Senior Counsel (Privacy & AI)

Oyster

Software Engineering, Legal, Data Science
Spain
Posted on Mar 28, 2026

👩‍💻 The Role

Location: While this position is posted in a specific location, all of Oyster’s positions are fully remote and you can work from home. Forever. To create the best experience for our new hire, this role requires you to be based in Europe +1 / +2 UTC time zone.

Oyster is on a mission to create a more equal world by enabling companies to hire anyone, anywhere. As Privacy & AI Counsel on our Trust & Technology team, you will be a key subject-matter expert for global privacy, data governance, and AI compliance. Reporting to the Director & Senior Managing Counsel, you’ll lead strategic initiatives that shape Oyster’s privacy program, operationalize the EU AI Act and adjacent frameworks, and embed privacy‑by‑design and responsible AI practices across Product, Engineering, IT/Security, People, and Commercial teams.

This role is ideal for a pragmatic, business‑first lawyer who can turn complex legal requirements into clear guidance, frameworks, and tooling that scale in a high‑growth, fully‑distributed environment.

Key Responsibilities

Data Protection Leadership & Strategy

  • Drive Oyster’s global privacy program and AI roadmaps and metrics with a focus on business objectives, risk appetite, and trust commitments.
  • Serve as counsel for EU data protection regulations, including international transfers (SCCs, TIAs, DPF where applicable), records of processing (ROPA), retention, and data governance.
  • Support the company‑wide strategy for AI governance (EU AI Act readiness, model/system classification, risk management, data/records obligations, provider/deployer duties, transparency and human oversight).
  • Partner with leadership on executive‑level and customer‑facing trust narratives; prepare briefings and documentation for team leads, execs, and auditors.

Product & Engineering (Privacy‑by‑Design + Responsible AI)

  • Advise on new and existing products/workflows (including automation and ML features): run DPIAs/PIAs, AI impact assessments, dataset and data‑minimization reviews, and human‑in‑the‑loop/appeal mechanisms.
  • Translate requirements into actionable controls (requirements, checklists, guardrails, redlines) and integrate with issue trackers and engineering workflows.
  • Define model/data governance requirements: data sourcing, annotation, retention/deletion, access controls, evaluation, monitoring, and incident/rollback plans.

Commercial & Vendor

  • Draft/maintain DPAs, SCCs, and AI‑related contractual clauses; negotiate high‑impact privacy and AI terms with customers and vendors.
  • Partner with procurement and security teams on third-party due diligence, transfer impact assessments, and ongoing assurance.

Operations & Enablement

  • Lead operational processes: ROPA, DSARs, consent/cookie governance, marketing/privacy for growth initiatives, retention schedules, and access controls.
  • Stand up and iterate playbooks, templates, risk matrices, training, and documentation for async scale.
  • Coach and mentor teammates (Legal, IT/Sec, Product, Data), upleveling privacy and AI literacy across Oyster.

Incidents & Regulatory

  • Co‑lead incident response for privacy/AI‑related events (breach assessment, notification, regulator/stakeholder comms, lessons learned).
  • Engage with EU regulators as needed, external counsel, and customer privacy auditors.

Tooling & Data Visibility

  • Partner with Security/Engineering to leverage privacy tooling (e.g., code/data‑flow discovery, scanning, and inventory), and CLM systems to scale contracting and compliance.

Minimum Requirements

  • Juris Doctorate or equivalent law degree and at least 7 years of experience advising on EU data regulations as a fully licensed practicing attorney.
  • Deep expertise in EU data protection regimes; hands‑on leadership of DPIAs, TIAs, ROPAs, retention, DSARs, vendor governance, and incident response.
  • Demonstrated experience operationalizing AI governance (e.g. EU AI Act readiness), including system classification, risk management, transparency/UX notices, human oversight, and documentation.
  • Proven ability to build and scale playbooks, templates, and processes (privacy and AI) that measurably improve speed, quality, and risk posture.
  • Commercial acumen with strong negotiation skills on privacy/AI terms, SCCs, data rights, and risk‑balancing positions.
  • Strong attention to detail with clear, effective communication across technical and non-technical teams.
  • Demonstrated ability to communicate clearly and effectively in asynchronous environments, using written updates and documentation to collaborate across time zones with distributed teams.
  • Able to work independently, exercising sound judgment in a fast-paced environment.
  • Comfortable adapting to shifting priorities in high-output settings.
  • Collaborative and dependable team contributor with a pragmatic, problem-solving mindset.

Bonus

  • Prior experience with HR/employment data, payroll/benefits, and global EOR contexts.
  • Experience building and using agentic workflows.
  • Experience engaging with customer privacy and AI assessments.
  • Experience with tools such as Notion and Asana.
  • Familiarity with privacy and CLM tools (e.g., Ketch, SpotDraft, Privado).
  • Certifications (CIPP/E, CIPM, CIPT, AIGP).
  • SOC2 or ISO experience.

You'll also need

  • A reliable home internet connection (or be able to get one).
  • Excellent written and verbal communication in English.
  • Comfort working across time zones; occasional overlap with Americas.