Principal Regulatory Compliance Attorney

The Principal Regulatory Compliance Attorney must have functional knowledge and demonstrated experience across regulatory, compliance, and privacy matters within a global or multijurisdictional organization, with particular emphasis on EU regulations and GDPR requirements. This is a critical senior position responsible for designing and implementing a comprehensive risk-based compliance framework; managing regulatory strategy and examinations; protecting data and privacy; and mitigating regulatory and compliance risk across our global organization.

This is an individual contributor position within CB. Responsibilities include:

• Provide oversight and collaboration on compliance matters intersecting with export controls, trade compliance, cross-border regulatory requirements, and third-party due diligence.
• Conduct risk assessments, identify root causes, develop mitigation strategies, implement and manage correction actions, and track compliance and remediation efforts.
• Support and conduct confidential internal investigations, draft investigation reports, and help manage the employee whistleblower hotline and metric reporting.
• Serve as a primary contact for regulator, inspector, or supervisory communications.
• Help coordinate or lead productions, submissions, and responses to regulatory exams, audits, inquiries, remediation plans, incidents, or breaches.
• Take responsibility for statutory updates and submissions (e.g., registration and payment of annual data protection fees to the ICO and quarterly returns to the Scottish Lobbying Register).
• Ensure alignment between regulatory requirements and internal policies and programs.
• Provide guidance on aligning operational controls and initiatives with regulatory requirements.

Data Privacy responsibilities include:

• Serve as the GDPR subject-matter expert and help design, implement, and improve the company’s GDPR compliance framework and privacy and data protection program, ensuring alignment with GDPR principles, accountability requirements, and supervisory authority expectations.
• Draft and maintain GDPR-compliant privacy notices, policies, and procedures and conduct or assist with conducting periodic privacy monitoring and audits.
• Oversee and advise on data protection impact assessments, privacy risk assessments, and privacy-related incident response, including breach assessments, notification obligations, and coordination with regulators and external counsel, as needed.

Qualifications

• Education: J.D., LL.M., or LL.B.
• License: Licensed attorney in good standing in the U.K. or equivalent.
• Experience: 10 years building and overseeing compliance programs and frameworks (preferably multi-jurisdictional experience) with 6 years in the EU and UK; 6 years of EU and UK regulatory compliance experience, including GDPR and EU data governance, data protection, and privacy; 6 years defending against EU and UK regulatory inquiries, investigations, and enforcement and interacting with EU and UK regulators and supervisory authorities.

Preferred Experience (not required, but a plus)

• Certifications: Certified Information Privacy Professional (CIPP), Certified Compliance and Ethics Professional (CCEP), or Certified Regulatory Compliance Manager (CRCM).
• Demonstrated experience supporting global companies with EU and GDPR compliance needs and handling complex regulatory compliance matters across multiple jurisdictions.
• Familiarity with ISO 27001, 27701, and NIST Privacy Framework.