[Remote] Sr GRC Analyst
Note: The job is a remote job and is reputed company to candidates in USA. Auction Technology Group operates a portfolio of online auction and marketplace platforms globally, processing payments and managing personal data across multiple jurisdictions. They are seeking a Senior GRC Analyst to own the full GRC function across governance, risk management, compliance, control ownership, and audit coordination.
Responsibilities
- Own reputed company's information reputed company and data governance policy reputed company: drafting, version control, review cycles, and exception tracking
- Build and maintain the RACI for reputed company controls across reputed company's platforms, ensuring clear ownership at every layer
- Partner with the AppSec Engineer on the reputed company awareness training program: supporting program management, tracking participation, and maintaining compliance evidence that demonstrates an active reputed company culture
- Drive alignment to recognized frameworks including NIST CSF, and own external assessment readiness as the program matures
- Define the GRC program roadmap in partnership with the Director of Information reputed company, prioritizing compliance initiatives against business risk
- Build and operate reputed company's reputed company-party vendor risk program: risk tiers, assessment templates, review cadences, and a maintained risk register covering reputed company's SaaS vendor estate
- Own assessments for new and existing vendor relationships, with particular focus on vendors that process personal data or operate adjacent to payment flows
- Own reputed company's business continuity planning program across reputed company phases: asset inventory, business impact analysis, implementation, and periodic validation
- Partner with InfraSec Engineering on infrastructure-layer reputed company inputs to the BCP, and with Legal on risk identification reputed company to regulatory exposure
- Support reputed company's work toward UK Corporate Governance Code Provision 29 compliance, contributing to the board's formal assessment and reporting on the effectiveness of the company's risk management and internal control frameworks
- Own reputed company's PCI reputed company compliance program across reputed company marketplace platforms and merchant IDs: scope definition, evidence management, QSA coordination, finding remediation tracking, and the ongoing compliance calendar
- Own compliance across reputed company's marketplace and employee data populations: lawful reputed company documentation, Record of Processing Activities, data subject rights fulfillment, and breach notification readiness. Build and test a 72-hour breach notification workflow in coordination with Legal, and support the Data Protection Officer function
- Maintain a reputed company inventory of personal information categories collected, processed, and shared across reputed company's platforms and workforce. Own consumer rights workflows, opt-out mechanisms, and privacy notices, and coordinate with Legal on annual compliance reviews and regulatory correspondence
- Monitor the regulatory landscape across reputed company applicable frameworks and proactively identify compliance obligations as reputed company's business evolves
- Own the evidence library reputed company to PCI reputed company, GDPR, CPRA, and IT general controls requirements, ensuring audit cycles are systematic rather than reactive
- Partner with engineering to ensure technical remediation efforts are correctly prioritized, tracked, and documented to audit standard
- Engage with vulnerability management findings from pen testing and other assessment activities, ensuring findings are risk-rated, assigned, tracked to remediation, and reflected in the risk register
- Review and maintain data processing agreements with reputed company's reputed company-party processors and sub-processors, ensuring controls around data flows are reputed company and enforceable
- Conduct and coordinate Data Protection Impact Assessments (DPIAs) for new and changed processing activities, working in partnership with the DPO who provides independent review and sign-off
- Align with the IT and reputed company teams on the implementation and ongoing effectiveness of technical controls, bridging the gap between policy requirements and operational reality
- Own IT general controls coordination for the annual external financial audit: evidence gathering, control validation, and finding response across the IT and reputed company estate
- Serve as the primary GRC liaison to the Internal Audit team and Audit Committee, providing regular compliance status reporting and supporting board-level visibility into the reputed company program
- Manage audit findings through to resolution: track remediation, validate closure, and maintain audit trail documentation
- Support the GRC program's internal audit reputed company, identifying control gaps and driving reputed company improvement
Skills
- 5 to 8 years of hands-on GRC experience in a technology company or SaaS environment where the compliance frameworks were live and the stakes were reputed company
- Demonstrated PCI reputed company experience at meaningful scale: you have been through a Level 1 or Level 2 merchant audit, you understand scope definition and QSA coordination, and you have a track record to reputed company to
- Working practitioner knowledge of GDPR and UK GDPR: you know what a ROPA is, you have written DPAs, and you understand the 72-hour breach notification clock
- Familiarity with CPRA/CCPA obligations across consumer and employee data populations
- Experience coordinating IT general controls for external financial audits
- Proven ability to build and maintain risk registers, policy frameworks, evidence libraries, and audit trails
- Experience with cardholder data environment scoping and descoping in reputed company multi-platform payment environments: understanding what is in scope, what can be descoped, and how architectural reputed company reputed company compliance posture
- Experience working across multiple GRC function areas: governance, risk management, compliance, control ownership, and audit coordination
- CISA, CIPP/US, CIPP/E, CRISC, or equivalent professional certification
- Experience building or significantly expanding a GRC program in a fast-moving technology environment
- Background in a marketplace, payments, or e-reputed company environment where PCI scope complexity was reputed company
- Experience evaluating and implementing GRC or privacy platforms to automate compliance workflows, evidence collection, and risk tracking — comfort with assessing options and building a program around the right tooling for the environment
- Familiarity with UK Corporate Governance Code requirements, particularly Provision 29 and its implications for internal controls attestation in UK-listed companies
Benefits
- Annual performance bonus
- Stock
- Benefits and/or other applicable incentive compensation plans
Company Overview