Data Protection Programs Director

Reporting to the VP of Compliance & Risk, the Data Protection Programs Director is integral to the development, maintenance, and enhancement of Everly Health’s data protection program as it evolves with the business. Incumbent will be responsible for advising multiple levels of the organization on laws, regulations, and industry best practices concerning data protection, and will facilitate the translation of those requirements into operation.  Leading the daily operations of the data protection program including development, implementation and maintenance of policies and procedures, auditing and monitoring program compliance, investigation and tracking of incidents.

• Builds a strategic and comprehensive data protection program that defines, develops, maintains and implements policies and processes that enable consistent, effective data protection practices which minimize risk and ensure the confidentiality of personally identifiable information (PII) and protected health information (PHI), paper and/or electronic, across all media types.
• Ensure the organization has and maintains appropriate privacy and confidentiality consents, authorization forms and information notices and materials reflecting current organization and legal practices and requirements.
• Establishes, with the information security officer, an ongoing process to track, investigate and report potential unauthorized access and disclosure of protected information (PII/PHI). Monitor patterns of access and/or disclosure of protected health information.
• With oversight from the Chief Privacy Officer, recommends and manages all required breach determination and notification processes.
• Complete research and apply a risk-based assessment of how legal requirements affect new services, offerings, projects, products, or initiatives.
• Lead privacy by design reviews of client-facing services, offerings, projects, products or initiatives, incorporating data privacy principles into those initiatives.
• Build and maintain strong and trusted relationships with internal and external stakeholders and provide support and advice in support of rapid-solutioning to meet current and future business needs.
• Performs initial and periodic risk assessment/analysis, mitigation and remediation.
• Collaborates with the information security officer to ensure alignment between security and privacy compliance programs including policies, practices and investigations.
• Support contract negotiations on an as-needed basis to review data privacy contractual provisions with customers and third-party suppliers, such as data processing agreements, data transfer agreements, and business associate agreements.
• Keep abreast of technological developments, changes in the law, and enforcement trends, and their impact on data privacy. Develop guidance, training, and thought leadership as needed for internal audiences.
• Conducts related ongoing compliance monitoring activities in coordination with the organization's other compliance and operational risk assessment functions.
• Oversees, develops and delivers initial and ongoing privacy training to the workforce, Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
• Works cooperatively with business teams in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.
• Establishes and administers a process for investigating and acting on privacy and security complaints.

• Bachelor’s degree from an accredited college or university.
• Minimum of 15 years of professional experience in data protection/privacy, including at least 5 years of experience partnering with technology and marketing executives to manage data derived from digital tracking and marketing technologies to comply with applicable regulatory and digital advertising industry requirements.
• Subject matter expertise with the federal and state data privacy laws, regulations, and industry codes in the U.S., and ability to translate written regulatory requirements into actionable technological specifications and Privacy Impact Assessments.
• Professional experience conducting privacy by design reviews, particularly in the healthcare, healthtech and medical device verticals.
• Law degree from an ABA-accredited law school preferred.

• CIPP/CIPM/CIPT certification strongly preferred.