerging regulatory developments.
• Serve as the company’s senior legal authority on privacy, data protection, and data-use governance, advising executives and cross-functional leaders on risk-based, compliant approaches to business initiatives.
• Translate complex legal requirements into practical operating guidance that supports innovation, patient trust, and responsible data use.
• Provide senior-level oversight of privacy considerations across the clinical-trial lifecycle, including recruitment, informed consent, source data access, pseudonymization/de-identification, secondary research use, and data retention.
• Advise on privacy governance for interactions with CROs, investigators, sites, and vendors, ensuring appropriate access controls, contractual protections, audit rights, and ongoing compliance monitoring.
• Lead privacy strategy for cross-border data transfers, including approval and oversight of Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), and supplementary safeguards.
• Oversee privacy and data-use governance for patient support programs, open-label extensions, real-world evidence initiatives, digital health tools, patient ambassadors, and testimonials.
• Ensure appropriate consent, authorization, notice, and opt-out mechanisms, with particular attention to U.S. state consumer health data laws.
• Establish controls to maintain appropriate separation between clinical research data and commercial or marketing uses.
• Lead privacy and data-governance oversight for AI, machine learning, and advanced analytics, including review of high-risk use cases, data sourcing, transparency, and accountability.
• Monitor, interpret, and operationalize emerging privacy, cybersecurity, and AI laws and guidance, including GDPR, HIPAA, CCPA/CPRA, Washington My Health My Data Act, and other U.S. state and global requirements.
• Oversee the privacy risk-assessment framework, including Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs).
• Ensure identified risks are tracked, mitigated, and documented, with clear ownership and follow-through.
• Provide senior legal oversight of privacy and data-protection provisions in vendor, CRO, collaboration, and commercial agreements.
• Partner with Procurement, IT Security, and Compliance to oversee third-party privacy and security risk management, including onboarding diligence, ongoing monitoring, and remediation.
• Play a senior leadership role in privacy and data-security incident response, including assessment of regulatory notification obligations and coordination with internal and external stakeholders.
• Align privacy governance with cybersecurity controls, including data classification, access management, retention, and secure system design.
• Build and lead a high-performing privacy function, including hiring, mentoring, and developing team members as the company grows.
• Drive enterprise-wide privacy training and awareness to foster a culture of accountability, ethical data handling, and privacy by design.
• Act as a visible leader who models company values and builds trust across the organization.
• Other duties as assigned.

Benefits

• discretionary annual target bonus
• stock options
• ESPP
• 401k match
• top-notch health insurance plans for employees (and their families) to include medical, dental, vision and basic life insurance
• 20 days of PTO
• 10 paid holidays
• winter company shutdown