Data Privacy

Want to Build and Run an effective data-privacy program for a large MNC from scratch and across multiple jurisdictions? Then this role is for youRole Name: Data Privacy & Compliance Counsel Function :Legal, Privacy & Compliance Experience : 5–10 years (core data protection / privacy, preferably with health-tech or consumer tech exposure) Location:RemoteAbout the Role Ultrahuman (~$500M, exports to 140 countries, wearables powerhouse brand) is seeking an experienced Data Privacy & Compliance Counsel to lead global data-protection strategy and serve as our Group Data Protection Officer for non-EU entities, working in close coordination with our existing EU DPO / local representatives. This is a high-impact role at the intersection of health data, product innovation, and fast-evolving regulation. You will be responsible for building and running Ultrahuman’s privacy program across jurisdictions (including GDPR, India’s DPDP Act, HIPAA and other key regimes), ensuring lawful, secure, and ethical use of sensitive health and behavioural data. You will partner closely with product, engineering, data, security, and operations teams to embed privacy by design across our stack.Key Responsibilities Privacy Strategy & Governance ·Design, implement, and maintain Ultrahuman’s global data-protection and privacy governance framework. ·Translate laws such as GDPR, DPDP, HIPAA, CCPA/CPRA and other regional rules into clear internal standards, playbooks, and SOPs. ·Maintain and update internal privacy policies, governance charters, and RACI for privacy responsibilities across teams. DPO Responsibilities & Regulatory Interface ·Serve as Data Protection Officer for relevant entities (outside the EU) and coordinate with EU DPO/local representatives where appointed. ·Act as the primary point of contact for data-protection authorities and manage regulatory queries, notices, and inspections. ·Oversee DPIAs/DSRIAs, legitimate interest assessments, and high-risk processing reviews, ensuring appropriate mitigations are implemented. Product, Data & Engineering Advisory ·Advise product, engineering, data science, and marketing teams on privacy-by-design and privacy-by-default. ·Review new features, data flows, and experiments involving health, biometric, geolocation, or behavioural data. ·Help structure data-minimisation, retention, and pseudonymisation/anonymisation strategies aligned with product needs. Documentation, Mapping & Contracts ·Lead and maintain RoPAs (records of processing activities), data-flow maps, and data inventories across products and systems. ·Draft and negotiate privacy-related clauses in commercial contracts, DPAs, SCCs, data-transfer addenda, and vendor security schedules. ·Align privacy documentation with information-security frameworks (e.g., ISO 27001, SOC 2) in collaboration with security teams. Incident Response & Risk Management ·Own the legal/privacy track of security-incident and data-breach response (assessment, notification decisioning, regulator/user communications). ·Develop and run tabletop exercises and playbooks for potential breach scenarios involving sensitive health data. ·Monitor emerging laws, enforcement trends, and guidance; proactively update Ultrahuman’s risk posture and controls. Training, Culture & Internal Enablement ·Design and deliver privacy training and awareness programs tailored to engineering, product, CX, growth, and leadership teams. ·Create practical checklists, FAQs, and templates that enable teams to self-serve on common privacy questions within safe guardrails. ·Support investor, board, and customer-facing narratives on Ultrahuman’s privacy posture and compliance maturity.Requirements ·Law degree and bar registration; additional certification in data protection (e.g., CIPP/E, CIPP/US, CIPM) preferred. ·5–10 years of post-qualification experience with strong focus on data protection / privacy; in-house experience in technology, health-tech, fintech, or consumer platforms preferred. ·Deep working knowledge of GDPR, India DPDP Act, and at least one of HIPAA / CCPA/CPRA or similar comprehensive privacy regime. ·Prior experience acting as DPO, privacy officer, or lead privacy counsel, including regulator engagement and DPIA/impact-assessment workflows. ·Comfort working with products that process sensitive health, biometric, and behavioural data at scale. ·Strong ability to read and map data flows, understand technical architectures at a practical level, and collaborate with engineering and security. ·Excellent drafting, communication, and documentation skills; able to convert complex rules into clear guidance. ·High ownership, bias for structure, and ability to operate independently in a fast-moving, globally distributed environment.Bonus Skills ·Experience with medical-device / SaMD, wellness wearables, or digital health platforms. ·Familiarity with information-security standards (ISO 27001, SOC 2) and their interface with privacy controls. ·Hands-on work with cross-border data transfers, SCCs, Schrems II-style assessments, and vendor-risk programs. ·Prior work with startups or high-growth tech companies, especially in multi-jurisdiction environments (US, EU, India, Middle East).