This role represents an opportunity for a driven and growth-oriented individual to lead the enhancement and implementation of information security, data processing and data privacy policies and standards across the business. You will report to the Engineered Compliance Lead and DPO, who is responsible for planning and managing Oxehealth’s compliance with all international regulations and standards, meeting market procurement standards and guidance, and ensuring the personal data protection and clinical safety of the patients that our customers care for.
You will be responsible for:
● Supervising execution and monitoring of the Information Security and Privacy Information Management System (ISMS/PIMS)
● Running the Monthly and Quarterly security reviews in support of the CTO (Chair), and the Quarterly Data Review in support of the COO and DPO
● Tracking high priority actions, leading cross-functional security and data privacy projects
● Managing security risk and vulnerability analysis, and monitoring and executing risk treatment plans
● Running internal and external data privacy and security audits eg ISO 27001 and ISO 27701 as well as supporting compliance with regulations (eg GDPR, HIPAA, NIS), and market procurement standards (eg DSPT, HSSF, DTAC), and other regimes as they become relevant
● Supporting the DPO in monitoring and managing the company’s data protection stance
● Working with the Regulatory lead to improve the ISMS and PIMS
● Maintaining robust supporting documentation and policies, and ensuring that they are embedded within the wider business
● Acting as an in-house expert on international data privacy and security regulations (eg Europe, UK, USA, other territories)
● Overseeing and delivering data privacy and information security training to all staff
The ideal candidate will have a passion for monitoring and interpreting regulation, and for systematically ensuring compliance with that regulation, by helping to ensure that data protection and information security are always “built in”.
The successful candidate is likely to have:
● Experience of having managed an Information Security Management System (ISMS) and maintaining ISO 27001 certification in a multi-site operation.
● Solid understanding of IT and experience in contributing to IT governance, controls and best practice processes.
● Experience in undertaking a range of internal and third party audits around Information security, data protection and IT governance and controls.
● Experience in developing physical security best practice processes and controls.
● Good understanding of the Data Protection Act and EU GDPR.
● Very good understanding of the principles of risk assessment and risk treatment, including operational risk as well as compliance monitoring and reporting.
Desirable but not essential:
● Industry experience within the healthcare sector