Chief Privacy Officer #5359
CHIEF PRIVACY OFFICER
NATURE OF WORK
Working as part of the Office of General Counsel, the Chief Privacy Officer will establish and maintain the SAA vision, strategy, and program to ensure information assets and technologies are adequately safeguarded in order to protect the privacy of the Senators and their staff. The Chief Privacy Officer will develop privacy policies for internal use cases, and privacy statements for external use cases, and describe privacy requirements for business partners and service providers. The Chief Privacy Officer will closely collaborate with business stakeholders to control risk from potential procedural or technology changes that affect privacy. In addition, the Chief Privacy Officer represents the SAA with internal and external stakeholders. The Chief Privacy Officer conducts privacy risk assessments, focused on end-to-end business processes or applications. The Chief Privacy Officer will identify, develop, implement, maintain, assess and test processes across the enterprise to reduce information risks. The Chief Privacy Officer will coordinate a response to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures through analysis of end-to-end business process mapping. This position will identify key controls (to include major IT programs, macro programs, and non-IT related information) and identify strengths and material weaknesses. In coordination with the business process owners, the Chief Privacy Officer will exploit opportunities and weigh risks. The Chief Privacy Officer will coordinate the development of corrective action plans for risks deemed unacceptable and track them until mitigated. He or she will identify and suggest priorities for the organization, as well as determine how to maintain and improve adherence to Senate policies.
EXAMPLES OF WORK
(This list is not absolute or restrictive, but indicates approximate duties and responsibilities which may be redefined pursuant to operational needs.)
• Working across the divisions of the SAA, maintains, develops and implements SAA's privacy management program and the resulting privacy policies, procedures and documentation for the processing of personal data in coordination with SAA leadership.
• Devises and updates policies and procedures for customers, employees and data breach incident responses, ensuring alignment with the actual implementation of personal data processing activities.
• Works to ensure the organization maintains the appropriate privacy and confidentiality consent procedures, authorization forms, and information notices.
• Works with procurement, vendor management and the legal departments to ensure that contracts and operating-level agreements meet the Senate’s privacy requirements.
• In coordination with the SAA Internal Controls Program, implements and maintains an internal reporting mechanism for intended (new or changed) personal data processing activities, to which business unit/process owners must adhere.
• Determines the SAA’s specific privacy-related requirements and potential vulnerabilities.
• Receives and manages internal reports from business stakeholders to maintain control over all project and innovation initiatives, including change management, to ensure timely attention to privacy bottlenecks and gaps.
• Manages the privacy risk assessment process in close collaboration with business stakeholders.
• Coordinates with business process owners to ensure they establish adequate segregation of duties, rigorous change management procedures, access procedures, incident and problem management procedures, and configuration, installation & testing procedures.
• Collaborates with and assists business units and technology areas to develop corrective action plans for identified privacy compliance issues.
• Continuously monitors the status and effectiveness of privacy controls across service offerings, ensuring that privacy-related key risk indicators are effectively monitored to prevent an unacceptable impact on business objectives and reputation.
• Conducts frequent compliance report monitoring activities on collaborating partners, third-party service providers' and other data processors' levels of privacy compliance.
• Develops a testing methodology and reports findings in a structured, transparent and business-relevant manner, in coordination with SAA leadership, so that the SAA can recommend, decide and instruct on adequate and appropriate mitigating measures.
• Supports the creation of an inventory that documents how and why SAA collects, shares and uses personal data.
• Continuously updates and re-evaluates the extent to which customer, constituent and employee information is collected and shared internally and externally.
• Monitors the data request and usage processes, purpose-based authorized use and prevention mechanisms' effectiveness against unauthorized use and cross-border data transfer matters for personal data across SAA.
• Works with business owners to help them maintain registries of all personal data stores and processing activities.
• Serves as the internal advisor to the CIO to interpret privacy/policy-related questions.
• Ensures that data security practices, in particular, logging, monitoring and auditing practices, do not conflict with privacy requirements.
• Works closely with the CIO to anticipate potential privacy problems embedded in the use of emerging technologies.
• Liaises with SAA's CIO and Director of Cybersecurity in matters relating to data breaches (including preparedness, prevention, impact mitigation and integral management of breaches).
• Identifies trends in privacy requirements and compliance enforcement, incorporates the necessary changes into the privacy management program, and communicates those updates only to the stakeholder audiences affected in their respective activities.
• Develops new and innovative strategies to address privacy requirements in new computing paradigms, such as hybrid cloud computing, social media analytics, and surveillance technologies.
PHYSICAL DEMANDS AND WORKING ENVIRONMENT
Work is primarily in an office environment with no exceptional physical demands.
The ideal candidate will have a combination of a legal or business degree with a technical or computer science degree. Work requires a Bachelor’s Degree or higher in business administration, law, finance, accounting, computer science or a related discipline and at least 7 years of senior or executive management experience; or any equivalent combination of education and experience that provides the following knowledge, skills, and abilities:
• Familiarity and experience with cloud computing, online services, web and enterprise applications, and data analytics.
• Ability to understand business process flows and to provide recommendations for operationalizing compliance requirements.
• Strong analytical and problem resolution skills. Sound business judgment, with the ability to think strategically and give practical advice by balancing business needs with legal risks.
• Strong written and verbal communication skills, as well as the ability to work well with a diverse client base.
• Willingness to be available for incident and emergency handling outside standard office hours, where necessary.
• Knowledge of the privacy aspects of the product development life cycle, data handling and asset classification, and knowledge of the role of a privacy professional in ensuring that customer data is properly managed.
• Ability to articulate the importance of customer privacy. Comfort with promoting privacy up and down the management chain, including audiences who have varying levels of familiarity with the topic.
• Ability to maintain proper documentation, relevant records and archives in an orderly, transparent fashion.
LICENSES, CERTIFICATION AND OTHER REQUIREMENTS
• Position requires the ability to obtain a top-secret security clearance.
• An advanced degree in law (JD), business (MBA), information science (MIS), information security or a related field is preferred.
• The preferred candidate holds at least one certification from each of the following two groups: Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and/or Certified Information Privacy Technologist (CIPT); and Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and/or Certified Information Systems Auditor (CISA).