Data Protection Officer

St. Jude Children's Research Hospital
2 hours ago
Full-time
On-site
Tennessee, United States
$160,160 - $329,680 USD yearly
Data Protection
This role ensures St. Jude meets its obligations under HIPAA, GDPR and other relevant domestic and international laws. Collaborates closely with the Chief Privacy Officer (CPO) to coordinate enterprise-wide strategy, strengthen governance, align policies and standards, and manage risks across clinical care, research, global partnerships, and digital systems. Serves as the statutorily designated data protection authority with a regulatory-facing role for GDPR and other international requirements, while the Chief Privacy Officer leads U.S.-centric strategy—together ensuring comprehensive, unified oversight and risk management across St. Jude's operations.

This position may be eligible for remote work. However, St. Jude requires all remote employees to:

  • Travel to our Memphis campus for the interview process and/or orientation, if selected

  • Travel to Memphis to work on-site for one week per quarter, or as requested based on business needs, if hired

Job Responsibilities:

  • Co-develop and implement enterprise data protection governance in partnership with the CPO by aligning global regulatory requirements, maintaining policies and standards, monitoring compliance and emerging laws, overseeing risk and impact assessments, legally advising on data protection and cybersecurity matters, and supporting incident response and remediation while appropriately preserving attorney-client privilege.

  • Act as the independent liaison with GDPR and international regulators, partnering with the CPO on privacy-related incident response, regulatory reporting, and remediation, and supporting cross‑functional investigations, audits, and regulatory inquiries.

  • Collaborate with the CPO and Research Administration to ensure data protection compliance across clinical, genomic, and global research activities; advise IRB and research oversight bodies on lawful processing, consent, secondary use, and international data sharing; and jointly guide privacy‑by‑design for digital, AI/Machine Learning, clinical technology, and global data platform initiatives.

  • Work with the CPO, Procurement, and Information Security to review vendor obligations, including Business Associate Agreements (BAAs), Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), and international data transfer mechanisms.

  • Collaborate with the CPO to develop enterprise‑wide data protection training for clinical, research, administrative, and fundraising teams, and foster a shared culture of data stewardship across St. Jude.

  • Collaborate with the CPO to develop and harmonize enterprise policies and standards, while jointly tracking emerging legislation and recommending impacts, mitigation strategies, and institutional priorities.

  • Serve on key governance committees and collaborate closely with the CPO, Compliance, and Information Security to coordinate shared data governance activities, including classification, retention, access management, and incident response, while delivering data protection metrics, insights, and recommendations to executive leadership.

  • Execute complex contracts independently (e.g., agreement preparation and negotiation, deviation review).

  • Serve as the primary point of contact for one or more St. Jude departments.

  • Direct and guide resolution of complex legal services needs across internal teams.

  • Make informed recommendations about use of outside counsel.

  • Consistently manage outside counsel and related matter budgets as authorized by the Chief Legal Officer.

  • Provide mentoring opportunities for legal staff and serve as a resource for legal staff.

  • Actively drive processes for training and development, and engagement.

  • Develop and implement processes to improve the quality, efficacy, and cost-effectiveness of legal services.

  • Perform other duties as assigned to meet the goals and objectives of the department and institution.

  • Maintain regular and predictable attendance.

  • Consistently meet job expectations, adhere to policies, and deliver quality work while applying St. Jude values and principles. Managers evaluate employee performance throughout the year—specifically through the spring and fall Check‑In milestones and the Annual Performance Review. All employees are encouraged to actively participate in these performance management processes.


Minimum Education and/or Training:

  • A Doctorate of Jurisprudence (JD) degree required.


Minimum Experience:

  • 12+ years of experience in legal and regulatory compliance, with a minimum of five (5) years of experience in privacy, data protection, information governance, or related fields.

  • Demonstrated experience with HIPAA, GDPR, research, and cross-border data protection.

  • Experience in healthcare, academic medical centers, pharmaceuticals, biotechnology, or similarly regulated environments strongly preferred.

  • Experience building or supporting enterprise-wide programs preferred.


Licensure, Registration and/or Certification Required by Law:

  • Active license to practice law in at least one U.S. jurisdiction.

