About The Position

Why should you join our team? American AgCredit offers a unique opportunity to be a part of a national financial system supporting those who feed, clothe and fuel the world. We are a growing organization embracing collaboration and innovation while delivering transformative solutions. American AgCredit provides a cultivating environment where you truly make a difference for our customers and teams.

Benefits offered by American AgCredit:

  • Commitment to agriculture and the communities we serve
  • Family friendly work environment
  • Investment in employee development
  • Medical, Dental and Vision coverage
  • Outstanding 401k – automatic 3% employer contribution, plus match up to 6%
  • Generous Paid Time Off (Vacation accrued at 26 days annually, Sick Days accrued at 15 days annually, 12 paid holidays, plus 16 hours of volunteer time)
  • Competitive Incentive Compensation Plan
  • Disability & Life Insurance
  • Employee mental, physical, and financial wellness programs
  • The position is bonus eligible based on association and personal performance

Position will be posted until filled.

BASIC FUNCTION: The Privacy and Information Governance Compliance Program Manager is responsible for designing, implementing, and maturing the Association’s enterprise Privacy Program in alignment with regulatory requirements, industry standards, and evolving organizational needs. This role serves as the Association’s primary privacy subject-matter expert and liaison to internal stakeholders, customers, regulators, and auditors. The Privacy and Information Governance Compliance Program Manager works independently and collaborates with business units within all three lines of responsibility to manage risks arising from operational, technological, and AI-driven changes affecting privacy.

ESSENTIAL DUTIES: Under the oversight and direction of the Executive Head of Compliance, Ethics, and Regulatory Management, this position is responsible for the following:

Requirements

  • Possess a minimum of 8-10 years of progressive, hands-on experience in privacy, data protection, risk management, information security, or auditing, with a strong preference for candidates with a background in financial services environments.
  • Hold a Bachelor's degree with a major in finance, business, information systems, or a closely related field, or demonstrate equivalent work experience.
  • Maintain formal, interdisciplinary risk alignment certifications such as Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), or Certified Information Security Manager (CISM); additional credentials such as Certified Information Privacy Officer (CIPP), Certified Information Privacy Technologist (CIPT), or Certified Information Privacy Manager (CIPM) are highly valued.
  • Commitment to ongoing professional education and development is required.
  • Demonstrate a proven ability to operationalize complex privacy obligations under CPRA, CCPA, and other multistate data privacy regimes within large, matrixed organizations, effectively managing competing priorities and meeting critical deadlines both independently and as part of a collaborative team.
  • Possess deep expertise in privacy regulations, personal data processing, and the full data lifecycle, with the ability to apply this knowledge to real-world scenarios and ensure compliance across the organization.
  • Exhibit experience in fostering and embedding a risk-aware culture within fast-paced, rapidly evolving business environments, adapting strategies to meet organizational needs.
  • Demonstrate a strong track record of building and sustaining cross-functional partnerships, and communicating complex privacy and risk management concepts clearly and persuasively to senior leadership and executive stakeholders.
  • Bring prior experience working directly with regulatory agencies, participating in regulatory examinations, and supporting compliance-related inquiries (preferred).
  • Exhibit strategic thinking skills, with the authority and confidence to influence, oversee, and monitor the performance and continuous improvement of the Privacy Program.
  • Possess comprehensive knowledge of Enterprise Risk Management frameworks, including risk management processes, risk appetite statements, key risk indicators (both leading and lagging), and conducting robust risk assessments and reviews.
  • Demonstrate mastery of the English language, with exceptional skills in proofreading, editing, formatting, and spelling to ensure the highest quality of written communications.
  • Be highly proficient in utilizing software and information technology tools to collect, organize, manage, and disseminate information, with a demonstrated ability to leverage technology in innovative and complex situations.
  • Exhibit exceptional written and oral communication, facilitation, and presentation skills, with a history of effectively reporting to all levels of the organization, including the Board of Directors and Executive Team.
  • Strong analytical, problem-solving, and stakeholder engagement abilities are essential.
  • Demonstrate a results-oriented approach, with the ability to analyze problems and deliver solutions efficiently, accurately, and thoughtfully under tight deadlines.
  • Present a professional demeanor and positive attitude, interacting effectively with colleagues at all levels, external auditors, and regulatory agencies, while consistently demonstrating integrity, discretion, and sound judgment.
  • Bring a forward-thinking, enterprise-wide perspective to proactively identify and address potential and emerging privacy and risk issues, aligning with organizational goals and regulatory expectations.
  • Exhibit unwavering integrity, high ethical standards, and a strong work ethic, maintaining confidentiality and exercising excellent judgment in all matters.
  • Willingness and ability to travel domestically up to 20% of the time to support business needs, team meetings, and regulatory engagements.
  • Must be able to perform basic office tasks and work in a typical office setting.
  • The employee will be sitting for extended periods and accomplishing work at a desk and a computer for an extended period.
  • Must have strong written and verbal communication skills to convey ideas and work with a team effectively.
  • The ability to talk and hear, sit and use their hands and fingers, and reach in all directions is essential in the performance of the job.
  • Some lifting and moving of items up to 25 pounds is required.
  • Work during established business hours and may require occasional weekend and evening work.
  • Travel required.

Nice To Haves

  • A Juris Doctorate is preferred; however, not necessary.

