Job: Head of Data Security and Compliance
Python, GDPR, CCPA, SOC, ISO
Remote
Full Time
Description
Our client is seeking a highly skilled Head of Data Security & Compliance to join our fast-growing SaaS company. This leadership role is responsible for ensuring the company’s data security, regulatory compliance, and overall protection of sensitive information. The ideal candidate will possess a deep understanding of data security best practices, compliance frameworks, and risk management strategies. Moreover, the Head of Data Security & Compliance should demonstrate a customer-centric approach, ensuring that security measures do not impede product functionality or ease of use, or hinder the sales process. This role requires a unique blend of technical expertise, strategic thinking, and business acumen.
Responsibilities
- Ensure compliance with ISO, SOC 2, GDPR, Mexico, Ecuador, California and other relevant data privacy laws in the USA and LatAm, developing and implementing policies, procedures, and controls to meet the requirements.
- Collaborate with internal teams to establish data minimization practices, consent management processes, and procedures to address data subjects’ rights, including the right to be forgotten.
- Work with the product team to ensure that all of our client’s products are best-in-class from a data security perspective.
- Lead and oversee audits, including SOC 1, SOC 2, and SOC 3 audits and ISO 27001 certification, ensuring compliance with control objectives and requirements.
- Stay updated on emerging data privacy laws and regulations, such as GDPR, CCPA and PIPEDA, and assess their impact on our client’s data protection practices.
- Lead incident response efforts, including managing data breach incidents, coordinating investigations, and executing data breach notification procedures in accordance with GDPR and other applicable regulations.
- Conduct regular risk assessments and vulnerability assessments to identify potential weaknesses and implement appropriate controls.
- Stay informed about emerging threats, trends, and industry developments, and proactively update security strategies to address new risks.
- Develop and maintain documentation, such as Data Protection Impact Assessments (DPIAs), privacy policies, and procedures, to demonstrate compliance with data protection regulations.
- Understand cloud technologies and architectures, such as Google Cloud Platform and AWS, and apply associated security and compliance considerations in data protection strategies.
- Apply data security principles, including encryption, anonymization, and pseudonymization techniques, to safeguard sensitive data.
- Collaborate with cross-functional teams to embed security considerations throughout the product development lifecycle without compromising functionality or user experience.
- Conduct thorough security assessments of new features, products, and systems to identify potential risks and recommend appropriate security controls.
- Champion a culture of secure coding practices, security testing, and ongoing vulnerability management to ensure the product is robust and resilient.
- Address security issues related to database technologies, ensuring secure database configurations and access controls.
- Balance security requirements with customer expectations and usability, ensuring security measures do not create unnecessary obstacles or impede the overall user experience.
- Engage with customers, understand their security concerns, and provide guidance on secure product usage, privacy, and data protection practices.
- Collaborate with customer support and sales teams to address security-related inquiries and concerns and to provide expertise during the sales process.
Requirements
- In-depth knowledge of data privacy and protection laws, regulations, and frameworks in the LatAm region, including specific knowledge of Mexico’s data protection landscape, as well as expertise in GDPR requirements, such as data minimization, right to be forgotten, consent management, etc.
- Experience as a DPO in a fintech, highly regulated start-up, or equivalent.
- Experience with SOC 1, SOC 2, SOC 3 audits, and ISO 27001, understanding the control objectives and requirements associated with these standards.
- Familiarity with other data privacy laws and regulations, such as GDPR, CCPA (California Consumer Privacy Act), PIPEDA (Personal Information Protection and Electronic Documents Act), and other relevant global privacy frameworks.
- Proficiency in risk assessment methodologies and experience conducting security risk assessments to identify and mitigate potential risks to data security and compliance.
- Ability to develop and maintain documentation, including Data Protection Impact Assessments (DPIAs), privacy policies, procedures, and other necessary documentation to ensure compliance with data protection regulations.
- Experience in incident response and data breach notification procedures as per GDPR and other applicable regulations, including coordination with relevant stakeholders, regulatory bodies, and legal teams.
- Proficiency in Python programming language for data analysis, automation, and security-related tasks.
- Understanding of cloud technologies and architectures (Google Cloud Platform, MongoDB, AWS) and the associated security and compliance considerations.
- Knowledge of data security principles, including encryption, anonymization, and pseudonymization techniques.
- Familiarity with database technologies and associated security issues.
- In-depth knowledge of data security frameworks, such as ISO 27001, NIST Cybersecurity Framework, or CIS Controls.
- Strong understanding of regulatory compliance requirements, such as GDPR, CCPA, or HIPAA.
- Demonstrated experience in developing and implementing comprehensive information security strategies.
- Proven track record of successfully integrating security into product development lifecycles while maintaining usability and customer satisfaction.
- Familiarity with secure coding practices, vulnerability management, and security testing methodologies.
- Excellent communication and interpersonal skills to collaborate effectively across departments and communicate complex security concepts to non-technical stakeholders.
- Strong analytical and problem-solving skills to identify and mitigate potential risks effectively.
- Relevant certifications such as CISSP, CISM, or CRISC are highly desirable.