Global Data Privacy Director

International Rescue Committee

BACKGROUND

Over the past 80 years, the International Rescue Committee (IRC) has developed unparalleled expertise in responding to emergencies and helping uprooted communities to rebuild. Founded in 1933 at the request of Albert Einstein, the IRC offers lifesaving care and life-changing assistance to refugees forced to flee from war or disaster. The IRC is on the ground in more than 40 countries, providing emergency relief, relocating refugees and rebuilding lives in the wake of disaster. Through 25 regional offices in cities across the United States, the IRC also helps refugees resettle in the US and become self-sufficient. The IRC is committed to a culture of bold leadership, innovation in all aspects of our work, creative partnerships and, most crucially, accountability to those we serve. The IRC is a tireless advocate for the most vulnerable.

IRC in Europe & Worldwide

The IRC in Europe has a number of legal entities, including in the UK and Germany. Activities in Europe combine country programs implementing integration projects for refugees and other vulnerable populations with representational functions of IRC’s global work vis-à-vis the EU and Member State governments, and raising funds for project work worldwide.

IRC is also operating in other markets with increasing data protection regulation. The growing complexity and scope of IRC’s activities in Europe and across the world creates the need for a dedicated data protection function to ensure IRC’s compliance with local regulations and to protect the data of vulnerable persons we serve, as well as our staff and supporters.

PURPOSE OF THE ROLE

IRC is recruiting an experienced Global Data Privacy Director to meet its obligations under the EU and UK’s General Data Protection Regulation (GDPR) and other applicable regulatory frameworks under which IRC operates. Reporting to the Chief Information Security Officer, the Global Data Privacy Director will bring together and formalize existing data privacy functions (i.e. IT, Legal, etc.). As the first fully dedicated organizational data privacy leader, the director shall develop and monitor compliance and data practices internally to ensure the organisation and its functions comply with the applicable regulatory requirements. Of significant importance is the capability to drive organizational change for this vital function for a global organisation across 40 jurisdictions.

The Global Data Privacy Director will be the champion of data protection and be responsible for staff training, developing and rolling out a privacy governance framework, and internal audits. The role will also serve as the primary contact for supervisory authorities and individuals whose data is processed by IRC.

KEY ACCOUNTABILITIES

The Global Data Privacy Director will report to the CISO (based in the US) and will work in close coordination with senior staff in Europe and the US, IT and in-house legal colleagues. It is expected that the role will manage a small team. Some travel will be required.

Duties will include:

  • Developing and implementing a privacy governance framework to manage data use in compliance with the EU/UK GDPR and other regulatory frameworks, including developing templates for data collection, assisting with data mapping, and vendor management reviews.

  • Executing a privacy governance framework and training across the IRC Network, gaining buy-in from senior leaders in HQs and in the field and coordination with nominated privacy representatives in each country program.

  • Working with key internal stakeholders in the review of projects and related data to ensure compliance with local data protection laws, and where necessary, advise on privacy impact assessments.

  • Serving as the primary point of contact and liaison for Supervisory Authorities on all data protection related matters under the GDPR, US and jurisdictions requiring enterprise, expert attention.

  • Serving as the point of contact for data protection queries.

  • Reviewing vendor contracts and advising procurement staff on data protection risks and obligations.

  • Monitoring and prioritizing changes to local privacy laws.

  • Setting standards and reviewing policies and procedures globally that meet the requirements under the GDPR and any localization requirements in countries of operation.

  • Developing and delivering data protection training to various business functions.

  • Developing strategies and initiatives to ensure engagement with key internal and external stakeholders.

  • Coordinating and conducting data protection audits.

  • Collaborating with the IT and Information Security functions to raise employee awareness of data privacy and security issues, and to develop and maintain a data security incident management plan to ensure timely remediation of incidents including impact assessments, security breach response, complaints and responding to subject access requests.

  • Directing IT, as needed, to implement required data protection controls.

  • Liaising with external legal counsel, where needed.

Key Working Relationships:

Position Reports to: Chief Information Security Officer

Position directly supervises: Data Protection Senior Analyst

Indirect Reporting: Associate General Counsel, Europe & Privacy

Other Internal and/or external contacts:

Internal: Senior Leadership, GIS Steering Committee, business and IT staff across regions, HQ and Nairobi iHub, Safety and Security Team, Data Protection Working Group

External: Industry/sector peers and vendors. Law enforcement if needed for incident response.

Job Requirements:

Education

Relevant Bachelor’s degree; Law degree highly desired.

Work Experience

  • At least 5-7 years data protection experience required, including strong knowledge of EU data privacy and data protection regulation, and a good understanding of other major privacy frameworks and evolving legislation worldwide.
  • At least 2 years of functional leadership; 2-5 of these years must be in a global organization; nonprofit experience desired.

Demonstrated Skills and Competencies

Skills, Knowledge and Qualifications and Experience

  • Demonstrable experience with change management capabilities to influence and educate at all levels to secure buy-in across the organization.
  • Hands-on experience in privacy/data protection aspects of incident response.
  • Experience in developing and rolling out a global privacy program including a governance framework, policy and compliance training.
  • Understanding of data security principles and ability to coordinate and direct specialist IT security staff with desired controls such as data loss prevention, encryption, time-bound lost/stolen data or asset reporting with required remediation and support mechanisms.
  • Experience of operating in a complex international environment and providing advice across multiple countries
  • Pragmatic problem-solver, committed to understanding what people are trying to achieve and finding legally compliant solutions that meet business needs
  • Integrity, professional discretion and ability to handle sensitive/confidential matters
  • Proactive, creative thinker, with strong judgment and analytical skills
  • Strong, credible communicator, with the ability to listen effectively and make complex privacy matters understandable to staff

Language Skills: English required; French and Arabic a plus

Certificates or Licenses: Holds at least two data privacy certifications (e.g. CIPP, CIPM, CIPT, ISEB) or equivalent.

Working Environment: Standard office work environment; work location may be another IRC office.

Travel: Up to 10%/year

The IRC and IRC workers must adhere to the values and principles outlined in IRC Way – Standards for Professional Conduct. These are Integrity, Equality, Service, and Accountability. In accordance with these values, the IRC operates and carries out policies on Beneficiary Protection from Exploitation and Abuse, Child Safeguarding, Anti Workplace Harassment, Fiscal Integrity, and Anti-Retaliation.

The IRC and IRC employees must adhere to the values and principles contained in the IRC Way (standards for professional conduct). These are Integrity, Equality, Service, and Accountability. In accordance with these values, the IRC operates and enforces policies on the protection of beneficiaries from exploitation and abuse, child protection, workplace harassment, financial integrity, and retaliation.

How to apply

https://rescue.csod.com/ux/ats/careersite/1/home/requisition/33457?c=rescue

