Remote

Director of Privacy

HealthEquity
United States, Utah, Draper
15 West Scenic Pointe Drive
Jan 26, 2026




Job Locations

US-Remote



Our Mission

Our mission is to SAVE AND IMPROVE LIVES BY EMPOWERING HEALTHCARE CONSUMERS. Come be part of remarkable.



Overview

How You Can Make a Difference

The Director is the operational leader of HealthEquity's privacy program and is accountable for translating the Chief Privacy Officer's enterprise privacy strategy into scalable execution across the organization. This role drives privacy-by-design adoption, operational governance, and measurable risk reduction across products, technology, vendors, and business operations. The Director partners closely with Product, Technology, Security, Legal, Compliance, Risk, and Operations to assure that personal data is used lawfully, responsibly, and in alignment with company policy, enabling innovation while protecting customers and the organization. This role is accountable for operating an efficient and effective privacy program.

What You'll Be Doing

This role is a people leader with responsibility for building, developing, and leading a high-performing privacy team. The Director, Privacy is accountable for talent development, performance management, resource planning, and ensuring the privacy function has the capabilities necessary to meet enterprise risk and regulatory expectations.


Enterprise Privacy Strategy & Governance

  • Execute and continuously improve the day-to-day operation of HealthEquity's privacy program in alignment with the enterprise privacy strategy, policies, and governance framework.
  • Develop and maintain the privacy program operating plan and roadmap; translate strategic priorities into measurable initiatives, milestones, and deliverables.
  • Operate privacy governance mechanisms (intake, triage, workflow management, decision documentation, evidence management, issue tracking, and escalation pathways) to ensure consistent, auditable, and business-enabling execution.
  • Draft, maintain, and operationalize privacy procedures, standards, and playbooks that implement enterprise policy requirements; recommend policy or standard enhancements based on operational learnings and emerging risk.
  • Assure governance artifacts are complete and "exam-ready," including documented decisions, rationales, exceptions, and remediation tracking.

Data Governance & Lifecycle Management

  • Oversee the operational privacy components of data governance, including data mapping, records of processing/data inventories, data classification support, and purpose/use documentation.
  • Partner with Technology, Data, Security, Legal, and Records/Information Management stakeholders to support implementation of data minimization, retention, deletion, and secure handling controls consistent with enterprise standards.
  • Support alignment between privacy requirements and records management/legal hold processes.
  • Drive operational improvements that reduce friction for teams while improving data lifecycle compliance and evidence quality.

Product, Technology & AI Governance

  • Embed privacy-by-design principles into product development and technology delivery processes through practical mechanisms (e.g., SDLC touchpoints, launch readiness criteria, design reviews, and change management controls).
  • Lead execution of privacy impact assessments and related reviews in accordance with established frameworks; ensure risks are clearly documented, remediation is owned, and completion is tracked.
  • Develop reusable privacy patterns and implementation guidance for common scenarios (e.g., analytics/telemetry, customer communications, data sharing, identity verification, sensitive data handling).
  • Operationalize privacy governance for AI and advanced analytics initiatives by executing reviews, documenting risk assessments, and recommending controls and guardrails.
  • Partner with Product, Technology and Security to align privacy and security requirements, ensuring privacy controls are practical, testable, and scalable.

Risk Assessment & Metrics

  • Execute the enterprise privacy risk assessment processes, including intake scoping, privacy impact assessments, periodic risk reviews, and issue management.
  • Maintain a disciplined remediation tracking process for privacy findings, control gaps, and program issues; drive to closure and validate evidence.
  • Develop, maintain, and report privacy program KPIs/KRIs, control health metrics, and maturity indicators; provide executive-ready reporting, insights, and trend analysis for reporting and governance.
  • Support audits, exams, and internal assurance activities by producing high-quality evidence, narratives, and corrective action tracking.

Individual Rights & Regulatory Compliance

  • Own day-to-day operations for individual rights/consumer request fulfillment (e.g., access, deletion, correction), including intake, identity verification coordination, fulfillment workflows, quality control, documentation, and SLA management.
  • Define operational procedures, templates, and QA checks that improve response consistency and defensibility; drive automation and efficiency improvements where appropriate.
  • Monitor privacy regulatory developments and translate changes into operational; support implementation planning, execution, and readiness activities.
  • Coordinate complex or sensitive requests with Legal, Security, and business owners.

Vendor, Partner & Data Sharing Oversight

  • Lead operational privacy reviews for vendors, partners, and third parties that process or access personal information, in partnership with Procurement, Legal, and Third-Party Risk.
  • Assure privacy requirements are embedded in onboarding, contracting, and ongoing monitoring practices in alignment with approved privacy standards and contractual requirements.
  • Evaluate data sharing arrangements, integrations, and API-based data flows for alignment with enterprise standards; document risks, required controls, and exceptions.
  • Maintain operational evidence of third-party privacy diligence and oversight to support audit and regulatory expectations.

Incident Response & Enforcement

  • Serve as the privacy program lead in incident response activities, partnering with Security and Legal on privacy impact analysis, documentation, evidence collection, and remediation tracking.
  • Support breach evaluation and notification analyses by preparing documented impact assessments and options.
  • Track privacy incidents, complaints, investigations, and corrective actions to closure; identify systemic drivers and recommend control or process improvements to reduce recurrence.
  • Support enforcement and corrective action execution consistent with enterprise standards.

