We are looking for a mid-level Security GRC Analyst with a specialism in Privacy and AI Governance to join our Security Function. You will be joining an established team that spans Security GRC, Security Engineering, and Security Operations — a cohesive unit that works closely across disciplines to deliver a mature, business-aligned security programme. Reporting into the Head of Security GRC, you will own the day-to-day operation of our privacy and AI governance frameworks, bridging the gap between our engineering and product teams and the organisation’s compliance obligations. This is a high-visibility role for a structured, analytical professional who wants to shape how a fast-moving tech company approaches data privacy and responsible AI at scale.
Key Responsibilities
Privacy Framework Ownership | Support the ongoing implementation and continuous improvement of our Privacy Information Management System (PIMS) aligned to ISO 27701. Maintain Records of Processing Activities (RoPA), data flow maps, and consent registers, ensuring compliance with GDPR, UK GDPR, and applicable regional data protection regulations.
AI Governance | Support the operational maintenance of our AI governance programme under ISO 42001. Facilitate AI impact assessments across product and engineering initiatives, identifying bias, explainability, and transparency risks. Maintain the AI systems register and escalate findings to relevant stakeholders.
GRC Documentation & Tooling | Collaborate with the team to maintain a clean, audit-ready repository of GRC artefacts within our GRC platform (e.g. ServiceNow, Drata, or equivalent). Enforce version control discipline across policies, standards, and procedures. Support evidence collection for ISO 27001, SOC 2, and internal audits.
Risk Assessments | Complement the existing risk assessment process by running privacy- and AI-specific risk assessments, Data Protection Impact Assessments (DPIAs), and AI Impact Assessments (AIIAs) across product and business initiatives. Identify control gaps, document risk treatment decisions, and track remediation activities through to closure in line with NIST or similar methodologies.
Stakeholder Engagement | Act as a trusted advisor to product, engineering, and data science teams. Translate regulatory requirements into practical, actionable guidance. Champion privacy-by-design and security-by-default principles throughout the software development lifecycle (SDLC). You will be comfortable engaging directly with business stakeholders and, where required, with external clients — representing the Security GRC function with confidence and clarity.
Vendor & Third-Party Risk | Support third-party risk assessments with a focus on data processor obligations, AI sub-processor relationships, and contractual compliance. Review Data Processing Agreements (DPAs) and standard contractual clauses (SCCs) in partnership with Legal.
Incident & Audit Support | Participate in privacy-related incident response activities, including breach notification workflows under GDPR Articles 33 and 34. Prepare materials for internal and external audits, managing evidence requests and auditor queries.
Who are you?
Skills & Competencies
- Structured thinker with a natural instinct for documentation, process, and record-keeping.
- Strong written and verbal communication skills; able to present complex regulatory concepts clearly to non-specialist audiences.
- Ability to build trusted relationships across engineering, product, legal, and leadership without relying on formal authority.
- Comfortable operating in a fast-paced, ambiguous environment and managing multiple workstreams concurrently.
- Confident and professional in direct business and client-facing engagements. You are comfortable representing the GRC function in conversations with internal stakeholders and external parties, and can hold your own in discussions about our security and compliance posture.
- A team-first mindset with the flexibility to pick up broader GRC work when colleagues are unavailable. As a small, collaborative unit, everyone covers for each other — whether that means supporting a customer engagement, fielding a security questionnaire, or assisting with an audit response outside your primary domain.
- Proficiency with GRC tooling (e.g. ServiceNow GRC, Drata, Vanta, OneTrust, or similar) is advantageous.
Essential Experience
- A formal degree in Law (LLB), Computer Science, Information Systems, or Business (BCom) is advantageous, but we value substance over credentials. Equivalent experience, diplomas, higher certificates, or vocational qualifications that demonstrate analytical rigour and a structured approach to problem-solving are equally welcomed.
- Professional certifications in privacy or GRC are a welcome addition to your profile — not a requirement. Relevant examples include CIPP/E, CIPM, CISA, or ISO 27001 Foundation. If you’re working towards one, tell us.
- 3–5 years of experience in a GRC, compliance, information security, or data privacy role, ideally within a tech, SaaS, or data-driven environment.
- Working knowledge of GDPR and/or UK GDPR, including practical experience drafting or reviewing DPIAs, RoPAs, and DPAs.
- Familiarity with ISO 27001, ISO 27701, and an awareness of ISO 42001 or equivalent AI governance frameworks (NIST AI RMF, EU AI Act).
- Demonstrable experience maintaining GRC documentation to audit-ready standard, with strong version control discipline.
- Experience conducting risk assessments and translating findings into prioritised, business-relevant recommendations.
Benefits
- Unlimited holidays – we want well-rested and motivated teams, so we encourage people to take plenty of time off. We don't cap your allowance, but we do set a minimum of at least 20 days per year plus national holidays.
- Three company-paid mental health days of rest every year (these are pre-scheduled, so the entire company can take the same days off regularly to reset)
- Thoughtfully designed offices to support both individual work and collaboration without interrupting others
- Private medical healthcare cover
- Medical Aid
- Group risk, life & disability contributions
- Wellbeing benefits such as free yoga and access to trained therapists / counsellors
- Paid 24h secure parking in Cape Town
- Free coffee, lunches and in-office snacks
- Tailored personal development through training allowances, coaching, mentorship and career framework