We are seeking a GRC Consultant specialising in GDPR and HIPAA to build compliant governance frameworks for our healthcare AI platform.

This role establishes and maintains compliance infrastructure for DezCareAI across multiple regulated markets. You will implement governance controls, conduct risk assessments, and ensure our AI systems meet GDPR, HIPAA, and PDPA requirements while enabling rapid product iteration.

Remote or hybrid.

Entire organisation meets weekly on Tuesdays 9pm-10pm Singapore which you must be able to attend.

Key Responsibilities

• Multi-jurisdiction compliance framework
  • Design and implement compliance programs for GDPR (EU), HIPAA (US healthcare standards), and PDPA (Singapore).
  • Establish policies, procedures, and controls for cross-border patient data handling.
  • Maintain compliance documentation, records of processing activities (ROPA), and data flow mappings.
  • Conduct gap assessments against regulatory requirements and industry standards.
• Healthcare data governance
  • Define data classification schemes, retention policies, and handling procedures for PHI and PII.
  • Implement consent management frameworks and patient rights fulfillment processes (access, rectification, erasure, portability).
  • Establish Data Protection Impact Assessment (DPIA) processes for new AI features.
  • Ensure lawful basis documentation for all data processing activities.
• AI system compliance & risk
  • Assess regulatory implications of LLM-powered features handling sensitive health data.
  • Implement governance controls for AI model training, fine-tuning, and inference on patient data.
  • Establish transparency and explainability requirements for AI-driven decisions affecting care.
  • Monitor emerging AI regulations (EU AI Act, Singapore Model AI Governance Framework).
• Third-party risk management
  • Conduct vendor due diligence and security assessments for cloud providers, LLM APIs, and data processors.
  • Negotiate and review Data Processing Agreements (DPA) and Business Associate Agreements (BAA).
  • Maintain vendor risk registry and monitor ongoing compliance obligations.
  • Ensure subprocessor notifications and documentation meet GDPR Article 28 requirements.
• Audit, reporting & continuous monitoring
  • Prepare for and coordinate external audits (ISO 27001, SOC 2, HIPAA assessments).
  • Implement continuous compliance monitoring using automated tools and dashboards.
  • Report compliance metrics and risk indicators to leadership and stakeholders.
  • Manage incident response procedures for data breaches and regulatory notifications.
• Training & cross-functional collaboration
  • Deliver compliance training to engineering, product, and operations teams.
  • Provide practical guidance on privacy-by-design and compliance requirements during feature development.
  • Serve as compliance liaison for customer inquiries and regulatory interactions.
  • Document compliance procedures, runbooks, and decision frameworks.

Must-Have Experience

• Compliance expertise
  • 4+ years in GRC roles with direct GDPR and HIPAA implementation experience.
  • Deep knowledge of GDPR requirements (lawful basis, data subject rights, DPIAs, cross-border transfers).
  • Strong understanding of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
  • Experience with PDPA (Singapore) or ability to quickly master additional privacy frameworks.
• Healthcare & regulated environments
  • Hands-on experience implementing compliance programs in healthcare, digital health, or medical device companies.
  • Understanding of healthcare data flows, clinical workflows, and patient data sensitivity.
  • Knowledge of additional frameworks: ISO 27001, SOC 2, NIST, or similar.
• Risk assessment & documentation
  • Proven ability to conduct DPIAs, risk assessments, and gap analyses.
  • Strong documentation skills for policies, procedures, and compliance evidence.
  • Experience building Records of Processing Activities (ROPA) and data inventory systems.
• Cross-functional collaboration
  • Ability to translate regulatory requirements into practical engineering and product requirements.
  • Experience working with technical teams on compliance implementation.
  • Comfort navigating ambiguity in early-stage, fast-moving environments.

About You: