We are seeking a Privacy and Data Protection Lead to serve HEALWELL AI. Inc. and our subsidiary companies. The successful candidate will have a solid understanding of corporate governance principles, risk management strategies, privacy principles and regulations, security controls, and privacy and security compliance frameworks.
Reporting to the COO of HEALWELL AI. Inc., the Data Protection Lead is responsible for handling and coordinating the organization’s Governance, Risk, and Compliance (GRC) programs, privacy policies, and security measures. This role ensures that the organization’s operations adhere to data protection laws, effectively identifies and manages risks, and maintains the confidentiality, integrity, and availability of information.
At HEALWELL AI. Inc., a leader in healthcare AI solutions, the Data Protection Lead will play a crucial role in safeguarding sensitive patient health information (PHI) and ensuring compliance with Canadian federal, provincial, and US state regulations, such as PIPA (BC), HIA (Alberta), PHIPA (Ontario), the Act respecting the protection of personal information in the private sector (Quebec), PIPEDA (Canada), HIPAA and HITECH.
Key Responsibilities:
1. Governance, Risk, and Compliance (GRC):
- Develop, implement, and maintain the GRC framework to ensure alignment with industry standards and regulatory requirements in an immature, still-evolving regulatory landscape for AI used in the enhanced provision of healthcare.
- Conduct risk assessments to identify vulnerabilities, assess potential impacts, and develop risk mitigation strategies.
- Oversee compliance with relevant laws, regulations, and industry standards (e.g., SOC2, ISO 27001).
- Prepare and present GRC reports to senior management and the board, including risk analysis and compliance status updates.
- Coordinate and manage internal and external audits, ensuring that audit findings are addressed and resolved.
2. Privacy Management:
- Develop and implement privacy policies, procedures, and practices to ensure compliance with applicable data protection laws (e.g., PIPEDA, GDPR, CCPA).
- Lead privacy-related projects by implementing privacy frameworks and best practices.
- Collaborate with cross-functional teams and participate in meetings as a subject matter expert, addressing privacy risks and offering mitigation strategies to the business.
- Conduct privacy impact assessments and maintain records of processing activities.
- Respond to data subject access requests, privacy complaints, and other privacy-related inquiries.
- Stay abreast of emerging privacy regulations and AI-specific guidelines, adapting the organization’s privacy policies and procedures accordingly.
- Develop and maintain strong vendor management relationships by conducting various due diligence activities, such as assessing vendor compliance, implementing data protection clauses in contracts, and performing risk assessments.
3. Information Security:
- Develop and enforce security policies and procedures to protect the organization’s information assets.
- Implement and oversee security controls, including access management, data encryption, and network security.
- Conduct regular security assessments and vulnerability scans to identify and address potential threats.
- Manage incident response activities, including investigating security breaches and coordinating remediation efforts.
- Ensure compliance with cybersecurity frameworks and standards (e.g., SOC2, ISO 27001).
- Conduct vendor due diligence activities, such as performing risk assessments.
4. Training and Awareness:
- Design and deliver training programs on privacy and security topics to educate employees on their roles and responsibilities.
- Promote a culture of privacy and security awareness and compliance throughout the organization.
5. Policy and Procedure Development:
- Develop and maintain comprehensive documentation for GRC, privacy, and security policies and procedures.
- Regularly review and update policies to ensure they reflect current practices, regulations, and organizational needs.
6. Collaboration and Communication:
- Work closely with IT, legal, compliance, and other departments to ensure integrated approaches to GRC, privacy, and security.
- Serve as a point of contact for regulatory bodies, auditors, and external stakeholders on privacy and security matters.
Qualifications:
- Bachelor’s degree in Information Security, Computer Science, Law, Business Administration, or a related field; advanced degree or relevant certifications (e.g., CISM, CISA, CIPP) preferred.
- Proven experience in GRC, privacy management, and information security, typically 3+ years.
- Strong knowledge of privacy regulations and frameworks (e.g., GDPR, CCPA) and information security standards (e.g., ISO 27001, NIST).
- Experience with risk management, compliance monitoring, and security incident response.
- Excellent analytical, problem-solving, and organizational skills.
- Strong communication skills with the ability to interact effectively with all levels of the organization.
- Ability to manage multiple priorities and work independently.
- Skilled in project management for privacy and security initiatives and working with cross-functional teams.
HEALWELL AI. Inc. is an equal opportunity employer. All qualified applicants will receive consideration for employment without discrimination on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or any other factors protected by federal or provincial law.