About the JobBrightly is seeking an experienced Director of Data Privacy & Governance to run the day-to-day privacy and data governance program across the enterprise. This role will work closely with Product Management, Technology, Sales, Legal, and the CISO to turn privacy requirements into practical processes, controls, and operating routines. While the CISO owns data security, this position is accountable for ensuring personal data is handled lawfully, consistently, and in line with global regulatory requirements across Brightly's products and internal operations.
This is an execution-focused leadership role. You will manage the core operating mechanisms of the privacy program, including the RoPA, Privacy Requirements Checklist, DPIA process, DSR workflow, reporting cadence, and cross-functional action tracking. The role requires close partnership with product, engineering, legal, commercial, and security teams to embed privacy into everyday decisions, improve audit readiness, and increase the speed and consistency of privacy reviews.
This U.S.-based role is ideally located in Raleigh, NC; however, we encourage applications from qualified remote candidates across the Eastern U.S.
Qualified Applicants must be legally authorized for employment in the United States and will not require employer sponsored work authorization now or in the future for employment in the United States.
What you will doPrivacy Strategy & Program Leadership- Set and execute Brightly's privacy and governance strategy in alignment with product priorities and Siemens objectives.
- Build, operate, and continuously improve a global privacy program across Brightly's regions.
- Partner with Siemens DPOs and act as a liaison between the DPO Office and Brightly; where required, serve as Brightly's DPO representative and ensure consistent execution.
- Deliver quarterly executive updates on privacy risk, regulatory change, DSR performance, and program maturity.
- Own the privacy program budget, forecast needs, and provide clear spend visibility.
Regulatory Compliance - Day-to-Day Operations- Partner with product and engineering teams to provide clear guidance on any technical or organizational changes related to data privacy that would be required for launching our products in new regulatory environments.
- Run a quarterly jurisdiction review, mapping regulatory obligations to products, processing activities, owners, and deadlines.
- Convert regulatory changes into engineering tickets, policy updates, or contract actions within 30 days.
- Monitor and operationalize key regimes, including GDPR, US state privacy laws, PIPEDA/Quebec Law 25, Australia Privacy Act, India DPDP Act, HIPAA, and FERPA.
- Maintain clear documentation related to our identified requirements for our products and the efforts we have implemented to achieve compliance with those requirements.
- Lead regulator correspondence and ensure deadlines, submissions, and follow-ups are completed on time.
- Direct regulatory investigations and audits, maintaining a current readiness playbook.
Data Governance - Ownership & Accountability- Own and mature the RoPA, ensuring full coverage and annual recertification.
- Drive adoption of data classification, retention, and deletion controls, including quarterly deletion reporting.
- Chair the monthly Data Governance Council and hold owners accountable for actions and decisions.
- Maintain lawful basis coverage for processing activities before product or workflow go-live.
- Run the DPIA process end-to-end, targeting a 10-business-day turnaround for standard reviews.
- Lead TIAs for new international transfers and maintain the transfer register.
- CISO and Security Partnership - Shared Operational Cadences
- Co-lead weekly privacy/security triage with the CISO organization for requests, DPIAs, and sub-processor decisions.
- Own the sub-processor register and approval workflow, targeting decisions within 10 business days.
- Provide privacy inputs for monthly and quarterly Privacy & Security KPI dashboards.
- Lead privacy impact assessment and regulator notification drafting during incidents.
Product & Engineering Enablement- Own and maintain the Privacy Requirements Checklist for features, integrations, and data workflows.
- Lead privacy reviews at design, pre-launch, and post-launch milestones.
- Create reusable privacy design patterns for consent, residency, anonymization, and analytics.
- Triage privacy tickets within 2 business days and enforce review SLAs.
- Run monthly office hours to unblock product and engineering teams on privacy decisions.
- Data Subject Rights (DSR) Program
- Own the end-to-end DSR workflow across products and regions, targeting 10 business days for standard requests.
- Publish monthly DSR reporting by request type, jurisdiction, completion rate, response time, and escalations.
- Own customer-facing privacy documentation and update it annually or after material regulatory changes.
- Enable Sales and Customer Success with approved responses for privacy questionnaires, RFPs, and audits.
Training & Privacy Culture- Deliver annual privacy training and report quarterly completion and adoption metrics.
- Run role-specific privacy workshops twice per year for Engineering, Product, Marketing, and HR.
- Maintain internal privacy policies and publish an accessible change log for employees.
- Track privacy culture metrics, including training, DPIA timeliness, DSR SLAs, and policy acknowledgements.
Operational and Soft Skills- Exceptional critical thinking with ability to translate vision into executable plans
- Outstanding communication capabilities with track record of driving high-performing teams and the ability to influence at peers and leaders
- Excellent analytical abilities and data-driven decision-making approach
What you need- Bachelor's degree and 8+ years of progressive experience in data privacy, data protection, or a related field, including hands-on ownership of global privacy programs.
- Deep expertise operationalizing multi-jurisdictional privacy requirements across major regulatory regimes, with the ability to translate legal obligations into practical controls, workflows, and engineering actions.
- Strong technical fluency in B2B SaaS or cloud environments, including AI and agentic technologies, cloud architecture, multi-tenancy, APIs, R&D trade-offs, incident response, threat models, and access controls.
- Proven track record delivering privacy program artifacts and operating mechanisms, including RoPAs, DPIAs, DSR workflows, privacy checklists, training programs, policies, and governance routines.
- Executive presence and cross-functional influence, with experience partnering with product, legal, security, sales, customers, and regulators in regulated industries; relevant IAPP certifications preferred.
What makes you a Standout- Prior experience as a designated Data Privacy and Governance leader, under GDPR with direct regulatory authority engagement.
- JD, LLM, or equivalent legal education; or equivalent depth through extensive hands-on program leadership.
- Hands-on experience with privacy tooling: OneTrust, BigID, TrustArc, Transcend, DataGrail, or similar - can configure workflows, not just procure licenses.
- Experience governing AI/ML data practices: model training data, automated decision-making, and synthetic data use policies.
- Experience managing international transfer mechanisms: SCCs, Binding Corporate Rules, adequacy decisions, US Data Privacy Framework.
- Experience in asset management, facilities management, or infrastructure technology sectors.
- Comfortable driving clarity and decisions in a global, matrixed organization under ambiguity.
You'll Benefit FromSiemens offers a variety of health and wellness benefits to our employees. Details regarding our benefits can be found here: https://www.benefitsquickstart.com/siemens/index.html
The pay range for this position is $145,156 - $248,839 annually with a target incentive of 20% of the base salary. The actual wage offered may be lower or higher depending on budget and candidate experience, knowledge, skills, qualifications, and premium geographic location.