Overview
Skills
Job Details
Description
Data and privacy maturity assessment report with gap analysis.
Comprehensive data and privacy program strategy and implementation roadmap.
Incident response and breach management plan.
Third-party privacy risk management (TPRM) framework.
Final project report with recommendations for prioritizing privacy efforts, acquiring privacy-enhancing technology (PET) tools, and determining long-term sustainability of agency data privacy initiatives.
Scope of Work:
The contractor will perform the following tasks:
Data and Privacy Program Assessment & Strategy Development:
Conduct a data and privacy maturity assessment to evaluate current practices, and regulatory/legal compliance.
o Develop a strategic roadmap for implementing a data and privacy framework aligned with industry standards, regulatory, and legal requirements.
o Identify key data and privacy risks and recommend mitigation strategies.
o Provide actionable steps for mapping and inventory management of data assets.
o Identify and prioritize concise, and enforceable data & privacy standards, and practices to facilitate and drive agency change management.
Data and Policy Governance Framework Development:
o Draft and implement data and privacy policies, standards, and procedures (PSPs) including privacy notices tailored to the agency's operations.
o Establish a data and privacy governance structure, including roles and responsibilities.
Roles considered should include how to drive culture so that all understand their obligations besides the normal operational aspects.
o Define key performance indicators (KPIs) for data and privacy program success.
o Outline monitoring plan for compliance and performance to determine cadence and governance practices that ensure adherence to policies and regulations. This plan should include how adjustments are also included into the workflow and cadence to address gaps or emerging risks.
Regulatory Compliance & Risk Management:
o Along with legal counsel, create processes to ensure compliance with federal and state privacy laws and regulations.
o Along with agency Data manager & legal counsel, develop and implement data privacy risk
assessments and risk management frameworks.
o Along with agency Data Manager, establish a data inventory and mapping process and execute data inventories, data flows, data modeling, data access, data lifecycle and system assessments.
o Along with legal counsel, create streamlined processes for Privacy Threshold Analyses (PTAs), Privacy Impact Assessments (PIAs), and AI Risk Assessments (AIRAs) and/or embed into existing systems, applications, and risk management/risk assessment processes (e.g., security, cloud brokerage).
Vendor & Third-Party Risk Management (TPRM):
o Along with the State Bureau of Procurement (SBOP), DET, and legal counsel, develop a third-party privacy risk assessment framework for statewide procurement and contracting.
o Along with agency and legal counsel, conduct data and privacy assessments of key vendors and partners.
o Along and legal counsel, recommend strategies to standardize contracting and data sharing agreements (DSAs) and/or templatize appropriate data protection and privacy clauses within statewide procurements and agency contracts.
Data & Privacy Technology Automation:
o Assess and recommend privacy-enhancing technologies (PETs) and automation tools, including AI.
o Support integration of privacy controls into agency IT systems including working with application stakeholders.
o Collaborate with IT and security teams to embed privacy by design (PbD) and security by design principles throughout the system development lifecycle (SDLC) and business processes, such as authorization management and purpose-based and role-based access controls (PBAC/RBAC).
o Along with agency Data Manager, develop recommendations for tools to execute and automate data-centric privacy capabilities, such as discovering personal data, de-duplicating redundant/obsolete/tertiary (ROT) data, classifying data, and retention scheme management/data dispositioning at the end of records
retention cycles.
Required Qualifications & Competencies:
? Experience with data modeling and data warehousing concepts and technologies. (5 years)
? Experience with database platforms such as Oracle, SQL Server, NoSQL. (5 years)
? Demonstrated experience in data and privacy program development and implementation. (5 years)
? Expertise in implementing risk management, data governance, and compliance frameworks (e.g., NIST Privacy Framework). (5 years)
? Experience in implementation of data literacy frameworks in support of overall data initiatives.
? Strong project and change management skills with the ability to execute strategic privacy initiatives.
? Ability to assess risks, conduct assessments, and analyze data flows.
? Excellent communication skills (written and verbal) and the ability to engage with cross-functional technical and business teams to gather requirements, explain complex concepts, and align to frameworks.
? Ability to effectively prioritize workload from multiple workstreams and adapt to changing priorities and deadlines.
? Ability to work independently, be self-motivated, and maintain the confidentiality of sensitive/restricted information under minimal supervision.
Desired Qualifications & Competencies:
? Proven project experience with programming languages such as Java, SQL, Python, and R for data manipulation and analysis. (5 years)
? Experience in data protection compliance, legal, audit, or risk management roles. (5 years)
? Proven project experience with data analysis and visualization tools such as Tableau, PowerBI, or other cloud data analytics platforms. (5 years)
? Professional data and privacy training or certifications such as International Association of Privacy Professionals certifications (e.g., Certified Information Privacy Professional/US (CIPP/US), Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT) or similar), CDPSE (Certified Data Privacy Solutions Engineer) preferred.
? Experience with the use of artificial intelligence (AI) tools for electronic records management (ERM), electronic records dispositioning, and data minimization in government.
? Ability to develop innovative solutions for privacy and data challenges.
Reporting Structure:
? The contractor will jointly report to DET s Chief Information Officer (CIO) or her designee and DLS s Lead Privacy Counsel.
Top Required Skills & Years of Experience:
? Experience with data modeling and data warehousing concepts
and technologies. (5 years)
? Experience with database platforms such as Oracle, SQL Server, NoSQL. (5 years)
? Demonstrated experience in data and privacy program development and implementation. (5 years)
? Expertise in implementing risk management, data governance, and compliance frameworks (e.g., NIST Privacy Framework). (5 years)
Nice to Have Skills:
? Proven project experience with programming languages such as Java, SQL, Python, and R for data manipulation and analysis. (5 years)
? Experience in data protection compliance, legal, audit, or risk management roles. (5 years)
? Proven project experience with data analysis and visualization tools such as Tableau, PowerBI, or other cloud data analytics platforms. (5 years)