The Office of Audit, Risk and Compliance (OARC) is a dynamic group of aligned professionals offering a suite of services that support comprehensive assurance programs for Duke University through internal audit, risk management and compliance services. This includes: strategic risk assessment; conducting operational performance audits, compliance program assurance reviews, and financial risk and control assessment; providing process and control environment consultation; and proactively engaging clients and institutional leadership in emerging issues and risks management planning.
The Manager, Information Privacy will assist the IT Risk Officer to minimize the university’s privacy risk exposure through a scalable, risk-based, university-wide privacy program that proactively addresses risks in alignment with the institution’s risk appetite.
Work performed by the Manager, Information Privacy includes:
- Build and maintain the university privacy framework; develop repeatable processes to identify and document covered framework activities and develop and deploy a risk-based, scaled-to-maturity plan for remaining framework activities in alignment with the institution’s risk appetite; manage the Duke University privacy program to address in-scope activities; monitor and assess the evolving privacy landscape, and adjust the program plan as appropriate
- Conduct risk-based privacy impact assessments of business processing activities to inform overall information risk management and promote privacy program maturity; identify and conduct privacy impact assessments when processing activities indicate higher risk to in-scope privacy-related interests and to address areas of emerging risks
- Lead advisory engagements including, but not limited to, business process documentation and assessment in support of information risk assessments and other collaborative information inventorying initiatives; revise and implement privacy policies, standards, procedures and guidelines with campus partners and impacted Stakeholders.
- Work collaboratively to develop strong working relationships with key business stakeholders within the institution and functional stakeholders in compliance, internal audit, records management, general counsel, and information security to support privacy compliance.
- Maintain a working knowledge of all privacy and related policies across the institution and work with policy owners on needed modifications to help ensure codification of institutional standards and practices.
- Remain current with generally-accepted interpretation of and enforcement landscape for all state, federal, and global privacy laws and regulations and emerging issues in the privacy and information risk space, monitor enforcement actions and translate trends into actionable recommendations for institutional consideration.
- Serve as a privacy and data protection subject matter resource; provide guidance to internal clients, internal audits and compliance reviews and to campus partners, as requested and as applicable to issues related to privacy and data protection regulatory compliance.
- Perform other related duties and manage other projects incidental to the work described herein.
- Preference for a bachelor’s degree or equivalent experience plus at least 5 years of work experience in privacy, higher education compliance, information asset management or another directly related field. Master’s degree in a related field or JD desired.
- Knowledge of privacy and data protection laws, regulations and standards in scope for higher education, including but not limited to HIPAA, FERPA, GDPR, FISMA, NIST 800-171, GLBA
- Experience in a privacy or information-related compliance role, or another compliance role, preferably in higher education or a non-profit environment
- Understanding of privacy and information security policies and operations
- Experience in project management
- Interpersonal and leadership skills
- Demonstrated communication, management, negotiation, decision-making and collaboration skills
- Proficiency in Microsoft Office suite applications with specific emphasis on Word, Excel and PowerPoint. Secondary emphasis on Project and Visio.
- Privacy program management
- Conducting privacy impact assessments (PIA) or privacy risk assessments (PRA) and providing privacy guidance
- Project management skills and experience sufficient to successfully complete long and short term projects
- Written and verbal communications skills sufficient to professionally address a wide and varied audience both internally and externally
- Client relationship management
- Preparing oral and written reports