Data Privacy Manager
Lendistry · Tustin, CA · 1 mo ago
Engineering$119k–$153k/yrFull-time
About the role
The Data Privacy Manager will lead the administration of the enterprise privacy program across Lendistry’s and affiliated and subsidiary entities. Reporting to the VP, Enterprise Security, this role is the organization's technical data privacy subject matter expert, translating regulatory requirements into concrete technical controls and auditable processes.
Responsibilities
- Lead the administration of the enterprise privacy program across Lendistry’s and affiliated and subsidiary entities.
- Design, implement, and manage solutions to protect personal data, embedding “privacy by design” into the software development lifecycle, product architecture, and AI/ML privacy integration.
- Act as a bridge between Compliance, Legal, and Engineering teams to translate privacy policy and regulatory requirements into actionable requirements such as data minimization, encryption, tokenization, data masking, anonymization, and access controls.
- Maintain and continuously update enterprise data flow diagrams and data inventories to map the lifecycle of personal information from ingestion to deletion.
- Lead and document annual privacy risk assessments, including Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs).
- Manage first-line-of-defense compliance with the technical requirements of applicable US state privacy laws (CCPA/CPRA, GLBA Safeguards Rule, and the growing patchwork of state statutes).
- Support incident response activities related to data privacy, including breach assessment, documentation, and regulatory support, in partnership with the Security and Legal.
- Own the governance, technical, and operational aspects of the enterprise privacy program across Lendistry and all subsidiary entities, working cross-departmentally with Legal, Compliance, and Engineering to set privacy strategy.
- Set the privacy roadmap, including annual program priorities, investment requests, and measurable objectives tied to business and regulatory risk.
- Report regularly to VP, Security and executive leadership on privacy posture, material risks, regulatory developments, incidents, and program maturity.
- Embed privacy by design in the product development lifecycle, reviewing new features, data flows, retention changes, and vendor integrations before they ship.
- Partner with the AI team to set privacy guardrails on Lendistry’s AI systems, including data minimization, PII redaction before inference, model training data governance, and consumer disclosure for automated decisioning.
- Contribute to Lendistry’s responsible AI posture alongside Legal, Compliance, Security, and the AI team, with attention to fair lending, consumer disclosures for AI-driven decisions, and alignment with the NIST AI Risk Management Framework.
- Support third-party risk assessments with a focus on data handling, privacy, and regulatory exposure.
- Review vendor security and privacy documentation (SOC reports, SIGs, DPAs).
- Track controls and remediation items and ensure vendors meet contractual and regulatory obligations.
- Work with Compliance and Training and Development teams to administer privacy training, including role-based training for engineering, credit, servicing, marketing, and customer-facing teams, plus executive-level education.
- Build a privacy-aware culture where data questions prompt conversation rather than workarounds.
- Provide practical guidance that balances compliance, risk reduction, and business velocity.
- Aid in regulator, auditor, and customer due-diligence inquiries.
Qualifications
- 5+ years in privacy, data protection, or a closely adjacent field, with a clear pattern of growing program ownership and regulatory accountability.
- Hands-on experience supporting regulatory and compliance programs, including SOC 2 and GLBA Safeguards Rule, along with familiarity with U.S. state privacy laws (CA, CO, VA, CT, UT, TX, OR, MT, NJ, TN, IA, IN, DE, NE, NH, MD, MN) and global frameworks such as GDPR, PIPEDA, LGPD, or DPDPA.
- Demonstrated ability to perform privacy and security risk assessments — PIAs, DPIAs, and data security risk assessments — with strong documentation and evidence-management practices.
- Deep working knowledge of CCPA/CPRA, including consumer rights, sensitive personal information, service provider vs. third-party distinctions, opt-out signals, and CCPA enforcement expectations.
- Deep working knowledge of GLBA (Privacy Rule and Safeguards Rule) and how GLBA interacts with state privacy laws for financial institutions.
- Understanding of privacy engineering and secure system design, including familiarity with privacy-enhancing technologies such as differential privacy, federated learning, and secure multi-party computation (particularly in AI/ML pipelines).
- Experience developing and maintaining data inventories, data maps, and data flow diagrams to support privacy compliance and regulatory obligations.
- Experience overseeing privacy for AI or automated decisioning systems — data minimization, training data governance, consumer disclosure, and fair lending intersections.
- Strong analytical, organizational, and documentation skills, with the ability to manage multiple compliance initiatives independently and communicate effectively across technical and business stakeholders.