Corporate Privacy Counsel
- Rolling Meadows, IL
- Permanent
- Full-time
OverviewAs Corporate Privacy Counsel, you will play a crucial role in ensuring the protection and privacy of data within Gallagher Global Brokerage (“GGB”), focusing primarily on the U.S. business segment.You will be responsible for developing and implementing data protection strategies, polices, standards, procedures, and training materials to both gain efficiencies in our privacy practices and to ensure compliance with relevant privacy laws and regulations across GGB, with a particular focus on the US. As the need arises, the Privacy Counsel will also occasionally support other business units under the GGB umbrella to include non-U.S. operations (Caribbean, Canada, etc.).You will collaborate with the Global Privacy Office (“GPO”), local privacy, security, IT, AI, Legal and compliance teams, senior business stakeholders and third parties to ensure the delivery of Gallagher's data privacy strategy within the established risk appetite. This involves adhering to company and regulatory requirements while meeting the needs of customers, regulators, colleagues and stakeholders.You will provide advice and support to the business to identify, articulate and guide them in the implementation and management of their privacy risks in support of their business strategies.You will monitor compliance with data privacy, AI and cybersecurity laws, as well as internal policies and procedures.You are comfortable working fully onsite, remote (U.S.), or in a hybrid office arrangement.
How you'll make an impact
- Data Protection Strategy: Collaborate with the GPO, GGB Division Privacy and IT Leads, the GGB-US General Counsel and local GGB business leaders to develop and execute a comprehensive data protection strategy for GGB that aligns with business objectives and regulatory requirements. Assist the Global Chief Privacy Officer to implement the Global Data Privacy Framework (Tier 1) within GGB and develop and implement any required GGB local Data Privacy Frameworks (Tier 2) to minimize privacy risks and drive risk reduction initiatives.
- Policy Development: Create and maintain data protection policies, standards, guidelines and playbooks that reflect best practices and ensure compliance with applicable laws and regulations.
- Risk Management: Identify and assess privacy risks (including conducting privacy risk assessments and data transfer impact assessments) across jurisdictions and provide guidance to business units on risk mitigation strategies; Complete and maintain GGB Privacy Risk Registers, with specific focus on inherent and residual risk.
- Privacy Advice and Support: Provide expert advice and guidance to GGB, the GPO and other stakeholders on privacy-related matters, including data sharing, international transfers of personal data, consent management, data subject rights, data incidents, vendor risk management, due diligence and integration relating to merger and acquisition activities, responses to client privacy queries, data minimization, privacy complaints, determinations of requirements to have a Data Protection Officer (or equivalent) in an entity, data analytics and artificial intelligence. Handle internal and third-party requests for access to GGB data. Act as GGB’s HIPAA Privacy Officer, as legally required.
- Training and Awareness: Develop and deliver privacy training programs (Including HIPAA) to raise awareness and ensure understanding of data protection obligations among employees, including high risk users.
- Privacy Impact Assessments and Data Transfer Impact Assessments: Conduct assessments for new projects, systems, and processes to identify and address potential privacy risks, and for data transfers where required by law.
- Incident Response: Lead and coordinate the containment and response to data privacy incidents, including conducting investigations, implementing corrective actions, responding to client, carrier and data subject queries, and reporting to relevant authorities, companies and involved data subjects.
- Supplier Risk: Assess privacy risks in relation to GGB’s supply chain, working closely with colleagues in security, IT, the GPO, legal and procurement.
- Contractual Risk: Provide review and negotiation of privacy-related contractual terms with individuals, vendors, clients and insurance markets.
- Compliance Monitoring: Monitor and report on compliance with data protection, HIPAA and AI laws, regulations, and internal policies, and implement controls to ensure ongoing adherence.
- Records Retention: Advise business units on privacy requirements and best practices related to records retention and de-identification/destruction and work closely with IT and business units to implement new retention and de-identification/destruction guidelines and capabilities.
- Stakeholder Engagement: Collaborate and build effective working relationships with internal and external stakeholders, including the GPO, Legal, Security, Insurance, IT, AI, Data, HR, Marketing, Digital and third-party vendors, to ensure alignment and cooperation in data privacy initiatives.
- Industry Knowledge: Stay up-to-date with emerging trends, technologies, and legal and regulatory developments in the field of data protection, privacy, AI and cybersecurity.
- 3+ years practicing attorney in the privacy space
- Experience as an attorney practicing in a law firm
- Experience in carrying out privacy gap analysis, creation and implementation of remediation plans as well as designing and implementing privacy projects
- CIPP/US, CIPM, HCISPP, CISSP, or similar certifications
- Previous insurance industry experience
- An accomplished communicator with the ability and confidence to present issues and influence decisions at all levels within an organization with excellent analytical, interpersonal and stakeholder management skills
- Detailed; problem solver; outcome focused; multi tasker; and collaborative team player
- Ability to identify, articulate, guide and assist stakeholders in the management of their privacy risks and obligations to desired outcomes through stakeholder engagement
- Experience of working closely with Legal, Compliance, Information Security, HR, Data, Digital, Privacy, Marketing and Operations
- Practical privacy operations experience, for example, privacy risk impact assessments, handling complex data privacy incidents and privacy skills transfer
- Ability to travel as required (though not presently contemplated)
- Medical/dental/vision plans, which start from day one!
- Life and accident insurance
- 401(K) and Roth options
- Tax-advantaged accounts (HSA, FSA)
- Educational expense reimbursement
- Paid parental leave
- Digital mental health services (Talkspace)
- Flexible work hours (availability varies by office and job function)
- Training programs
- Gallagher Thrive program – elevating your health through challenges, workshops and digital fitness programs for your overall wellbeing
- Charitable matching gift program
- And more...