Cyber Enablers (EN)
OG-WRL-008
DCWF 732
Privacy Compliance Manager
Develops and oversees privacy compliance program and privacy program staff, supporting privacy compliance needs of privacy and security executives and their teams.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T395 (additional): Advise senior management (e.g., CIO) on risk levels and security posture.
- T396 (additional): Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements.
- T457 (additional): Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).
- T524 (additional): Develop and maintain strategic plans.
- T5430 (additional): Present technical information to technical and non-technical audiences.
- T5560 (additional): Promote awareness of cyber policy and strategy as appropriate among management and ensure sound principles are reflected in the organization's mission, vision, and goals.
- T5761 (additional): Account for and administer individual requests for release or disclosure of personal and/or protected information.
- T5762 (additional): Act as a liaison to the information systems department.
- T5763 (additional): Act as, or work with, counsel relating to business partner contracts.
- T5764 (additional): Administer action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
- T5765 (additional): Assist the Security Officer with the development and implementation of an information infrastructure.
- T5766 (additional): Assure that the use of technologies maintains, and does not erode, privacy protections on the use, collection, and disclosure of personal information.
- T5767 (additional): Collaborate on cyber privacy and security policies and procedures.
- T5768 (additional): Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation.
- T5769 (additional): Conduct ongoing privacy training and awareness activities.
- T5770 (additional): Conduct periodic information privacy impact assessments and ongoing compliance monitoring activities in coordination with the organization’s other compliance and operational assessment functions.
- T5771 (additional): Conduct privacy impact assessments of proposed rules on the privacy of personal information, including the type of personal information collected and the number of people affected.
- T5772 (additional): Coordinate with the appropriate regulating bodies to ensure that programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner.
- T5773 (additional): Coordinate with the Chief Information Security Officer to ensure alignment between security and privacy practices.
- T5774 (additional): Coordinate with the Corporate Compliance Officer regarding procedures for documenting and reporting self-disclosures of any evidence of privacy violations.
- T5775 (additional): Develop and apply corrective action procedures.
- T5776 (additional): Develop and coordinate a risk management and compliance framework for privacy.
- T5777 (additional): Develop and manage enterprise-wide procedures to ensure the development of new products and services is consistent with company privacy policies and legal obligations.
- T5778 (additional): Develop and manage procedures for vetting and auditing vendors for compliance with the privacy and data security policies and legal requirements.
- T5779 (additional): Develop privacy training materials and other communications to increase employee understanding of company privacy policies, data handling practices and procedures, and legal obligations.
- T5780 (additional): Direct and oversee privacy specialists and coordinate privacy and data security programs with senior executives globally to ensure consistency across the organization.
- T5781 (additional): Ensure all processing and/or databases are registered with the local privacy/data protection authorities where required.
- T5782 (additional): Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce, extended workforce, and for all business associates, in cooperation with Human Resources, the information security officer, administration, and legal counsel as applicable.
- T5783 (additional): Ensure that the company maintains appropriate privacy and confidentiality notices, consent and authorization forms, and materials.
- T5784 (additional): Establish a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures.
- T5785 (additional): Establish an internal privacy audit program.
- T5786 (additional): Establish with management and operations a mechanism to track access to protected health information, within the purview of the organization and as required by law, and to allow qualified individuals to review or receive a report on such activity.
- T5787 (additional): Establish, implement, and maintain organization-wide policies and procedures to comply with privacy regulations.
- T5788 (additional): Identify and correct potential company compliance gaps and/or areas of risk to ensure full compliance with privacy regulations.
- T5789 (additional): Interface with Senior Management to develop strategic plans for the collection, use, and sharing of information in a manner that maximizes its value while complying with applicable privacy regulations.
- T5790 (additional): Liaise with regulatory and accrediting bodies.
- T5791 (additional): Maintain current knowledge of applicable federal and state privacy laws and accreditation standards, and monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
- T5792 (additional): Manage privacy incidents and breaches in conjunction with the Privacy Officer, Chief Information Security Officer, legal counsel, and the business units.
- T5793 (additional): Mitigate effects of a use or disclosure of personal information by employees or business partners.
- T5794 (additional): Monitor systems development and operations for security and privacy compliance.
- T5795 (additional): Oversee, direct, deliver, or ensure delivery of initial privacy training and orientation to all employees, volunteers, contractors, alliances, business associates, and other appropriate third parties.
- T5796 (additional): Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
- T5797 (additional): Periodically revise the privacy program in light of changes in laws, regulations, or company policy.
- T5798 (additional): Provide development guidance and assist in the identification, implementation, and maintenance of organization information privacy policies and procedures in coordination with organization management and administration and legal counsel.
- T5799 (additional): Provide leadership for the organization’s privacy program.
- T5800 (additional): Provide leadership in the planning, design, and evaluation of privacy and security related projects.
- T5801 (additional): Provide strategic guidance to corporate officers regarding information resources and technology.
- T5802 (additional): Report on a periodic basis regarding the status of the privacy program to the Board, CEO, or other responsible individual or committee.
- T5803 (additional): Resolve allegations of non-compliance with the corporate privacy policies or notice of information practices.
- T5804 (additional): Review all system-related information security plans to ensure alignment between security and privacy practices.
- T5805 (additional): Serve as the information privacy liaison for users of technology systems.
- T5806 (additional): Serve in a leadership role for Privacy Oversight Committee activities.
