Business analyst with Data privacy

Position Description: Data & Privacy Analyst/Business Analyst/Consultant III - Contractor

Overview:

Seeking an experienced contractor to support the efforts to begin implementation/operationalization of a comprehensive data & privacy program at the Wisconsin Department of Administration (DOA). The contractor will be responsible for helping DOA staff navigate and implement data & privacy frameworks, assessments, governance, policy development, inventory, gap analysis, and other duties as assigned to support this program. In addition, along with the DOA s Division of Enterprise Technology s (DET) Chief Technology Officer (CTO) and DOA Division of Legal Service s (DLS) Lead Privacy Counsel, the contractor will work with key stakeholders to develop a strategic data and privacy program.

This role presents an exciting opportunity for an experienced professional that will support efforts to establish a best-in-class data & privacy program for state government ensuring compliance and the protection of data. Interested contractors should highlight experience that can support the functions of this role.

Key Deliverables of the Contract:

• Data and privacy maturity assessment report with gap analysis.
• Comprehensive data and privacy program strategy and implementation roadmap.
• Incident response and breach management plan.
• Third-party privacy risk management (TPRM) framework.
• Final project report with recommendations for prioritizing privacy efforts, acquiring privacy-enhancing technology (PET) tools, and determining long-term sustainability of agency data privacy initiatives.

Scope of Work: The contractor will perform the following tasks:

1. Data and Privacy Program Assessment & Strategy Development:
• Conduct a data and privacy maturity assessment to evaluate current policies, practices, and regulatory/legal compliance.
• Develop a strategic roadmap for implementing a data and privacy framework aligned with industry standards, regulatory, and legal requirements.
• Identify key data and privacy risks and recommend mitigation strategies.
• Provide actionable steps for mapping and inventory management of data assets.
• Identify and prioritize clear, concise, and enforceable data & privacy policies, standards, and practices to facilitate and drive agency change management.

1. Data and Policy Governance Framework Development:
• Draft and implement data and privacy policies, standards, and procedures (PSPs) including privacy notices tailored to the agency's operations.
• Establish a data and privacy governance structure, including roles and responsibilities. Roles considered should include how to drive culture so that all understand their obligations besides the normal operational aspects.
• Define key performance indicators (KPIs) for data and privacy program success.
• Outline monitoring plan for compliance and performance to determine cadence and governance practices that ensure adherence to policies and regulations. This plan should include how adjustments are also included into the workflow and cadence to address gaps or emerging risks.

1. Regulatory Compliance & Risk Management:
• Along with legal counsel, create processes to ensure compliance with federal and state privacy laws and regulations.
• Along with DOA s Data manager & legal counsel, develop and implement data privacy risk assessments and risk management frameworks.
• Along with DOA s Data Manager, establish a data inventory and mapping process and execute data inventories, data flows, data modeling, data access, data lifecycle and system assessments.
• Along with legal counsel, create streamlined processes for Privacy Threshold Analyses (PTAs), Privacy Impact Assessments (PIAs), and AI Risk Assessments (AIRAs) and/or embed into existing systems, applications, and risk management/risk assessment processes (e.g., security, cloud brokerage).

1. Vendor & Third-Party Risk Management (TPRM):
• Along with State Bureau of Procurement (SBOP), DET, and legal counsel, develop a third-party privacy risk assessment framework for statewide procurement and contracting.
• Along with DET and legal counsel, conduct data and privacy assessments of key vendors and partners.
• Along with DET and legal counsel, recommend strategies to standardize contracting and data sharing agreements (DSAs) and/or templatize appropriate data protection and privacy clauses within statewide procurements and agency contracts.

1. Data & Privacy Technology Automation:
• Assess and recommend privacy-enhancing technologies (PETs) and automation tools, including AI.
• Support integration of privacy controls into agency IT systems including working with application stakeholders.
• Collaborate with IT and security teams to embed privacy by design (PbD) and security by design principles throughout the system development lifecycle (SDLC) and business processes, such as authorization management and purpose-based and role-based access controls (PBAC/RBAC).
• Along with DOA s Data Manager, develop recommendations for tools to execute and automate data-centric privacy capabilities, such as discovering personal data, de-duplicating redundant/obsolete/tertiary (ROT) data, classifying data, and retention scheme management/data dispositioning at the end of records retention cycles.

Required Qualifications & Competencies:

• Experience with data modeling and data warehousing concepts and technologies. (5 years)

• Experience with database platforms such as Oracle, SQL Server, NoSQL. (5 years)

• Demonstrated experience in data and privacy program development and implementation. (5 years)
• Expertise in implementing risk management, data governance, and compliance frameworks (e.g., NIST Privacy Framework). (5 years)
• Experience in implementation of data literacy frameworks in support of overall data initiatives.
• Strong project and change management skills with the ability to execute strategic privacy initiatives.
• Ability to assess risks, conduct assessments, and analyze data flows.
• Excellent communication skills (written and verbal) and the ability to engage with cross-functional technical and business teams to gather requirements, explain complex concepts, and align to frameworks.
• Ability to effectively prioritize workload from multiple workstreams and adapt to changing priorities and deadlines.
• Ability to work independently, be self-motivated, and maintain the confidentiality of sensitive/restricted information under minimal supervision.

Desired Qualifications & Competencies:

• Proven project experience with programming languages such as Java, SQL, Python, and R for data manipulation and analysis. (5 years)
• Experience in data protection compliance, legal, audit, or risk management roles. (5 years)
• Proven project experience with data analysis and visualization tools such as Tableau, PowerBI, or other cloud data analytics platforms. (5 years)
• Professional data and privacy training or certifications such as International Association of Privacy Professionals certifications (e.g., Certified Information Privacy Professional/US (CIPP/US), Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT) or similar), CDPSE (Certified Data Privacy Solutions Engineer) preferred.
• Experience with the use of artificial intelligence (AI) tools for electronic records management (ERM), electronic records dispositioning, and data minimization in government.
• Ability to develop innovative solutions for privacy and data challenges.

Reporting Structure:

• The contractor will jointly report to DET s Chief Information Officer (CIO) or her designee and DLS s Lead Privacy Counsel.