Compliance Manager – Data & Information Privacy

  • Shanghai

ROLE & RESPONSIBILITIES

Business Partnering

  • Provide practical privacy/PIP advisory to Marketing, Medical/Sales, Digital, IT, Procurement, HR, R&D, Operations, and other internal clients; embed governance controls into business processes.
  • Support privacy risk assessments (scenario identification, process mapping, data inventory/mapping, PIA/PIPIA), propose remediation plans, and drive first-line accountability and closure.
  • Establish/optimize local privacy policies, procedures, and operational playbooks; localize global requirements (incident response, cross-border transfers, third-party management, data subject request handling).
  • Share assurance outcomes with area management and ensure timely remediation, including corrective and disciplinary actions where needed.

Policy and Document Review and Management

  • Draft, review, and customize privacy notices, PICS/notification statements, consent language, internal policies, guidelines, and templates.
  • Review and negotiate privacy/data protection contract clauses and Data Processing Agreements (DPA/TDPA), identify risk issues, and propose operationally feasible revisions.
  • Support cross-border data transfer compliance (e.g., CAC security assessments/standard contracts, filing/record-keeping, PIPIA). Prepare due diligence lists, questionnaires, and reports; drive remediation.

Third-Party/Vendor Privacy Compliance

  • Design and execute vendor/third-party privacy due diligence and assessments (e.g., using vendor compliance checklists/questionnaires), identify control gaps, and drive corrective actions.
  • Partner with Procurement, InfoSec, and IT to ensure administrative, physical, and technical safeguards are implemented for third parties.

Privacy by Design for Projects and Products

  • Participate in digital/IT/marketing project reviews; provide privacy and security by design guidance to ensure legal, contractual, and internal control requirements are built in from inception.
  • Assist with negotiation of privacy and security provisions in contracts/agreements, balancing business objectives and compliance risk.

Training and Communication

  • Conduct role- and scenario-based training needs analysis; develop and deliver privacy training (PPT decks, e-learning, micro-learning) via face-to-face or virtual sessions.
  • Innovate training and communication channels (mobile/app prompts, system banners) to improve reach and effectiveness; issue periodic best-practice reminders.

Monitoring, Auditing, and Continuous Improvement

  • Perform periodic/thematic privacy compliance checks and internal audits; monitor KPIs/KCIs; conduct root-cause analysis and track corrective and preventive actions (CAPA).
  • Maintain privacy compliance registers (incidents, assessments, vendor reviews, cross-border filings, data subject requests) and report trends and plans to management.

Incident Response and Regulatory Engagement

  • Support identification, classification, handling, and notification of personal information security incidents; participate in cross-functional drills and post-incident improvements.
  • Track and analyze new laws, regulations, national standards, and regulatory guidance; develop impact assessments and recommendations; support interactions with regulators/industry bodies when needed.

Other ad-hoc data privacy tasks as assigned from time to time


REQUIREMENTS

Education

  • Bachelor’s degree or above in Law, Information Security/Computer Science, Compliance, or related fields; PRC legal professional qualification (A certificate) or bar membership is a plus.
  • Top-tier university background and student leadership experience are plus factors; top 20% academic performance preferred.

Experience

  • 4–8 years in data privacy/PIP/compliance/legal roles; experience in Big Four, leading law firms, MNCs, or healthcare industry preferred.
  • Hands-on experience in drafting/negotiating privacy policies and contract clauses, reviewing DPAs, vendor privacy due diligence, cross-border compliance (CAC/security assessments/standard contracts), PIPIA/PIA execution, audit/assurance and remediation closure.
  • Proven project management and cross-functional delivery experience in a matrix organization.

Skills and Competencies

  • Deep knowledge of Mainland China and Hong Kong privacy/data protection laws and regulatory frameworks (PIPL, CSL, DSL, implementing measures, national standards, PCPD guidance); familiarity with EU/US privacy frameworks is a plus.
  • Familiar with privacy governance elements: strategy and policies, data mapping and lifecycle management, third-party management, data subject rights, cross-border transfer controls, incident response, training and audit.
  • Strong structured thinking, analytical and problem-solving skills; ability to rapidly identify risks and propose actionable solutions.
  • Excellent communication, influence, and collaboration skills across levels and functions; ability to manage multiple priorities under pressure.
  • Fluent bilingual capability in Chinese and English (written and verbal); able to produce high-quality bilingual policy and contract documents.
  • Proficiency in MS Word, Excel, and PowerPoint; familiarity with compliance/training tools and collaboration platforms preferred; knowledge of ISO/IEC 27701/27001 practices and CIPP certification are pluses.

Values and Professional Traits

  • Strong ethical mindset and compliance orientation; proactive, results-driven; committed to first-line ownership and a culture of integrity.
  • Passion for advancing organizational ethics and continuous learning of emerging regulations and best practices.