- T5807 (additional): Support the organization’s privacy compliance program, working closely with the Privacy Officer, Chief Information Security Officer, and other business leaders to ensure compliance with federal and state privacy laws and regulations.
- T5808 (additional): Develop appropriate sanctions for failure to comply with the corporate privacy policies and procedures.
- T5809 (additional): Undertake a comprehensive review of the company’s data and privacy projects and ensure that they are consistent with corporate privacy and data security goals and policies.
- T5810 (additional): Work cooperatively with applicable organization units in overseeing consumer information access rights.
- T5811 (additional): Work with all organization personnel involved with any aspect of release of protected information to ensure coordination with the organization’s policies, procedures, and legal requirements.
- T5812 (additional): Work with business teams and senior management to ensure awareness of “best practices” on privacy and data security issues.
- T5813 (additional): Work with external affairs to develop relationships with consumer organizations and other NGOs with an interest in privacy and data security issues, and to manage company participation in public events related to privacy and data security.
- T5814 (additional): Work with external affairs to develop relationships with regulators and other government officials responsible for privacy and data security issues.
- T5815 (additional): Work with External Affairs to respond to press and other inquiries with regard to concern over consumer and employee data.
- T5816 (additional): Work with legal counsel and management, key departments, and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent and authorization forms, information notices, and materials reflecting current organization and legal practices and requirements.
- T5817 (additional): Work with organization administration, legal counsel, and other related parties to represent the organization’s information privacy interests with external parties, including government bodies, which undertake to adopt or amend privacy legislation, regulation, or standards.
- T5818 (additional): Work with organization senior management to establish an organization-wide Privacy Oversight Committee.
- T5819 (additional): Work with the general counsel, external affairs, and businesses to ensure both existing and new services comply with privacy and data security obligations.
- T599 (additional): Evaluate contracts to ensure compliance with funding, legal, and program requirements.
- T600 (additional): Evaluate cost benefit, economic, and risk analysis in the decision-making process.
- T618A (additional): Provide guidance on laws, regulations, policies, standards, or procedures to management, personnel, or clients.
- T675 (additional): Interpret and apply laws, regulations, policies, standards, or procedures to specific issues.
- T677 (additional): Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the enterprise’s cybersecurity program.
- T784 (additional): Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions.
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- A3076 (ability, core): Ability to tailor technical and planning information to a customer’s level of understanding.
- A6100 (ability, core): Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
- A6910 (ability, core): Ability to determine whether a security incident violates a privacy principle or legal standard requiring specific legal action.
- A6912 (ability, core): Ability to monitor advancements in information privacy laws to ensure organizational adaptation and compliance.
- A6913 (ability, core): Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
- A6914 (ability, core): Ability to work across departments and business units to implement the organization’s privacy principles and programs, and align privacy objectives with security objectives.
- K0100 (knowledge, core): Knowledge of Privacy Impact Assessments.
- K1036 (knowledge, core): Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
- K3651 (knowledge, core): Knowledge of what constitutes a “threat” to a network.
- S6916 (skill, core): Skill in creating policies that reflect the business’s core privacy objectives.
- A3055A (ability, additional): Ability to select the appropriate implant to achieve operational goals.
- A3749 (ability, additional): Ability to develop clear directions and instructional materials.
- A6110 (ability, additional): Ability to develop, update, and/or maintain standard operating procedures (SOPs).
- A6911 (ability, additional): Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target.
- A6918 (ability, additional): Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.
- K0009 (knowledge, additional): Knowledge of applicable business processes and operations of customer organizations.
- K0345 (knowledge, additional): Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
- K1125 (knowledge, additional): Knowledge of cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration.
- K1136A (knowledge, additional): Knowledge of use cases related to collaboration and content synchronization across platforms (e.g., Mobile, PC, Cloud).
- K3098 (knowledge, additional): Knowledge of virtualization products (VMware, Virtual PC).
- K3637 (knowledge, additional): Knowledge of Unix/Linux and Windows operating system structures and internals (e.g., process management, directory structure, installed applications).
- K3644 (knowledge, additional): Knowledge of virtual machine technologies.
- K3654 (knowledge, additional): Knowledge of who the organization’s operational planners are, how and where they can be contacted, and what their expectations are.
- K3659 (knowledge, additional): Knowledge of wireless technologies (e.g., cellular, satellite, GSM), including the basic structure, architecture, and design of modern wireless communications systems.
- K4116 (knowledge, additional): Knowledge of transcript development processes and techniques (e.g., verbatim, gists, summaries).
- K4117 (knowledge, additional): Knowledge of translation processes and techniques.
- S6915 (skill, additional): Skill in communicating with all levels of management, including Board members (e.g., interpersonal skills, approachability, effective listening skills, appropriate use of style and language for the audience).
- S6917 (skill, additional): Skill in negotiating vendor agreements and evaluating vendor privacy practices.
Other roles in this element
EN-211 Forensics Analyst
EN-221 Cyber Crime Investigator
EN-711 Cyber Instructional Curriculum Developer
EN-712 Cyber Instructor
EN-731 Cyber Legal Advisor
EN-751 Cyber Workforce Developer and Manager
EN-752 Cyber Policy and Strategy Planner
EN-801 Program Manager
EN-802 IT Project Manager
EN-803 Product Support Manager
EN-804 IT Investment/Portfolio Manager
EN-805 IT Program Auditor
EN-901 Executive Cyber Leader