GRC Manager
Omilia · TELECOMMUTE · Posted Jul 7, 2026
Apply on company site Track it in JobSkout
The GRC Manager owns Omilia's regulatory compliance programmes and certification portfolio end to end. This is a delivery role, not an advisory one: the person in it runs the ISMS, manages certification body relationships, drives data protection governance, and coordinates evidence across SOC 2, ISO 27001, and adjacent frameworks. Omilia operates under EU law with enterprise clients in regulated industries around the world. The GRC Manager is the operational backbone that keeps those relationships defensible and those certifications current.
Accountabilities
Own the full lifecycle of ISO 27001, SOC 2 Type II, C5, PCI-DSS, and Cyber Essentials certifications: scoping, evidence library, audit coordination, management responses, and remediation tracking.
Own the GDPR operational compliance framework: DPIA process, LIA and TIA governance, RoPA maintenance, breach response documentation, and cross-border transfer mechanisms in collaboration with the DPO.
Maintain active compliance frameworks for DORA, NIS2, HIPAA, CCPA/CPRA, and the EU Data Act, maintaining current obligation tracking and client assurance artefacts.
Own breach and incident response governance end to end: process, regulatory notification decision support, Art. 33/34 documentation, and the regulatory notification register.
Drive control owner accountability without direct authority: translate regulatory obligation into business consequence, manage evidence deadlines, escalate where necessary.
Key Responsibilities
Manage the ISMS evidence library, own the certification body relationship for ISO 27001 and C5.
Coordinate SOC 2 Type II readiness: TSC scoping, evidence collection, auditor engagement, report distribution, and management response drafting.
Maintain the RoPA, conduct DPIAs and LIAs, and manage data subject rights governance under GDPR.
Track and implement obligations under DORA, NIS2, HIPAA, CCPA/CPRA, EU Data Act, and Cyber Resilience Act as live regulatory requirements, not awareness items.
Coordinate BAA execution and PHI obligation documentation with Legal for healthcare accounts.
Run the compliance deliverable tracker; close loops on evidence collection without being managed.
Translate regulatory obligations into plain-language business impact and secure timely responses from technical and product stakeholders who do not report to this role.
Manage the end-to-end coordination of client compliance audits: evidence packs, management responses, findings remediation.
Maintain and administer the GRC automation platform, including uploading evidence and monitoring control status.