Senior GRC Analyst, Privacy

Meet Benevity

Benevity is the way the world does good, providing companies (and their employees) with technology to take social action on the issues they care about. Through giving, volunteering, grantmaking, employee resource groups and micro-actions, we help most of the Fortune 100 brands build better cultures and use their power for good. We’re also one of the first B Corporations in Canada, meaning we’re as committed to purpose as we are to profits. We have people working all over the world, including Canada, Spain, Switzerland, the United Kingdom, the United States and more!

Benevity is seeking a Sr. GRC Analyst, Privacy to anchor and advance our data protection program across a complex, multi-jurisdictional regulatory landscape. In this role, you will own the design, operationalization, and continuous maturity of Benevity’s privacy compliance program, spanning GDPR, UK-GDPR, CPRA, PIPEDA, CASL, and emerging global frameworks. You will build the foundational infrastructure that keeps Benevity accountable to its regulatory obligations: Records of Processing Activities, Data Subject Access Request workflows, Data Protection Impact Assessments, and subprocessor governance, ensuring the program is not only defensible to regulators but scalable as Benevity grows.

As a trusted privacy advisor embedded across cross-functional teams, you will work closely with Legal, Security, Engineering, Product, and Data Governance to embed Privacy by Design into the business. You will support the DPO operational function, partner on Data Processing Agreement reviews, and translate complex privacy requirements into practical, business-aligned controls. Your work will directly protect Benevity’s clients, employees, and the communities they serve, and ensure that trust remains a core competitive advantage.

What you’ll do:

Privacy Program & Governance

• Own and maintain Benevity’s Records of Processing Activities (ROPA) under both controller and processor regimes, ensuring compliance with GDPR Article 30 and equivalent requirements across applicable jurisdictions.

• Develop and maintain privacy policies, notices, standards, and control frameworks aligned with GDPR, UK-GDPR, CPRA/CCPA, PIPEDA, CASL, and emerging global laws (AU Privacy Act, India DPDP, Swiss FADP, and others).

• Support privacy policy approval, exception management, and attestation processes, actively seeking opportunities for process improvement and automation.
  

Data Subject Rights & DSAR

• Build and manage DSAR intake, triage, and response workflows in compliance with statutory deadlines (30 days under GDPR; 45 days under CPRA), including coordination with business and legal stakeholders.

• Maintain and refresh the subprocessor listing in alignment with client Data Processing Agreement commitments and GDPR Article 28 obligations.
  

Data Protection Impact & Risk

• Design, operationalize, and continuously improve the Data Protection Impact Assessment (DPIA) process; embed DPIA requirements into product, data, and business initiative workflows.

• Support the DPO operational function, including regulatory correspondence readiness, breach notification preparedness, and supervisory authority interface support in coordination with Legal.

• Partner with Security, Engineering, Product, Legal, and Data Governance teams to embed privacy by design and by default into key business initiatives.

Regulatory Compliance & Monitoring

• Review and support the negotiation of Data Processing Agreements and data transfer mechanisms (SCCs, UK IDTAs) in collaboration with Legal.

• Monitor the global privacy regulatory landscape and assess the impact of new and evolving requirements on Benevity’s operations and client commitments.

• Support multi-entity privacy obligations across Benevity’s partner ecosystem, including jurisdiction-specific compliance requirements and data processing documentation.
  

Tooling & Operational Delivery

• Maintain and enhance privacy workflows in GRC platforms (e.g., OneTrust Privacy module) to automate and streamline compliance operations at scale.

• Deliver executive-ready privacy reports, risk insights, and dashboards to inform leadership decision-making.

• Leverage AI tools and automation as a force multiplier, accelerating DSAR triage, regulatory horizon scanning, policy drafting, and evidence workflows to scale program output without scaling headcount.

Advisory & Awareness

• Design and deliver privacy awareness and training programs to build a culture of data protection across Benevity.

• Serve as a cross-functional privacy advisor, partnering with teams across the organization to embed privacy requirements into products, services, and operational decisions.

What you’ll bring:

• 5+ years of experience in privacy, data protection, GRC, or a closely related field, ideally within a SaaS or high-growth technology environment.

• Deep, practical knowledge of global privacy frameworks, including GDPR, UK-GDPR, CPRA/CCPA, PIPEDA, and CASL, with working familiarity of emerging regimes (India DPDP, Swiss FADP, AU Privacy Act reforms).

• Hands-on experience building and maintaining ROPAs under both controller and processor regimes, managing DSAR workflows, conducting DPIAs, and maintaining subprocessor inventories.

• Experience supporting or operating within a DPO function, including regulatory interface and breach notification processes.

• Proven ability to review and support the negotiation of Data Processing Agreements and data transfer mechanisms in collaboration with Legal.

• Hands-on experience with privacy or GRC tooling (e.g., OneTrust Privacy module, Hyperproof, or equivalent) to operationalize compliance workflows at scale.

• Ability to communicate complex privacy and regulatory concepts clearly to technical, legal, and business audiences.

• A demonstrated interest and track record in leveraging AI and automation as a force multiplier, streamlining privacy operations, accelerating routine workflows, and expanding program capacity without proportional headcount growth.

• Certifications such as CIPP/E, CIPP/US, or CIPM are highly valued; CIPT, CISM, or CRISC are also welcomed.

Discover your purpose at work

We’re not employees, we’re Benevity-ites. From all locations, backgrounds and walks of life, who deserve more …

Innovative work. Growth opportunities. Caring co-workers. And a chance to do work that fills us with a sense of purpose.

If the idea of working on tech that helps people do good in the world lights you up ... If you want a career where you’re valued for who you are and challenged to see who you can become …

It’s time to join Benevity. We’re so excited to meet you.

Where We Work

At Benevity, we embrace a flexible hybrid approach to where we work that empowers our people in a way that supports great work, strong relationships, and personal well-being. For those located near one of our offices, while there’s no set requirement for in-office time, we do value the moments when coming together in person helps us build connection and collaboration. Whether it’s for onboarding, project work, or a chance to align and bond as a team, we trust our people to make thoughtful decisions about when showing up in person matters most.

Join a company where DEIB isn’t a buzzword

Diversity, equity, inclusion and belonging are part of Benevity’s DNA. You’ll see the impact of our massive investment in DEIB daily — from our well-supported employee resources groups to the exceptional diversity on our leadership and tech teams.

We know that diverse backgrounds, experiences, skills and passions are what move our business and our people forward, so we're committed to creating a culture of belonging with equal opportunities for everyone to shine.

That starts with a fair and accessible hiring process. If you want to feel seen, heard and celebrated, you belong at Benevity.

Candidates with disabilities who may require accommodations throughout the hiring or assessment process are encouraged to reach out to [email protected].