Manager, Privacy & Compliance

Job Title: Manager, Privacy & Compliance

Reports To: Head of Compliance and Enterprise Risk

Location: Preference will be given to Calgary based applicants; but open to remote workers, based in Canada.

About the Job:

atVenu's Compliance & Risk team is seeking an experienced privacy professional to lead and mature our privacy function. As a live event commerce platform handling transaction data for venues, promoters, artists, and fans across North America and expanding in Europe, we operate at the intersection of B2B SaaS and payments. Privacy isn't an afterthought; its core to how we build and operate.

This is a high-impact individual contributor role with real ownership. You'll be atVenu's only dedicated privacy resource, working across Legal, Engineering, Product, and Operations to ensure we're meeting our obligations under GDPR, CCPA/CPRA, PIPEDA, and other applicable frameworks. 

This is a hands-on role. You'll be expected to draft policies, oversee cookie consent configurations, review contracts, engage with product teams during development, and manage DSARs (low volume), while also thinking strategically about where the program needs to go. It requires someone with the technical depth to understand what privacy compliance really means in a SaaS/payments context, and the experience to execute in collaboration with the business.

What You’ll Do:

• Lead the day-to-day operation and continued development of atVenu’s privacy compliance program, including maintaining privacy policies, and internal standards.
• Champion privacy requirements across new business initiatives from concept through to operation, managing cross-functional stakeholder engagement to ensure privacy considerations are identified early and carried through to implementation.
• Conduct and manage Data Protection Impact Assessments (DPIAs) for new products, features, integrations, and third-party service providers.
• Serve as the company’s subject matter expert on GDPR, CCPA/CPRA, PIPEDA, and emerging privacy regulations, providing practical, risk-based guidance to business and technical teams.
• Partner with Legal to review and negotiate data processing agreements (DPAs), vendor contracts, and other agreements with privacy implications.
• Manage and maintain atVenu’s OneTrust Cookie Consent implementation, ensuring it reflects current data flows and regulatory requirements.
• Review customer agreements and data-related contractual obligations to identify permitted and restricted uses of customer data, and work with Legal and Operations to ensure those obligations are understood and operationalized across the business.
• Monitor ongoing data practices to ensure customer data is being used in a manner consistent with contractual commitments, flagging and remediating gaps where they arise.
• Work with Engineering and Product teams to embed privacy-by-design principles into the development lifecycle.
• Manage and respond to data subject access requests (DSARs) and privacy inquiries in a timely and compliant manner.
• Lead the privacy workstream during incidents including conducting privacy impact assessments, managing regulatory notifications, and coordinating communication with affected individuals where required.
• Assess the privacy implications of AI and machine learning systems at every stage, from evaluating third-party tools before adoption, to reviewing internally developed models from design through deployment, ensuring data use is lawful, transparent, and aligned with regulatory and contractual expectations.
• Monitor the evolving regulatory landscape and assess the impact of new or amended privacy laws on atVenu’s operations.
• Cultivate a lasting privacy-aware culture by designing and delivering training, creating practical guidance, and serving as a trusted resource for teams navigating privacy questions in their work.

What You’ll Bring:

• 8+ years of hands-on privacy compliance experience, ideally in a B2B SaaS, fintech, or a payments environment.
• Deep, practical knowledge of GDPR, CCPA/CPRA, and PIPEDA, including how these frameworks apply to transaction data and third-party data sharing.
• Proven experience conducting DPIAs and translating their findings into actionable risk mitigations.
• Experience reviewing and negotiating data processing agreements and vendor contracts with privacy implications to ensure standards are being met.
• Strong project management skills, with a demonstrated ability to own a program, set priorities, and drive initiatives to completion without heavy supervision.
• Experience assessing the privacy and compliance risks of AI and machine learning systems, including evaluating third-party AI tools and contributing to internal governance frameworks.
• Familiarity with information security principles and how privacy and security controls intersect (e.g., access management, data minimization, retention, incident response).
• Experience reviewing commercial contracts or data agreements with an eye toward data use restrictions and obligations, and translating those requirements into practical operational guidance.
• Excellent communication skills and the ability to translate complex regulatory requirements into clear, practical guidance for technical and non-technical stakeholders alike.
• Comfortable operating in a lean, fast-moving organization where processes are still maturing and ambiguity is part of the job.
• A pragmatic and collaborative approach that balances rigour with business reality, and the ability to drive outcomes through influence rather than direct authority.

Nice to Have:

• IAPP certification (CIPP/E, CIPP/C, CIPP/US, CIPM, or CIPT).
• Experience with OneTrust (specifically Cookie Consent).
• Experience managing privacy controls in a GRC platform like Vanta.
• Experience supporting external audits and responding to customer assurance requests related to privacy and data protection.
• Exposure to regulatory compliance programs beyond privacy (e.g., SOC 2, PCI-DSS, ISO 27001, ISO 42001).