Location
Pennsylvania, United States
Salary
Not specified
Type
fulltime
Posted
Today
Job Description
Lendistry is an Equal Opportunity/Affirmative Action Employer. We consider applicants without regard to race, color, religion, age, national origin, ancestry, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, veteran status, disability, genetic information, or membership in any other group protected by federal, state, or local law.
If you need assistance or accommodation due to a disability, you may contact us at [email protected]
Lendistry does not accept unsolicited resumes from recruiters, employment agencies, or staffing firms. To conduct business with Lendistry, a Master Services Agreement (MSA) must be executed and confirmed prior to submitting any information relating to a potential candidate. Without a signed MSA, Lendistry shall not be responsible to any individual or entity for any payment relating to any form of fee or compensation.
And, in the event that a resume or candidate is submitted by a recruiter, an employment agency, or a staffing firm without a fully executed MSA, Lendistry has the unrestricted right to pursue and hire any of those candidate(s) without any legal or financial responsibility to the recruiter, agency, and/or firm.
A Day in the Life
The Data Privacy Manager will lead the enterprise privacy program across our lending platform and subsidiary entities. This is a senior leadership role reporting to the Chief Information Security Officer, with direct escalation authority to the General Counsel, the Chief Compliance Officer, the CEO, and the Board on any matter where independent privacy judgment is required.
The DPO's authority is designed to be independent in substance even where it sits administratively within the CISO organization. You will have the documented right to raise, escalate, and — where appropriate — publicly dissent on any privacy matter without requiring CISO concurrence, and your performance will be assessed in part on the credibility and independence of your privacy judgments.
You will own Lendistry's privacy strategy, policy, and operations end to end — from regulatory obligations under CCPA/CPRA, GLBA, SBA program requirements, state lending and consumer finance law, and evolving state privacy statutes, through day-to-day privacy operations, data subject rights handling, vendor privacy diligence, privacy-by-design embedded in product development, and privacy oversight of Lendistry's AI-driven lending systems.
You will partner closely with the CISO and Security Engineering, Legal, Compliance, Product, Engineering, the AI team, and every business unit that handles borrower or employee personal information. You are the voice of privacy inside Lendistry — and, when required, the voice of Lendistry on privacy matters to regulators, banking partners, auditors, and the public.
Lendistry: Who We Are
We’re proud to be the nation’s largest minority-led, tech-savvy lender for small businesses and commercial real estate. As a certified Community Development Financial Institution (CDFI) and Community Development Entity (CDE), our mission is all about creating economic opportunities and fueling growth for small business owners and their communities. Join us as we pave the way with innovative financing and financial education!
What You’ll Be Doing
You will own and evolve the privacy program end to end, including:
- The Lendistry privacy policy and notice framework — consumer, borrower, employee, and partner-facing, kept current across every jurisdiction we operate in.
- The data inventory and records of processing activity — a single, credible view of what personal data we hold, for what purpose, and under what controls.
- The data subject rights operation — intake, verification, fulfillment, reporting — meeting every statutory timeline with defensible documentation.
- The PIA / DPIA process — especially for AI-driven decisioning and new product launches.
- The vendor privacy diligence program — defensible, documented, and aligned with the GRC vendor risk function.
- The privacy incident response playbook — integrated with the CISO's security incident process and Legal's regulatory response process.
- The training and culture program — so privacy shows up in the daily decisions of every team, not just in policy documents.
Privacy Strategy & Program Ownership
- Own the enterprise privacy program — strategy, policy, governance, and operations — across Lendistry and all subsidiary entities, including Home Loans, Insurance, and any future business lines.
- Serve as the named Data Privacy Officer and Lendistry's accountable point of contact for privacy matters with regulators, banking partners, capital-markets counterparties, auditors, and consumers.
- Operate with documented independence — including direct escalation to the General Counsel, the CEO, and the Board on any matter where independent privacy judgment is required, regardless of the administrative reporting line to the CISO.
- Report regularly to the Board and executive leadership on privacy posture, material risks, regulatory developments, incidents, and program maturity — including, where appropriate, reporting that is not filtered through the CISO organization.
- Set the privacy roadmap — annual program priorities, investment requests, and measurable objectives tied to business and regulatory risk.
Regulatory Compliance & Policy
- Own CCPA/CPRA compliance end to end — privacy notices, consumer rights handling, opt-out mechanisms, sensitive personal information controls, contractual requirements with service providers, and regulatory reporting to the California Privacy Protection Agency.
