Concero

GRC Analyst

On site

Addison, United States

$80,000/year

Mid level

Full Time

19-01-2026


Skills

Leadership, Data Governance, Risk Management, Monitoring, Training, Risk Assessment, Risk Mitigation, Compliance Management, Organization

Job Specifications

!!MUST BE LOCATED NEAR THE DALLAS AREA!!

Position Summary

The GRC Analyst is responsible for implementing and maintaining the Company's governance, risk, and compliance (GRC) program, with a focus on global data privacy regulations and information security frameworks. This role ensures CECO Environmental's compliance with GDPR, CCPA, PIPL, PIPEDA, and other relevant privacy regulations, while managing compliance activities through Microsoft Purview and related tools. The GRC Analyst will conduct risk assessments, manage compliance documentation, and collaborate with business units to embed privacy and security practices across the organization. May assist with IT due diligence efforts in M&A activities relative to compliance, regulatory requirements, and development of risk mitigation plans.

Key Responsibilities

Work as the primary subject matter expert on Microsoft Purview within the company, including data classification, retention policies, information protection, and compliance management.
Manage and maintain compliance with global data privacy regulations including GDPR, CCPA, PIPL, PIPEDA, and other applicable data protection laws.
Implement and administer data governance policies, data loss prevention (DLP) strategies, and information rights management using Microsoft Purview.
Conduct regular risk assessments, control evaluations, and compliance audits to identify gaps and recommend remediation activities.
Develop, maintain, and update compliance documentation including policies, procedures, standards, and guidelines aligned with regulatory requirements and industry best practices.
Monitor regulatory changes and assess impact on the organization; provide guidance on compliance requirements to stakeholders.
Coordinate and support internal and external audits, including evidence collection, response preparation, and remediation tracking.
Develop and deliver privacy and security awareness training programs for employees and stakeholders.
Manage data subject rights requests (DSRs) and privacy incidents, ensuring timely and compliant responses.
Collaborate with IT, Legal, HR, and business units to ensure privacy-by-design principles are incorporated into systems, processes, and initiatives.
Maintain the vendor risk management program, including third-party assessments and ongoing monitoring of security and compliance practices.
Generate compliance metrics, dashboards, and reports for leadership and regulatory bodies as required.
This job description represents only the primary areas of responsibility; specific position assignments will vary depending on the needs of the department.
To perform the job successfully, an individual must be able to execute each essential duty satisfactorily. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Qualifications

A bachelor's degree in Information Systems, Business Administration, Cybersecurity, Legal Studies, or a related field.
5+ years of experience in GRC, compliance, data privacy, or information security; or an equivalent combination of education and experience sufficient to successfully perform the essential duties of the job such as those listed above.
Prior experience in the commercial industrial manufacturing industry is helpful.

Travel Requirements: Occasional travel may be required, as necessary; must have the ability to travel across borders.

LICENSING/CERTIFICATIONS:

CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), CISSP, CIPM (Certified Information Privacy Manager), CIPP (Certified Information Privacy Professional), or other relevant certifications strongly preferred.

KNOWLEDGE:

At least 5 years of experience in GRC, with demonstrated expertise in global data privacy regulations (GDPR, CCPA, PIPL, PIPEDA) and information security frameworks (ISO 27001, NIST, SOC 2).
Extensive hands-on experience with Microsoft Purview, including information protection, data classification, retention policies, DLP, and compliance management features.
Strong understanding of privacy principles, data protection requirements, and regulatory compliance obligations across multiple jurisdictions.
Experience with risk assessment methodologies, control frameworks (COBIT, COSO), and audit management processes.
Knowledge of vendor risk management, third-party security assessments, and contract compliance requirements.
Understanding of IT infrastructure and security controls in hybrid environments (on-premises and cloud).
Familiarity with data mapping, data flow analysis, and privacy impact assessments (PIAs).

SKILL IN:

Meticulous eye for detail and accuracy in compliance documentation and assessments.
Exercising confidentiality, discretion, and sound judgment when handling sensitive information.
Ability to work on multiple tasks and projects simultaneously and balance conflicting demands.
Relations

About the Company

Concero is in the business of connection--literally. Concero means "to join or link together" in Latin, and we always seek ways to live up to our name. Our people-powered recruitment firm makes over 500 connections every week to find every company and job seeker the perfect fit. We dig beneath the surface (and beyond the resume) to deeply understand your needs and goals--and that allows us to create perfect synergy every time. Whether you're seeking connections in IT, accounting & finance, or professional services, Conce...