Director of Legal and Privacy (JD Required)
Job Description:
About BankFund:
BankFund Credit Union is a full-service financial cooperative that was organized and chartered in 1947 as a convenient place for employees of the World Bank Group and International Monetary Fund and their families to save and to obtain credit. Located in Washington, DC, BankFund maintains three full-service branches downtown with our headquarters located near Farragut West metro station. This position is classified as a hybrid role which means that on-site work will be expected. After completion of training for the role, staff generally work on site 40% of the time but this is subject to change based on health and safety standards and operational need.
Summary
Experienced third-party (i.e., vendor) commercial contracts and privacy professional to meet Credit Union obligations under contract law and under privacy and data protection rules, including but not limited to the Gramm-Leach-Bliley Act (GLBA), NCUA Rules and Regulations, the California Consumer Privacy Act (CCPA), and the European Union (EU) General Data Protection Regulation (GDPR). The Director, Legal & Privacy will build and manage the Credit Union Commercial Contracts & Privacy and Data Security program; develop contract guardrails for legal terms negotiation; draft, revise and review standard commercial contract agreements (NDA, MSA, DPA, SOW, etc.); participate in contract negotiations and liaise with external counsel; revise internal policies; describe contract and privacy requirements for business partners and service providers; train the business on these legal guidelines; and monitor practices to ensure the business and its functions comply with the applicable requirements and achieve best practices.
The Director, Legal & Privacy will be responsible for implementing and maintaining organizational contracting legal guardrails, privacy risk assessments and data protection impact assessments; identifying and suggesting prioritization of responses to contract, privacy and data risks; ensuring appropriate staff and organizational training; and performing compliance testing/audits related to data privacy and the privacy program. The Director, Legal & Privacy will work closely with business stakeholders, including the Information Technology, Data Analytics, and Marketing teams, to control risk from procedural or technology changes that affect vendor contracts, privacy and data security.
Responsibilities
Leadership
- Supervise the Data and Information Security Compliance Officer (DISCO) and the Privacy Analyst. These leadership functions include (but are not limited to) staffing, performance appraisals, training, one on one coaching, team meetings, rewards and recognition programs, employee retention and engagement, career path/promotions, performance improvement plans, salary recommendations, and terminations.
- Supports all management decisions and fulfills responsibilities in a professional manner while acting as a role model for team members.
- Supervises staff in achieving their individual and team metric goals and sets an example in needs-based sales for other staff members to follow.
- Directs the activities of the Credit Union Privacy and Data Security team by providing leadership, guidance, and expertise to staff. Manages staff and ensures the timely and accurate oversight of work processed. Promotes independence and autonomy in direct reports to enhance the delivery of superior service to the membership.
- Conducts performance evaluations of direct reports and provides regular coaching and career development both formally and informally. Interviews new applicants and makes recommendations regarding all aspects of employee relations.
- Promote diversity, inclusion and belonging to best meet the needs of the individual and the organization.
- Fosters a safe environment for employees to receive and give feedback.
Monitoring & Policy Development
- Actively monitor changes in law and issue recommendations to ensure compliance;
- Review and draft proposed changes to Credit Union policies and procedures to ensure ongoing compliance with applicable laws, rules and regulations and provide recommendations for necessary changes, including recommending alternative approaches consistent with guidance requirements;
- Develop, implement, and ensure maintenance of all relevant policies, including any regional-specific descriptions concerning consumers’ privacy rights; data subject requests, consumer and employee resources and contacts;
- Develop, implement, and ensure maintenance of a training program and awareness campaigns for employees; recommend specialized curriculum for roles with potentially higher impact on privacy and data security such as application developers, marketing staff, and handlers of employee information;
- Perform compliance testing/audits to monitor for adherence to policy and determine whether policy, procedures, processes and controls comply with regulations; issue reports detailing findings and recommendations;
- Provide briefings to the Executive Team, Management Committees, and the Board of Directors regarding the effectiveness of data and privacy processes and controls; liaise and communicate effectively with external entities, such as supervisory and regulatory authorities, on relevant occasions.
Technical
- Develop and maintain commercial contract guardrails for legal terms negotiation and draft, revise and review standard commercial contract agreements (NDA, MSA, DPA, SOW etc.)
- Coordinate with external counsel on specific contracts and on training the business, and manage processes to preserve attorney-client privilege.
- Support the update of vendor contract templates (NDA, standard MSA clauses etc.), participate in, and develop training on the use of such templates, and update templates to reflect changes in third party risk regulatory requirements and best practices.
- Review third party contracts and help the business with negotiations and understanding contracts. This includes advising the business on data privacy legal requirements in third party vendor contracts, including negotiating and advising on federal, state, and international requirements for third party engagements and best practices.
- Prioritize contracts into risk categories for evaluation based on these new legal guardrails.
- Implement and maintain Data Protection and Privacy Impact Assessments;
- Determine the Credit Union’s specific contract & privacy-related requirements and potential vulnerabilities;
- Collaborate with business stakeholders on business processes and project initiatives, including change management, to ensure timely attention for contract & privacy practices;
- Conduct regular privacy policy & contract guardrail compliance assessments to ensure that they are being adhered to.