- Own GLBA privacy and Safeguards compliance in coordination with the CISO — financial privacy notices, opt-outs, information-sharing limits, and the safeguards rule intersection with SOC 2 and state lending obligations.
- Maintain compliance with the growing patchwork of state privacy laws — Virginia, Colorado, Texas, and others — and operationalize a scalable approach rather than chasing each statute individually.
- Support SBA, state lending, and banking-partner privacy obligations — data handling clauses, notice requirements, consumer protection overlaps, and privacy-relevant examination responses.
- Prepare for GDPR and international readiness as Lendistry's footprint evolves — including any India-based operations — so we have a credible path if the business expands.
- Monitor the regulatory horizon and translate enforcement trends, new statutes, and rulemakings into concrete program updates before they become fire drills.
Privacy Operations
- Run the data subject rights program — intake, identity verification, response, appeal handling, and metrics — meeting statutory timelines with defensible documentation.
- Maintain the data inventory and records of processing activity — what personal data Lendistry collects, from whom, for what purpose, where it lives, who it is shared with, and how long it is retained.
- Own privacy notices — borrower-facing, employee-facing, and partner-facing — including the annual refresh and change-management process.
- Run the Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) process for new products, features, vendors, and data uses — with particular rigor around AI-driven decisioning.
- Lead privacy incident response — triage, scoping, regulatory notification decisions, consumer notification, and post-incident program improvements — in partnership with the CISO and Legal.
Privacy by Design & AI Privacy
- Embed privacy by design in the product development lifecycle — reviewing new features, data flows, retention changes, and vendor integrations before they ship.
- Partner with the AI team — the VP of AI & Organizational Intelligence and the Senior Staff Engineer, AI — to set privacy guardrails on Lendistry's AI systems, including data minimization, PII redaction before inference, model training data governance, and consumer disclosure for automated decisioning.
- Contribute to Lendistry's responsible AI posture alongside Legal, Compliance, Security, and the AI team — particularly around fair lending, consumer disclosures for AI-driven decisions, and alignment with the NIST AI Risk Management Framework and emerging AI privacy regulation.
Vendor & Third-Party Privacy
- Own privacy due diligence for new vendors, data processors, and service providers — including contract review, data processing addenda, cross-border transfer mechanisms where relevant, and ongoing monitoring.
- Maintain the vendor data map in partnership with GRC — who receives Lendistry personal data, for what purpose, under what contractual protections, and with what track record.
- Review SOC 2 reports, privacy attestations, and breach histories of vendors handling borrower or employee data.
Training \& Culture
- Own privacy training — role-based training for engineering, credit, servicing, marketing, and customer-facing teams, plus executive and Board-level education.
- Build a privacy-aware culture — one where the right answer to a data question is a conversation rather than a workaround.
- Serve as a credible, accessible partner to every business unit that handles personal information.
AI-Assisted Work Practice
Lendistry expects its privacy leadership to be among the most thoughtful users of AI tools in the company — both as a productivity multiplier and as a matter of professional credibility.
- Use AI tools effectively — Claude, Copilot, or equivalents — for policy drafting, regulatory analysis, privacy impact assessment support, and summarization of long regulatory documents.
- Bring expert judgment about when AI output is trustworthy and when it is not, particularly for privacy analyses that may be read by regulators, auditors, or plaintiffs.
- Model responsible AI use for the organization — and help shape the policies, training, and controls that govern it.
Your Areas of Knowledge and Expertise
Essential Competencies
- Integrity. The role is only credible if your advice is.
- Regulatory judgment. Reads the law, reads the enforcement pattern, and reads the business — then makes a defensible call.
- Program leadership. Builds durable processes, not one-off heroics.
- Communication. Explains privacy in plain language to every audience — engineers, executives, regulators, and consumers.
- Collaboration. Partners effectively with Legal, the CISO, Product, Engineering, and the AI team — and is comfortable disagreeing respectfully when necessary.
- Composure. The incidents and examinations that define this role rarely arrive on schedule. Steady judgment under pressure is the job.
Core Experience
- 5+ years in privacy, data protection, privacy law, or a closely adjacent field, with a clear pattern of growing program ownership and regulatory accountability.
