Tuesday, October 28, 2025
TMGM Consulting LLC

GDPR Compliance Analyst (4+ Years)

Posted: 16 hours ago

Job Description

Data Protection & Compliance Specialist (GDPR / PCI DSS)

Location: Hybrid / Remote • Level: Mid-level (4–6 years)

About the Role

We’re hiring a Data Protection & Compliance Specialist to lead our GDPR program end-to-end and maintain strong PCI DSS v4.0 alignment across our cardholder data environment. You’ll be the connective tissue between Legal, Security, Product, and Engineering—turning regulatory requirements into practical, testable controls in cloud and hybrid infrastructures.

Key Responsibilities (GDPR-First)

GDPR & Privacy Operations

  • Own GDPR lifecycle: data mapping/records of processing (RoPA), lawful basis, purpose limitation, minimization, retention, and secure disposal.
  • Lead DPIAs/TIAs, privacy by design reviews, and cross-border transfer governance (SCCs/UK IDTA).
  • Manage data subject rights (DSRs): intake, verification, fulfillment within SLAs; coordinate with Legal and Engineering.
  • Drive vendor/privacy governance: DPAs, Article 28 oversight, privacy/security clauses, ongoing assurance.
  • Run privacy incident readiness: breach assessment, notification decisioning, tabletop exercises, and evidence capture.

Continuous Compliance (Privacy & Security)

  • Maintain policy/procedure libraries, training content, exceptions, and targeted risk analyses in the GRC platform.
  • Operate continuous control monitoring: access reviews, strong auth/MFA, logging/alerting, change control, and evidence collection.
  • Report KPIs, risks, and remediation progress to leadership; track findings to closure.

PCI DSS v4.0 (Secondary but Required)

  • Support PCI scope, data-flow mapping, asset inventory, and segmentation validation for the CDE.
  • Coordinate assessments (ROC/AOC/SAQ), quarterly ASV scans, internal vuln scans, and pen tests.
  • Advise on secure payment architectures (tokenization, encryption/HSM, P2PE as applicable) and partner with Infra/AppSec/Dev on patch/vuln SLAs.

Required Qualifications

  • 4–6 years in data protection/privacy and/or security governance, with hands-on GDPR implementation (DPIAs, RoPA, DSRs, transfers).
  • Experience collaborating with Legal, Product, and Engineering to embed privacy by design in real systems.
  • Practical knowledge of cloud controls (AWS/Azure/GCP) and on-prem: identity/access, logging/SIEM, vuln mgmt, change mgmt.
  • Exposure to PCI DSS v4.0 assessments and evidence management (ROC/AOC/SAQ) with QSA/ASV partners.
  • Strong documentation, communication, and stakeholder management skills.

Nice to Have

  • Certifications: CIPM / CIPP-E / CIPT, PCIP, CISSP, CISM, CISA, CCSK/CCSP.
  • Tools: OneTrust/Archer (or similar GRC), Jira/Confluence, Splunk/Elastic, Qualys/Tenable; basic IaC familiarity (e.g., Terraform) a plus.
  • Familiarity with ISO 27001, SOC 2, PCI SSF/3DS, NIST privacy/security frameworks.

Success Metrics (GDPR-Led)

  • DSR SLA: ≥98% on-time closure; zero critical privacy incidents without documented response.
  • RoPA & DPIA Coverage: 100% of in-scope processing activities recorded; ≥95% DPIAs completed where required.
  • Training & Awareness: 100% completion for in-scope teams; targeted refreshers for high-risk roles.
  • Vendor Governance: 100% DPAs/SCCs in place for processors & transfers; periodic assurance completed on schedule.
  • PCI Support: On-time AOC/SAQ with no critical gaps; ≥95% ASV pass rate; ≥90% patch SLA adherence for in-scope assets.

What We Offer

  • Competitive compensation & benefits
  • Certification support and professional development budget
  • Flexible work arrangements
  • A privacy-first culture where security and compliance are built in—not bolted on

Ready to drive a privacy-first program while keeping our payment environment clean and audit-ready? Apply now.
