Regional Data Privacy Lead

As a Regional Data Privacy Manager in the Controlling function, you are responsible for managing privacy compliance within all countries of Region Americas (United States, Canada, Mexico, Colombia, Ecuador). In this role, you will work closely with H&M Group’s global data privacy community, ensuring alignment and collaboration across regions. This hybrid role reports into our Regional Legal and Corporate Governance Manager and is based out of New York, NY.

Working at H&M means no two days are ever the same, but a typical day will include the following responsibilities:

• Lead privacy governance for Region Americas, ensuring compliance with local laws while aligning with H&M Group’s global data privacy standards in both the Customer and Employees areas.
• Act as primary regional point of contact for global stakeholders on Data Privacy matters.
• Stay updated on local regulatory developments and translate the global standards into regional ones when necessary.
• Advise on and implement changes across business functions and brands in accordance with new privacy legislation and global privacy standards.
• Create, implement, and uphold Regional Privacy Guidelines based on the global standards and local legislation, applying a risk-based and pragmatic mindset.
• Oversee key compliance areas such as Privacy Policy/Notice Development, Regulatory Response, Consent Management, Cookie and Tracking Technology Compliance, and Data Subject Rights Management.
• Collaborate with Group DPO and the global privacy community and oversee outside counsel to interpret the law and assess business application, scope, and risks.

• Establish regional understanding and commitment to global privacy principles, adapting them to local context.
• Conduct privacy monitoring and testing across all brands and markets in both the Customer and Employee areas.
• Drive awareness and training initiatives in line with global programs, ensuring regional relevance.

• Offer hands‑on support and guidance to regional and local stakeholders in each function on new and changing processes, tools, and initiatives that collect or use personal data.
• Identify Personal Data needs in future business plans and initiatives – take actions to support, guide, and help navigate to do right while reaching business targets.
• Empower local teams to carry out and monitor ongoing Data Privacy mandates and responsibilities.

• Oversee regional privacy risk management, including risk identification and assessment process following the global risk framework.
• Identify potential gaps and be the owner of the risk‑based action plan including recurring reviews as well as follow‑up, decision making, and hands‑on support.
• Create and implement data retention & deletion policies and standard operating procedures.
• Report status, risks, and plans to regional and global key stakeholders such as the Group Data Protection Officer.
• Oversee and advise on third‑party management, ensuring new vendors and/or service providers comply with applicable privacy and employment laws, revise and implement contractual privacy safeguards to align with company and industry data privacy compliance standards.
• Lead regional data breach strategy and response in cooperation with global Customer Service and Business Tech teams, ensuring compliance with local breach notification laws.

• Efficient way of working and decision making. Active member of H&M’s global data privacy community, collaborating with the Group DPO and peers worldwide to share best practices and drive global standards.
• Instruct teams on privacy technical safeguards and “privacy by design” principles to be incorporated into new and/or improved tools, systems, and platforms.
• Ensure well working processes and tools to be and stay compliant within the region including handing data subject’s rights as well as supporting working efficiently – using our group common processes and tools if possible, or with local adaptations if needed.

• Be the “go‑to” person internally (within H&M Group) for knowledge about regional privacy framework/requirements and for regional/country…