- Experience serving as a Data Privacy Officer, Chief Privacy Officer, Privacy Counsel, or Head of Privacy at a financial-services, fintech, healthcare, or consumer-technology company.
- Deep working knowledge of CCPA/CPRA — consumer rights, sensitive personal information, service provider vs. third-party distinctions, opt-out signals, and California Privacy Protection Agency enforcement expectations.
- Deep working knowledge of GLBA — Privacy Rule and Safeguards Rule — and how GLBA interacts with state privacy laws for financial institutions.
- Working knowledge of the broader U.S. state privacy landscape — Virginia, Colorado, Texas, and the pattern of state laws that continue to emerge.
- Familiarity with GDPR and international data transfer mechanisms, sufficient to prepare Lendistry for future expansion.
Program & Operations Skills
- Proven track record building or scaling a privacy program — data inventory, PIAs/DPIAs, consumer rights handling, privacy notices, vendor diligence, training, and incident response.
- Hands-on experience with privacy and GRC tooling — OneTrust, TrustArc, Transcend, Osano, Securiti, or equivalent — for data subject rights, consent management, and data mapping.
- Experience leading privacy incident response — including regulatory notification decisions under multi-state breach laws and GLBA.
- Experience embedding privacy into product development — reviewing features, data flows, and vendor integrations at the point of design rather than at launch.
- Experience overseeing privacy for AI or automated decisioning systems — data minimization, training data governance, consumer disclosure, and fair lending intersections.
Leadership \& Communication
- Board- and executive-level communication skills — the ability to explain privacy risk and regulatory exposure to non-specialists and to argue for investment when needed.
- Credibility with regulators and external examiners — and the composure to be the named voice of Lendistry on privacy matters.
- Collaborative leadership style — privacy is most effective when product, engineering, credit, and marketing partners see you as an enabler, not a gate.
- Sound judgment under uncertainty — privacy law moves faster than rulebooks do, and you need to be comfortable making defensible calls on incomplete information.
Preferred Qualifications
- Privacy certifications — CIPP/US, CIPP/E, CIPM, CIPT, or FIP.
- J.D. and active bar membership, or equivalent regulatory credential.
- Experience in SBA lending, CDFI operations, or other federally regulated financial institutions.
- Experience with state lending examinations, CFPB matters, or other consumer-protection regulator engagement.
- Experience with the NIST Privacy Framework and the NIST AI Risk Management Framework.
- Experience building privacy programs across multiple legal entities or operating subsidiaries.
- Experience with cross-border operations (e.g., India-based technology or services functions).
Why You'll Love Working Here
- Comprehensive Medical, Dental, and Vision Insurance
- Generous Paid Time Off
- Birthday Day Off
- 12 Paid Company Holidays
- 401(k) Match
- FSA and HSA
- Paid Life Insurance
- Paid Disability Insurance
- Pet Insurance
- Employee Assistance Program (EAP)
- Professional Development Courses
- In Office Provided Snacks and Drinks
- Gym Facilities (LA & Tustin/CEC Offices)
- In Office Engagement Activities
Compensation Range
The US base salary range for this full-time position is $118,500 - $185,000 annually.
Our salary ranges are determined by role, level, and location.
The range displayed on each job posting reflects the minimum and maximum base salary for new hires for the position across all US locations. Within the range, individual pay is determined by multiple factors like job-related skills, experience, and state of residence. Your recruiter can share more about the specific salary range during the interview process.
Please note that the compensation details listed in US role postings reflect the base salary only, and do not include any variable compensation elements.
Physical Requirements
This is a stationary position that requires frequent sitting (approximately 95%), repetitive wrist motions, grasping, speaking, listening, close vision, and the ability to adjust focus. It also may require occasional standing, lifting, carrying of 20lbs or less, walking, kneeling, bending/stooping, twisting, pulling/pushing, and reaching above the shoulder. Employees in this position must be physically able to efficiently perform the essential functions of the position.
ACKNOWLEDGEMENT
B.S.D. Capital, Inc. dba Lendistry is an equal employment opportunity employer committed to providing its employees, applicants and other covered persons with equal opportunities without regard to race, color, age (40 or older), religious creed (including religious belief, practice or dress and grooming practices), national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender (including pregnancy, childbirth or medical condition related to pregnancy or childbirth), gender expression, gender identity, sexual orientation, military or veteran status (including past, current or prospective service), or any other characteristic protected under applicable federal, state or local law.