Responsibilities

  • Establish, design, and implement a structured framework for the Privacy Program, ensuring a clear delineation of roles and responsibilities for privacy and information governance-related tasks and fostering cross-functional collaboration by involving relevant cross-functional stakeholders through the RACI model.
  • Develop, implement, and maintain comprehensive privacy policies, procedures, work instructions, and governance structures, ensuring ongoing alignment with best practices and regulatory requirements.
  • Develop and routinely update comprehensive policies and procedures governing privacy and data protection for customers and employees, ensuring these guidelines reflect actual business practices and personal data management.
  • Prepare and review privacy notices, disclosures, and customer communications to ensure clarity, transparency, and compliance with disclosure obligations.
  • Establish and maintain clear, actionable protocols for responding to data breaches, aligning response plans with regulatory requirements and organizational operations.
  • Ensure ongoing compliance with privacy regulations by regularly reviewing and revising documentation to accurately represent day-to-day handling of sensitive information.
  • Drive alignment between the Privacy Program, Operational Risk Management Framework, Information Governance, and IT Control efforts.
  • Build, implement, and integrate a holistic and scalable Privacy Impact Assessment process to systematically evaluate risk and controls for new products, services, emerging technologies (AI, machine learning, and cloud services), or business processes for privacy risks and recommend mitigation strategies.
  • Assist in the assessment and monitoring of third-party service providers to ensure they meet organizational privacy and data protection standards (through tools such as standardized questionnaires, contractual clauses, etc.) and determine the cadence of these efforts.
  • Monitor regulatory changes by staying informed about evolving privacy laws and regulations (such as GLBA, GDPR, CCPA, and other applicable standards) and proactively update policies and practices to maintain compliance, when applicable.
  • Oversee and coordinate the process for responding to individuals' requests to access, correct, delete, or obtain copies of their personal data, ensuring all responses are timely and comply with legal and regulatory requirements.
  • Partner with stakeholders to perform regular cross-functional risk assessments.
  • Design, implement, and maintain a comprehensive privacy monitoring framework that enables continuous oversight of data protection practices, supports the timely identification and escalation of privacy risks, ensures regular and actionable reporting to the Board of Directors, and incorporates robust change management workflows to adapt to evolving regulatory requirements and organizational changes.
  • Design, implement, and continuously refine key privacy-related performance metrics, leveraging dashboards and analytics to enable real-time monitoring and actionable insights.
  • Collaborate with both first and second lines of responsibility to design and execute thorough control testing procedures that validate compliance with privacy requirements, identify gaps in data protection practices, and ensure corrective actions are implemented to address any deficiencies.
  • Mature and enhance the organization's inventory of personally identifiable information (PII), ensuring it is comprehensive, accurate, and aligned with internal data repositories.
  • Prepare and maintain the PII inventory to be compatible with future data-mapping tools and systems, enabling seamless integration and adaptability as organizational technologies evolve.
  • Ensure the organization has clear visibility into the personal data it holds, its storage locations, and maintains the ability to update or integrate this information efficiently with new data management solutions.
  • Oversee and enforce organizational policies and procedures for data retention, secure destruction, and minimization, ensuring that personal and sensitive data is stored only as long as required, disposed of securely when no longer needed, and limited to what is strictly necessary for business purposes.
  • Collaborate actively with Records Management to maintain accurate records and with Legal to ensure all practices are compliant with relevant laws, regulations, and industry standards.
  • Design, implement, and continuously improve an incident management and breach response program.
  • Lead and coordinate the intake, thorough evaluation, escalation, and resolution of privacy incidents, adhering strictly to the organization’s Privacy Incident Notification procedures to ensure prompt and effective action.
  • Collaborate proactively with cybersecurity, legal, risk management, and business unit stakeholders to facilitate rapid containment of incidents, fulfill regulatory reporting requirements, and manage customer notification processes in alignment with applicable laws and organizational policies.
  • Maintain comprehensive and accurate documentation for each incident, systematically capturing key findings and outcomes, and apply lessons learned to drive ongoing improvements to the privacy program and incident response protocols.
  • Design, implement, and continuously improve comprehensive privacy training and awareness programs tailored to the needs of the entire organization as well as to specific roles, ensuring all staff—from frontline employees to leadership—are equipped with up-to-date knowledge of privacy requirements, best practices, and emerging risks.
  • Engage staff through interactive, scenario-based learning and regular refresher modules to cultivate a strong culture of compliance and proactive risk management across all business functions.
  • Proactively support and coordinate regular internal audits and comprehensive assessments of data handling practices to identify potential compliance gaps, risks, and opportunities for improvement, ensuring that corrective actions and best practices are systematically implemented to drive ongoing program excellence.
  • Establish and cultivate strong, collaborative relationships with regulatory authorities, key industry groups, and privacy advocacy organizations to remain informed of regulatory developments, emerging trends, and evolving best practices, positioning the organization to anticipate and adapt to changes in the privacy landscape.
  • Lead the preparation of timely, accurate, and thorough regulatory responses and manage the end-to-end delivery of all regulatory examination materials and documentation related to privacy, ensuring that all submissions meet the highest standards of compliance, transparency, and organizational readiness.
  • Serve on the Association’s Geopolitical Risk Committee and Operational Risk Committee, which are Governance and Risk Committee subcommittees.
  • Oversee and manage Privacy Program risk-related budgets and resources.
  • Perform other duties as assigned by the Executive Head of Compliance, Ethics, and Regulatory Management.

Benefits

  • Commitment to agriculture and the communities we serve
  • Family friendly work environment
  • Investment in employee development
  • Medical, Dental and Vision coverage
  • Outstanding 401k – automatic 3% employer contribution, plus match up to 6%
  • Generous Paid Time Off (Vacation accrued at 26 days annually, Sick Days accrued at 15 days annually, 12 paid holidays, plus 16 hours of volunteer time)
  • Competitive Incentive Compensation Plan
  • Disability & Life Insurance
  • Employee mental, physical, and financial wellness programs
  • The position is bonus eligible based on association and personal performance