- Implement and maintain Personal Data and Usage Inventory.
- Support the creation of an inventory that documents the Credit Union's collection, sharing, and use of personal data, including all personal data stores and processing activities;
- Continuously update and re-evaluate the extent to which consumer and employee information is collected and shared internally and externally;
- Monitor the data request and usage processes, ensure processes are in place to support responses to all queries from data subjects within legal timeframes;
- Monitor purpose-based authorized use of data and control effectiveness against unauthorized use;
- Ensure adherence to retention program to facilitate deletion or anonymization of personal data that is no longer needed for identified purpose(s), and in accordance with applicable requirements.
- Participate in meetings with managers across the organization and the project management office to ensure privacy by design at all levels and serve as the internal advisor to the CRO and CIO to interpret privacy-policy-related questions;
- Ensure that data security practices, in particular, logging, monitoring and auditing practices, do not conflict with privacy requirements;
- Work closely with the technology service teams to anticipate potential privacy problems embedded in the use of emerging technologies;
- Liaise with IT Cybersecurity and/or organizational Incident Management Team in matters relating to data breaches (including preparedness, prevention, impact mitigation and integral management of breaches);
- Work to integrate controls within specific CRM, IT, HR systems, products, processes, as appropriate;
- Liaise with other organizations that store or process data on behalf of the Credit Union, or have the potential to store or process data on behalf of the Credit Union, to ensure continued compliance with contract law and privacy and data protection rules.
Operational
- Verify that all organizational and regulatory policies and procedures have been documented, implemented, and communicated;
- Keep abreast of pending industry changes, trends, and best practices and assess the potential impact of these changes on organizational processes;
- Successfully participate in annual Information Security refresher training. Comply with the Information Security Policy, including the immediate reporting of unusual or suspicious activity to management and the Information Security Officer. Follow all procedures to protect company computers from viruses, and to maintain the security and confidentiality of Credit Union data;
- Participate in annual Bank Secrecy Act (BSA) and Office of Foreign Assets Control (OFAC) training and demonstrate knowledge and understanding of the BSA and OFAC, including the immediate reporting of unusual or suspicious activity to the Risk Management Department. Undertake additional training specific to daily responsibilities and as required to ensure continued compliance with all applicable regulations;
- Ensure the Credit Union’s safe harbor protections as allowed by the BSA. Understand that if confronted with knowledge of existence of a Suspicious Activity Report (SAR), an obligation exists to preserve the confidentiality of that SAR, as well as any information that may reveal the existence of a SAR. Maintain awareness of, and immediately report to the Compliance Officer, any unauthorized disclosure of a SAR, or unauthorized disclosure of information related to a SAR. Understand that failure to do so is a violation of federal law and may lead to both civil and criminal penalties for SAR disclosure violations;
- Demonstrate commitment to the Credit Union’s Service PACT philosophy;
- Perform other work-related duties as assigned.
Requirements
Minimum Qualifications or Knowledge, Skills, and Abilities Required
- Doctoral degree in related field or an equivalent combination of education and experience
- At least 10 years of compliance or risk management experience in financial institutions required
Skills Required
- Experience with commercial contracts (NDA, MSA, SOW, etc.)
- Experience with commercial contracts negotiation
- Strong knowledge of EU data privacy and national data protection regulation, and a good understanding of other major privacy frameworks and evolving legislation worldwide
- Experience in data protection, regulatory and legal compliance
- Work experience in data protection and legal compliance is a plus
- Familiarity with computer security systems
- Ability to handle confidential information
- Ethical, with the ability to remain impartial and report all non-compliances
- Knowledge of data processing operations in the company’s sector
- Excellent verbal and written communications skills
- Knowledge of the credit union industry, products and services
- Strong leadership, diplomatic and motivational skills including the ability to lead up, across and down multiple departments within the organization
- Proven ability to work creatively and analytically in a problem-solving environment demonstrating teamwork, innovation and excellence
- Build and maintain relationships by engaging business leaders to establish credibility, solve problems, build consensus and achieve objectives
- Self-motivated, decisive and flexible with proven ability to conform to shifting priorities, demands and timelines through analytical and problem-solving capabilities
- Technically competent with various software programs, including but not limited to Microsoft Office and project management software
- Demonstrate decisiveness in resolving business problems, making decisions and identifying priorities
- Interpersonal skills to influence and spur change, facilitate and enhance performance within a cross-functional environment
- Experience in successfully leading projects and programs to on-time, on-schedule and within budget close
- Experience leading, motivating and managing various project and program team sizes, including internal and external resources, while holding team accountable for performance
- Tableau experience, preferred
For internal purposes, this position is graded as Exec-16.
The anticipated annualized base salary range for this position is $150,000 to $200,000. Final base salary for this role will be based on the individual's job-related experience, skillset, training, certifications and market demands. The benefits available for this full-time position include but are not limited to: medical, dental, and vision insurance, 401(k) plan, life insurance coverage, disability benefits, tuition assistance program and paid time off, including paid parental leave benefits. In addition to base salary, this position is eligible for an annual incentive plan.