GRC/Data Privacy Specialist
Lendistry
Job Description
Lendistry is an Equal Opportunity/Affirmative Action Employer. We consider applicants without regard to race, color, religion, age, national origin, ancestry, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, veteran status, disability, genetic information, or membership in any other group protected by federal, state, or local law. If you need assistance or accommodation due to a disability, you may contact us at [email protected].
Lendistry does not accept unsolicited resumes from recruiters, employment agencies, or staffing firms. To conduct business with Lendistry, a Master Services Agreement (MSA) must be executed and confirmed prior to submitting any information relating to a potential candidate. Without a signed MSA, Lendistry shall not be responsible to any individual or entity for any payment relating to any form of fee or compensation.
And, in the event that a resume or candidate is submitted by a recruiter, employment agency, or a staffing firm without a fully executed MSA, Lendistry has the unrestricted right to pursue and hire any of those candidate(s) without any legal or financial responsibility to the recruiter, agency, and/or firm.
A Day in the Life
The GRC/Data Privacy Specialist is responsible for leading and maturing the organization’s governance, risk, compliance, and data privacy programs across IT systems, cloud environments, and third‑party vendors. This role partners with Security, Engineering, and Compliance to ensure regulatory requirements and privacy obligations are translated into practical controls that protect sensitive data while supporting business operations.
The role oversees privacy governance, regulatory compliance, and risk‑management activities, including maintaining the data inventory and data flow maps, conducting privacy and security risk assessments, supporting attestation frameworks and regulations such as SOC 2 and the GLBA Safeguards Rule, and ensuring audit‑ready documentation and evidence management.
Operating both strategically and tactically, the GRC/Data Privacy function helps embed privacy‑by‑design practices across systems and processes while clearly communicating risk posture and compliance status to both technical teams and executive leadership.
Lendistry: Who We Are
We’re proud to be the nation’s largest minority‑led, tech‑savvy lender for small businesses and commercial real estate. As a certified Community Development Financial Institution (CDFI) and Community Development Entity (CDE), our mission is all about creating economic opportunities and fueling growth for small business owners and their communities. Join us as we pave the way with innovative financing and financial education!
What You’ll Be Doing
Governance, Risk & Compliance
- Maintain and operate the organization’s SOC 2 compliance program (Type I and Type II), including control ownership, evidence collection, auditor coordination, and remediation tracking.
- Support alignment with ISO/IEC 27001, including risk assessments, Statement of Applicability support, and control mapping.
- Manage compliance obligations under GLBA, including Safeguards Rule requirements, vendor oversight, and risk documentation.
- Conduct periodic risk assessments and control effectiveness reviews across people, process, and technology.
- Maintain GRC documentation, policies, standards, procedures, and risk registers in a continuous‑compliance model.
- Partner with internal stakeholders to translate regulatory requirements into practical, auditable controls.
Data Privacy & Protection
- Serve as the organization’s technical data privacy subject matter expert.
- Design, implement, and manage technical solutions to protect personal data, embedding “privacy by design” into the software development lifecycle, product architecture, and the privacy requirements of AI/ML systems.
- Act as the bridge between the Compliance, Legal, and Engineering teams, translating privacy policies, laws, and regulations into actionable technical requirements (data minimization, encryption, tokenization, data masking, anonymization, and access controls), each backed by clearly defined, auditable controls.
- Maintain and continuously update enterprise data flow diagrams and data inventories to map the lifecycle of personal information from ingestion to deletion.
- Lead and document the annual privacy risk assessment.
- Serve as the first line of defense for compliance with the technical requirements of applicable U.S. state privacy laws.
- Support incident response activities related to data privacy, including breach assessment, documentation, and regulatory support.
Third‑Party & Vendor Risk
- Support third‑party risk assessments with a focus on data handling, privacy, and regulatory exposure.
- Review vendor security and privacy documentation, including SOC reports, Standardized Information Gathering (SIG) questionnaires, and data processing agreements (DPAs).
- Track remediation items and ensure vendors meet contractual and regulatory obligations.
Cross‑Functional Collaboration
- Work closely with Security, Engineering, Product, Legal, Compliance, and Operations teams.
- Provide practical guidance that balances compliance, risk reduction, and business velocity.
- Assist with regulator, auditor, and customer due‑diligence inquiries.
Your Areas of Knowledge and Expertise
- 3–5 years of experience in Governance, Risk, and Compliance (GRC), data privacy, risk management, or a related field, preferably within a regulated environment such as fintech or financial services.
- Hands‑on experience supporting regulatory and compliance programs, including SOC 2 and GLBA Safeguards Rule, along with familiarity with U.S. state privacy laws and global privacy frameworks such as GDPR, PIPEDA, LGPD, or DPDPA.
- Experience implementing and administering GRC platforms, including managing compliance workflows, evidence collection, audit readiness, and risk tracking across multiple workstreams.
- Demonstrated ability to perform privacy and security risk assessments, including privacy impact assessments (PIAs), data protection impact assessments (DPIAs), and data security risk assessments, with strong documentation and evidence‑management practices.
- Hands‑on experience developing and maintaining data inventories, data maps, and data flow diagrams to support privacy compliance and regulatory obligations.
- Technical literacy in modern enterprise environments, including familiarity with cloud platforms (AWS, Azure), data architecture, database management (SQL), automation tools, and scripting languages such as Python.
- Understanding of privacy engineering and secure system design, including familiarity with privacy‑enhancing technologies such as differential privacy, federated learning, and secure multi‑party computation (particularly in AI/ML pipelines).
- Working knowledge of data mapping and automation tools used to manage data subject rights requests and privacy operations workflows.
- Strong analytical, organizational, and documentation skills, with the ability to manage multiple compliance initiatives independently and communicate effectively across technical, legal, and business stakeholders.
- Professional certifications such as CIPT or CDPSE required; CIPM and CISSP preferred.
- Bachelor’s degree in Computer Science, Information Security, or a related field, or an equivalent combination of professional experience, certifications, and alternative education.
Why You’ll Love Working Here
- Comprehensive Medical, Dental, and Vision Insurance
- Generous Paid Time Off
- Birthday Day Off
- 12 Paid Company Holidays
- 401(k) Match
- FSA and HSA
- Paid Life Insurance
- Paid Disability Insurance
- Pet Insurance
- Employee Assistance Program (EAP)
- Professional Development Courses
- In‑Office Provided Snacks and Drinks
- Gym Facilities (LA & Tustin/CEC Offices)
- In‑Office Engagement Activities
Physical Requirements
This is a stationary position that requires frequent sitting (approximately 95%), repetitive wrist motions, grasping, speaking, listening, close vision, and the ability to adjust focus. It also may require occasional standing, lifting, carrying of 20lbs or less, walking, kneeling, bending/stooping, twisting, pulling/pushing, and reaching above the shoulder. Employees in this position must be physically able to efficiently perform the essential functions of the position.