ROLE & RESPONSIBILITIES
Business Partnering
- Provide practical privacy/PIP advisory to Marketing, Medical/Sales, Digital, IT, Procurement, HR, R&D, Operations, and other internal clients; embed governance controls into business processes.
- Support privacy risk assessments (scenario identification, process mapping, data inventory/mapping, PIA/PIPIA), propose remediation plans, and drive first-line accountability and closure.
- Establish/optimize local privacy policies, procedures, and operational playbooks; localize global requirements (incident response, cross-border transfers, third-party management, data subject request handling).
- Share assurance outcomes with area management and ensure timely remediation, including corrective and disciplinary actions where needed.
Policy and Document Review and Management
- Draft, review, and customize privacy notices, PICS/notification statements, consent language, internal policies, guidelines, and templates.
- Review and negotiate privacy/data protection contract clauses and Data Processing Agreements (DPA/TDPA), identify risk issues, and propose operationally feasible revisions.
- Support cross-border data transfer compliance (e.g., CAC security assessments/standard contracts, filing/record-keeping, PIPIA). Prepare due diligence lists, questionnaires, and reports; drive remediation.
Third-Party/Vendor Privacy Compliance
- Design and execute vendor/third-party privacy due diligence and assessments (e.g., using vendor compliance checklists/questionnaires), identify control gaps, and drive corrective actions.
- Partner with Procurement, InfoSec, and IT to ensure administrative, physical, and technical safeguards are implemented for third parties.
Privacy by Design for Projects and Products
- Participate in digital/IT/marketing project reviews; provide privacy and security by design guidance to ensure legal, contractual, and internal control requirements are built in from inception.
- Assist with negotiation of privacy and security provisions in contracts/agreements, balancing business objectives and compliance risk.
Training and Communication
- Conduct role- and scenario-based training needs analysis; develop and deliver privacy training (PPT decks, e-learning, micro-learning) via face-to-face or virtual sessions.
- Innovate training and communication channels (mobile/app prompts, system banners) to improve reach and effectiveness; issue periodic best-practice reminders.
Monitoring, Auditing, and Continuous Improvement
- Perform periodic/thematic privacy compliance checks and internal audits; monitor KPIs/KCIs; conduct root-cause analysis and track corrective and preventive actions (CAPA).
- Maintain privacy compliance registers (incidents, assessments, vendor reviews, cross-border filings, data subject requests) and report trends and plans to management.
Incident Response and Regulatory Engagement
- Support identification, classification, handling, and notification of personal information security incidents; participate in cross-functional drills and post-incident improvements.
- Track and analyze new laws, regulations, national standards, and regulatory guidance; develop impact assessments and recommendations; support interactions with regulators/industry bodies when needed.
- Other ad-hoc tasks related to data privacy, as assigned from time to time.
REQUIREMENTS
Education
- Bachelor’s degree or above in Law, Information Security/Computer Science, Compliance, or related fields; PRC legal professional qualification (A certificate) or bar membership is a plus.
- Top-tier university background and student leadership experience are plus factors; top 20% academic performance preferred.
Experience
- 4–8 years in data privacy/PIP/compliance/legal roles; experience in Big Four, leading law firms, MNCs, or healthcare industry preferred.
- Hands-on experience in drafting/negotiating privacy policies and contract clauses, reviewing DPAs, vendor privacy due diligence, cross-border compliance (CAC/security assessments/standard contracts), PIPIA/PIA execution, audit/assurance and remediation closure.
- Proven project management and cross-functional delivery experience in a matrix organization.
Skills and Competencies
- Deep knowledge of Mainland China and Hong Kong privacy/data protection laws and regulatory frameworks (PIPL, CSL, DSL, implementing measures, national standards, PCPD guidance); familiarity with EU/US privacy frameworks is a plus.
- Familiar with privacy governance elements: strategy and policies, data mapping and lifecycle management, third-party management, data subject rights, cross-border transfer controls, incident response, training and audit.
- Strong structured thinking, analytical and problem-solving skills; ability to rapidly identify risks and propose actionable solutions.
- Excellent communication, influence, and collaboration skills across levels and functions; ability to manage multiple priorities under pressure.
- Fluent bilingual capability in Chinese and English (written and verbal); able to produce high-quality bilingual policy and contract documents.
- Proficiency in MS Word, Excel, and PowerPoint; familiarity with compliance/training tools and collaboration platforms preferred; knowledge of ISO/IEC 27701/27001 practices and CIPP certification are pluses.
Values and Professional Traits
- Strong ethical mindset and compliance orientation; proactive, results-driven; committed to first-line ownership and a culture of integrity.
- Passion for advancing organizational ethics and continuous learning of emerging regulations and best practices.
Date Posted
16-Jan-2026
Closing Date
05-Apr-2026
AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.