Senior Compliance Officer (Part-time/Contract)
Join our Berlin Team
This position has been paused for the moment.
Our product Small Improvements helps employees at Marley Spoon, GetYourGuide, SoundCloud, DISQUS and Twitch give and receive feedback about their work so they can improve and achieve their goals. We’ve signed up 750 clients in 35 countries mainly by word-of-mouth and we’re growing.
Who we are
We’re a small company with very sophisticated challenges. We work with demanding international clients who store very sensitive data in our systems, and we need to live up to EU GDPR and US legal expectations alike. So far we’ve shared the work between the CEO, Product, Development, and Sales, but we’d like to streamline these processes. If we were 100 people rather than the current 32, we’d hire a CIO. At our size we don’t have enough work for a full-time position, but the challenges are basically the same. So we’re looking for a part-time/contract Compliance Officer to help us navigate legal, compliance, security and data protection challenges and to ensure our customers are happy, their data is safe, and our employees can keep their sanity.
We anticipate that the work will average around 8 to 12 hours per week, with some spikes and some quiet periods. This could be a great position for someone who aspires to become a CIO in the longer term, or for someone who has seen it all and wants to reduce their working hours for a while.
What you’ll do
- Own our systems overview, track and manage what data is used where, and ensure need-to-know level access to data
- Ensure we have an adequate set of compliance mechanisms in place and update them continuously
- Come up with and publish pragmatic policies externally and internally (we publish public samples)
- Communicate with vendors to set up DPAs and contracts
- Communicate with customers who want to adjust DPAs or contracts or make changes to our ToS
- Work with our external data protection officer, with our US law attorney, with the product team and sales alike
- Find our blind spots and fix them!
- You’re a self-starter who loves to come up with pragmatic proposals
- You enjoy working with people, and rally them for support – a policy nobody understands won’t be followed after all
- You’re decisive and own the outcomes: You’ll be happy to give a definite answer to a customer, or to take a new policy live
- You’re happy to admit when you don’t know something, and will learn new things day in day out
- You’re the first one to call bullshit on complicated enterprisey processes that just increase complexity
- You’re highly organized, you can break down large projects into smaller chunks, and you document diligently
- You have at least three years of experience in demanding international startups in compliance/legal positions. Further experience in mid-sized companies is a huge plus
- You have led the setup of dozens of policies and plans, and know how to strike a pragmatic balance
- You’ve worked with CEOs, vendors and with customers alike, and know how to get buy-in
- You’re either a native English speaker, or very fluent and experienced. 90% of the work is in English.
- Huge bonus if you can read and write German well too.
More reasons to work at SI
- We’re international: We sell mainly to the US and to Australia, and all our written communication is in English.
- We’re self-funded — our only “investors” are customers and our base is growing!
- We frequently ship new features and focus on quality product rather than on aggressive sales.
- There are very few regular meetings, and processes are kept to a bare minimum. Need to improve some process? Just do it!
- You’ll participate in our Hackathons and ShipIt weeks, and you’re welcome to contribute to our product blog and to our tech blog.
- Our office near Hackescher Markt is stylish yet cozy, and it has plenty of doors to keep distractions to a minimum.
- There are free snacks, fresh fruit, juices, tea and lemonades, you can make your own lattes with our amazing coffee machine, and we never run out of Club Mate.
- We care about our employees’ happiness. Check out what they say about working here.
And we love to travel! Check out our recent company trip.
Don’t waste time polishing your CV; your LinkedIn profile will be entirely sufficient. A personal cover letter, on the other hand, is very important to us, and so is attention to detail. We’d like to know what specifically attracts you to the role and how you will contribute. Please also tell us about one or two challenging projects you have worked on and how they might relate to our work. No need to write a novel; brief and casual is definitely preferred.
Do the self-test!
Our challenges are not for everyone. As an example, here are some of the questions customers send us. If you get excited about not only answering “yes” or “no”, but feel the itch to ask for clarification and to create some of the policies in question, so you can send them back to customers and get staff excited about them too, then we should talk!
- Are regulated and/or other types of confidential data ever stored on non-company managed PC(s) and/or other types of mobile devices?
- Do you have an inventory of all your DPAs with your vendors?
- Do you have a documented Access Control and Authorization policy?
- Is there a Data Classification and Handling policy in place?
- Do you have a documented Security Incident Reporting and Management policy in place?
- If you have a data breach how will you report it to your customers to meet the requirements of GDPR?
- Is there a Business Continuity policy and program in place?
- Is there a process for communicating privacy policies and related procedures to all employees that handle or have access to Personal Data?
- How will data subjects exercise their rights to restrict and/or object to the processing of their personal data?
And as another example, consider whether you’d accept, reject or modify these two contract paragraphs (translated from the German DPA template a customer sent us):
- The data security measures may be adapted in line with technical and organisational developments, as long as the level of protection agreed here is not undercut. The contractor (processor) must implement without delay any changes required to maintain information security. Changes must be communicated to the client (controller) without delay. Material changes must be agreed between the parties.
- The contractor (processor) is obliged to regularly demonstrate fulfilment of its obligations, in particular the complete implementation of the agreed technical and organisational measures and their effectiveness. This evidence must be provided to the client (controller) unprompted at least every 12 months, and otherwise at any time on request. The evidence may also be furnished by means of approved codes of conduct or an approved certification procedure pursuant to Art. 40 and 42 EU GDPR.
Naturally we don’t expect you to have seen everything already, but the more you know and have experienced, the better. You can send us your application here. We look forward to hearing from you!