  • License to practice law in the State of Tennessee is required within nine (9) months from date of hire into the position. Registration as in-house counsel in lieu of a full license to practice is an option but must be obtained within six (6) months of date of hire into the position.


Licensure, Registration and/or Certification Required by SJCRH Only:

  • Certified Information Privacy Professional/Europe (CIPP/E) preferred

  • Certified Information Privacy Professional/United States (CIPP/US) preferred

  • Certified Information Privacy Manager (CIPM) preferred

  • Certified Information Privacy Technologist (CIPT) preferred

  • Certified in Healthcare Privacy Compliance (CHPC) preferred

  • Certified Healthcare Privacy (CHP) preferred

  • Certified Information Security Manager (CISM) preferred


Special Skills, Knowledge and Abilities:

  • Encourages a culture of customer centricity among peers and teams.

  • Understands nuances and complexities of a customer issue/requirement and goes beyond the task to think through new alternatives.

  • Anticipates and addresses critical customer needs through engagement with cross-functional stakeholders.

  • Drives and monitors clear goal setting, accountability, and feedback for the department (and matrixed teams). Manages ER issues as they arise.

  • Guides performance of direct reports (or indirect if managing people indirectly) through coaching and development.

  • Consistently evaluates and addresses the team’s overarching development, in line with the talent and St. Jude’s overall culture principles and values.

  • Establishes and drives legal research and analysis processes and approaches across specialized areas of law.

  • Guides teams in identification and investigation of relevant legal issues to support overall legal outcomes.

  • Consistently anticipates potential legal issues or client concerns and proactively addresses them.

  • Anticipates complex needs of business teams across areas of law and provides strategic legal/regulatory counsel using the right processes, tools, and frameworks.

  • Evaluates legal advisory processes/systems in light of external legal landscape and leads cross-functional projects/initiatives of strategic value.

  • Leads resolution of complex legal disputes/issues through claim evaluation and development of appropriate defense in collaboration with external counsel.

  • Models resourcefulness by reaching out to people within and outside functional groups to get work done effectively.

  • Keeps large teams/departments energized and focused on high-quality results by leveraging data/analytics-based approaches.

  • Builds systems, processes, and capabilities that can set and deliver a high-performance culture.

  • Shows strong skills in thinking critically with a systemic view.

  • Shows expertise in taking a structured approach to analyze and resolve issues.

  • Able to distinguish between different sets of issues, set priorities, and make decisions.

  • Can present/facilitate independently in senior-level meetings. Presents information as a structured story and anticipates questions well.

  • Addresses difficult questions and challenges effectively.

  • Able to effectively influence others using facts and logic.

  • Drives the establishment, evolution, and implementation of processes/approaches to optimize legal contracting outcomes across areas of law.

  • Monitors changing external landscapes across areas of law and proposes strategic actions to address implications on institutional contracting approaches.

  • Navigates strategic contract negotiations effectively showing advanced levels of emotional intelligence, situational awareness, and agility.

  • Extensive knowledge of global data protection regulations and healthcare frameworks.

  • Understanding of research data, clinical workflows, and health information management.

  • Technical knowledge of IT systems and data management.

  • Strong communication, collaboration, and influence skills, including working alongside a CPO.

  • Ability to manage multiple complex projects independently with precision and attention to detail.

  • Proven ability to handle confidential and sensitive information with discretion.

Compensation

In recognition of certain U.S. state and municipal pay transparency laws, St. Jude is including a reasonable estimate of the compensation range for this role. This is an estimate offered in good faith and a specific salary offer takes into account factors that are considered in making compensation decisions including but not limited to skill sets, experience and training, licensure and certifications, and other business and organizational needs. It is not typical for an individual to be hired at or near the top of the salary range and compensation decisions are dependent on the facts and circumstances of each case. A reasonable estimate of the current salary range is $160,160 - $329,680 per year for the role of Data Protection Officer.

No Search Firms

St. Jude Children's Research Hospital does not accept unsolicited assistance from search firms for employment opportunities. Please do not call or email. All resumes submitted by search firms to any employee or other representative at St. Jude via email, the internet or in any form and/or method without a valid written search agreement in place and approved by HR will result in no fee being paid in the event the candidate is hired by St. Jude.