Executive, Board & External Engagement

  • Prepare executive-ready materials, program status updates, risk summaries, and recommendations for use in executive and Board-level reporting.
  • Support regulatory, audit, and external assessment engagements.
  • Partner cross-functionally to ensure consistent internal messaging and defensible documentation of privacy program decisions and actions.

Program Leadership & Enablement

  • Build and deliver role-based privacy training and awareness that is measurable, targeted, and operationally effective; drive adoption through practical enablement rather than policy recitation.
  • Develop self-service tools and playbooks that improve consistency and reduce delivery friction for product and operational teams.
  • Partner with the Chief Privacy Officer on privacy program resourcing needs; manage program workflows and tooling to maximize efficiency and evidence quality.
  • Benchmark operational practices against industry standards and peer programs; propose improvements that measurably strengthen program maturity.

What You Need to Be Successful:

  • Bachelor's degree required; Juris Doctor with relevant experience in privacy law highly preferred.

  • 12 to 15 years of progressive experience in privacy and data protection within complex, regulated environments with 5-10 years of leadership experience.

  • Strong stakeholder leadership skills and the ability to drive adoption through influence and clarity.

  • Proven ability to operationalize privacy requirements in technology and business processes.

  • Track record of experience in a mix of financial services, financial technology, technology, and healthcare environments, with the ability to work with and navigate associated regulatory frameworks.

  • Deep understanding of U.S. privacy laws and regulatory frameworks, including GLBA and HIPAA, and state privacy laws.

  • Fluency in privacy-by-design principles, data lifecycle concepts, and risk assessment practices; sufficient technical understanding to engage credibly on data flows, integrations, analytics, and AI use cases.

  • Demonstrated ability to balance regulatory requirements with business enablement and innovation.

  • Executive-level communication, influence, and stakeholder management skills.

  • Proven ability to lead teams, drive change, and deliver measurable risk and compliance outcomes.

  • Track record of constructive relationships with diverse groups of people, including internal and external stakeholders.

  • Commitment to customer service excellence

  • CIPP/US or CIPM and/or related professional designations/certifications highly preferred.


Salary Range

$137,500.00 to $182,000.00 / year


Benefits & Perks

The actual compensation offer is determined based on job-related knowledge, education, skills, experience, and work location. This position will be eligible for performance-based incentives and restricted stock units as part of the total compensation package, in addition to a full range of benefits including:

  • Medical, dental, and vision
  • HSA contribution and match
  • Dependent care FSA match
  • Uncapped paid time off
  • Paid parental leave
  • 401(k) match
  • Personal and healthcare financial literacy programs
  • Ongoing education & tuition assistance
  • Gym and fitness reimbursement
  • Wellness program incentives


Why work with HealthEquity

HealthEquity has a vision that by 2030 we will make HSAs as widespread and popular as retirement accounts. We are passionate about providing a solution that allows American families to connect health and wealth. Join us and discover a work experience where the person is valued more than the position.

You belong at HealthEquity!

HealthEquity, Inc. is an equal opportunity employer, and we are committed to being an employer where no matter your background or identity - you feel welcome and included. We ensure equal opportunity for all applicants and employees without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, status as a qualified individual with a disability, veteran status, or other legally protected characteristics. HealthEquity is a drug-free workplace. For more information about our EEO policy, or about HealthEquity's applicant disability accommodation, drug-free-workplace, background check, and E-Verify policies, please visit our Careers page.

HealthEquity uses Microsoft Copilot to transcribe screening interviews between candidates and their direct Talent Partner for note taking and interview summaries. By scheduling a screening interview with us, you consent to Microsoft Copilot's AI technology recording and transcribing your interview with your Talent Partner. This information will be reviewed for accuracy and then used by HealthEquity to summarize the interview, ensure accuracy, and facilitate our hiring process. We take privacy seriously. You have the option to opt out. If you wish to opt out of this Microsoft Copilot transcription, please notify your Talent Partner in advance of the interview. If we do not receive an opt-out request from you, we will assume that you consent to the use of Microsoft Copilot.

At HealthEquity, our goal is to save and improve lives by empowering healthcare consumers. This shared purpose inspires everything we do, including how we approach hiring. Our process is designed to get to know the real you: your skills, experiences, and potential to make a difference. We value honesty, originality, and the courage to do the right thing, even when it is not the easiest path. Showing up as your authentic self reflects these values and helps us build something truly remarkable together.

As AI is becoming a common tool throughout the application process, we want to be clear about its appropriate use at HealthEquity. Using AI to support resume writing, research, or interview preparation is perfectly acceptable, provided the content is accurate and genuinely represents your qualifications and skills. For other key parts of our interview process, however, it is important that the ideas, communication, and work you share reflect your own voice, experiences, and thinking. We ask that you participate in our live interviews and complete any assessments without AI assistance unless instructions explicitly indicate otherwise or a specific exception is discussed and approved in advance. This approach ensures fairness, celebrates your individuality, and allows your authentic perspective to shine. Behaviors that do not align with these guidelines may result in disqualification from the hiring process or termination of employment if later discovered. We appreciate your understanding and look forward to learning about the unique contributions only you can bring to HealthEquity.

HealthEquity is committed to your privacy as an applicant for employment. For information on our privacy policies and practices, please visit HealthEquity Privacy.
