Data Protection and Privacy - Assistant Director (Data Risk and Incident Manager)

Data Protection and Privacy – Assistant Director (Data Risk and Incident Manager)

Risk Management supports our people in managing the risks that arise during our daily working lives. We work closely with all parts of the organization to identify, manage and monitor risk, providing coordinated advice and assistance on independence, conflicts, compliance, regulatory, policy, security issues, as well as dealing with claims and any queries regarding ethics.

The opportunity 

We are operating in an increasingly connected world that is changing how to manage risk. With fast-paced technology advancements, new innovations within emerging technologies, and an ever-challenging regulatory environment, it is business critical for our organization to not only identify the risks, but also the opportunities these present. As a Data Risk Manager, you will make educated, thoughtful decisions on Risk Management. Our brand depends on it. It’s all part of our long-term commitment to building a better working world and in return, you can expect plenty of opportunities to take on new responsibilities and develop your career. 

Your key responsibilities 

As part of EY Americas Data Protection (Confidentiality, Data Privacy) function, you will assist in the development, implementation, and monitoring of various activities within the Data Protection program. The position involves managing the firm’s confidential and personal information inventory and data subject rights request process. The position also involves investigating and addressing data incidents (loss, theft, and inappropriate disclosure or use of confidential/personal information) in accordance with EY’s policies and procedures. You will serve as the primary point of contact for EY client serving teams regarding data incidents and work across functions (Legal, IT, Investigations, Executive Leadership) to coordinate the response. You will help with interpreting data protection and privacy laws and policies, determining required actions to standard and non-standard situations, and making recommendations based on firm guidance, professional standards, and acquired experience. The position involves coordination and reporting of various Data Protection activities to stakeholders and interacts with executive-level personnel.

Skills and attributes for success

• Leads the Data Risk Management function of the Data Protection program, including but not limited to:
  • Documenting, conducting, and assisting others with investigations of data incidents (i.e., instances of loss, theft, or inappropriate disclosure of confidential/personal information); collaborating with clients, internal functions, and EY service lines to understand root cause, assess impact, and develop remediation plans,
  • Maintaining EY confidential and personal information inventory, in partnership with EY internal functions and service lines, to understand types of information that require protection and to fulfil data protection regulatory requirements (e.g., Records of Processing Activities (ROPA)),
  • Responding to data subject rights (DSR) and internal data access requests in accordance with applicable data protection legal and regulatory requirements and EY policies,
  • Collaborating with EY Information Security functions to design and implement controls (e.g., data loss prevention, insider threat detection) to protect confidential and personal information based applicable data protection regulatory requirements and EY policies, and
  • Developing, driving, and executing strategy to continuously build out the Data Risk Management function to align with industry leading practices and data protection regulatory requirements
• Assists other functions of the Data Protection program, including but not limited to:
  • Tracking and analyzing new and/or revised applicable data protection laws, regulations, and standards (e.g., CPRA, VCDPA, HIPAA), and
  • Developing and maintaining EY U.S. data protection policies, guidance, training, and awareness communication plan to reflect new and/or changes to data protection laws, regulations, and other related EY policies 
• Interacts with various stakeholders and functions across the organization, such as EY’s Information Security, Risk Management, General Counsel’s Office (GCO), Service Line Quality, Talent, and client serving teams, including but not limited to:
  • Partnering with local and Global teams across the above Data Protection processes,
  • Working collaboratively with related various EY Service Line Quality teams so as to understand and recommend enhancements to various service line policy or awareness efforts,
  • Assisting in reporting on various data protection program activities to key stakeholders within the organization, including senior leaders within EY Service Line Quality, GCO, Risk Management, and others, and
  • Developing relationships across teams/functions
• Maintains and expands current knowledge of field of expertise and communicates new developments and resulting impact to program stakeholders and team members
• Participates in other ad hoc projects, as assigned

To qualify for the role you must have

• Strong verbal and written communications skills, and the ability to interface and communicate effectively and diplomatically with all levels of EY personnel
• Solid understanding of relevant firm business and area wide data protection issues and concerns
• Strong project management and problem-solving skills
• Strong investigative mindset with ability to quickly assess situations and determine the impact
• Proven ability to lead under pressure
• Flexibility and the ability to take the initiative
• Independent decision-making skills, as well as discretion as to when to escalate issues for further review to senior members of the Americas Data Protection team
• Ability to right-size risk
• High degree of cultural and emotional intelligence
• Ability to deliver tough messages to executive leaders within the firm

• Strong organizational skills; demonstrated ability to create, plan and successfully handle multiple tasks; and the ability to meet multiple deadlines in a fast-paced environment

• Ability to train and supervise local or virtual teams, including junior Data Protection team members as well as other operational teams supporting the Data Protection program
• Ability to foster teamwork and maintain effective working relationships with internal clients/stakeholders
• Responsiveness with ability to manage high workload volumes efficiently and effectively
• Good working knowledge of information systems and common software packages
• Experience with data protection technologies (e.g., Data Loss Prevention (DLP) preferred
• Bachelor’s degree or equivalent work experience; Graduate degree preferred
• 4-6 plus years related experience

Ideally, you’ll have

• The ability to reference existing firm data protection and privacy policies as well as knowledge and experience to review complex situations and assist in proposing solutions
• Strong knowledge of relevant global, national, and local data protection laws, regulations, and standards, as well as familiarity with other risk management initiatives outside of their specific area
• Sound understanding of high-level technology trends and issues surrounding data protection
• Privacy certification from ISACA or the International Association of Privacy Professionals (e.g., CIPP, CIPM, CDPSE)

What we look for 

We’re interested in people that will be able to right-size risk and recommend creative solutions to complex problems, as well as take responsibility for complex Risk Management projects or significant aspects of highly complex projects.