Privacy Officer

Eye Care Partners, Ballwin, MO 63022

Posted 3 weeks ago

PRIVACY OFFICER (Director Level)

Position Description

The Privacy Officer will report to our Chief Compliance Officer and will be an integral part of a cross-functional team that works to ensure our business's compliance with applicable US data privacy laws and regulations. The position supports an increasing demand for both legal and operational advice and guidance regarding privacy and security matters. The Privacy Officer will deliver pragmatic solutions for privacy compliance in day-to-day operations and will advise the product development team on privacy regulations and standards. This role will work closely with other departments within the company to advise on a wide range of privacy and security issues implicated in the delivery of patient care by our network of eyecare providers. The Privacy Officer will regularly lead Privacy Risk Assessments and manage the yearly Privacy Work Plan.

PRIMARY DUTIES & RESPONSIBILITIES:

Privacy Program Development, Direction and Operation

  • Directs, develops, guides and continuously improves an effective privacy compliance program to meet regulatory, legal and company privacy obligations.

  • Develops, maintains and executes on the Privacy Work Plan to mature our privacy program.

  • Oversees processes for reviewing and responding to individuals' data-related requests.

  • Partners with Cyber Security and Information Technology to establish metrics measuring effectiveness of compliance initiatives and controls; tracks and reports on compliance issues to senior leadership.

  • Develops and maintains practical incident response playbooks and manages the Company's response to any privacy/security incidents in conjunction with the Cyber Security team.

  • Directs the Company's response to customer complaints about privacy, and investigates and prepares responses to any privacy/security incidents.

  • Consults with external resources to assess, measure, and manage risk.

  • Supervises, guides, and/or works closely with Compliance, Privacy and Legal team members.

  • Proactively supports new and evolving business models, technologies and growth strategies, including development of new products.

  • Establishes strong working relationships with key leaders in the business, and plays a lead role in raising awareness of privacy issues and communicating the strategic priorities for personal data protection.

  • Advises the Chief Compliance Officer and other members of the Leadership Team of external industry developments, recommends potential responses, policy changes, and solutions.

  • Advises on privacy incidents and helps determine the strategy for communicating with individuals whose data is involved and/or interacts with data protection and/or enforcement authorities, as appropriate.

  • Develops standard procedures to ensure data privacy compliance requirements are addressed throughout information lifecycles.

  • Interacts with business partners, healthcare organizations, health insurers, and service providers regarding data privacy and data protection related matters.

Laws and Regulations - Compliance

  • Maintains awareness of emerging laws, regulations, enforcement activity, and trends and developments in industry best practices related to data privacy in the US.

  • Communicates legal and regulatory privacy requirements to business partners.

  • Creates and delivers regular communications and trainings to key functional areas in order to ensure awareness of U.S. federal and U.S. state data protection and privacy requirements, as well as internal processes and practices.

  • Develops deep understanding of company processes and partners with members of legal, information technology, cyber security, commercial and HR to identify and mitigate privacy compliance risks.

  • Maintains the confidentiality of Legal Department communications and documentation.

  • Ensures work is performed in compliance with company policies including Privacy/HIPAA and other regulatory, legal, and safety requirements.

  • Other responsibilities as assigned.

REQUIRED QUALIFICATIONS:

1. Knowledge, skills & abilities:

  • In-depth knowledge of data protection and privacy laws, including HIPAA, CCPA (and other similar state laws), domestic laws, and additional regionally applicable laws and regulations.

  • Knowledge of, and working experience with, appropriate responses to privacy breach events, including interactions with relevant federal and state authorities.

  • Demonstrated privacy, compliance or other form of operational experience translating legal and regulatory requirements into a comprehensive privacy program that utilizes practical processes and practices for global systems, services and operations; demonstrated experience leading and maturing such a program.

  • Experience advising clients with heavy direct-to-consumer contact through multiple channels of communication (phone, email, text, web).

  • Ability to identify privacy compliance issues and resolve them through both internal and external research.

  • Functions independently and delivers results with minimum supervision.

  • High level of integrity supported by sound judgment and ethics.

  • Effective verbal and written communication and presentation styles to interact with diverse audiences, including outside attorneys, senior management and business associates.

  • Technical understanding of IT infrastructure, web-based software and mobile apps, and ability to work with IT, cyber security, and engineering teams in applying privacy-by-design principles.

  • Understanding of business and privacy sensitivities of healthcare organizations.

  • Ability to handle complex matters, across multiple simultaneous initiatives that require discretion, confidentiality and prioritization.

  • Demonstrated experience in a leadership-level (Director or above) privacy position, at a large health care company.

  • Strong, direct people management experience.

  • Strong focus on business partnering and solution development, and the ability to operate effectively in a matrix structure, is required.

2. Minimum required educational/experience level:

  • Bachelor's degree (B.A/B.S.) in related field or combination of equivalent education and applicable work experience.
  • A minimum of 10 years of privacy and/or compliance experience, with a minimum of 5 of those years involving the practical privacy compliance aspects related to personal health information (e.g., conducting privacy assessments, drafting privacy notices and/or external privacy collateral, advising on privacy-by-design, developing internal policies and procedures, etc.) in the US.

  • Demonstrated leadership in Privacy compliance.

  • Experience creating and implementing a privacy compliance program.

  • Experience in the MedTech, Life Sciences and/or Healthcare industries.

  • A proven track record of success in an environment that demands balancing complex legal, regulatory and public policy issues against structural and operational realities is required.

3. Preferred:

  • Certified in Healthcare Privacy Compliance (CHPC) certification strongly preferred

  • Security, privacy or audit certifications, such as CISSP, CIPP, CISA or CISM

  • Experience working for a HIPAA Covered Entity
