Head of Compliance

 

 

Reports to: VP of Security, IT and Compliance

We're looking for someone to own compliance end-to-end at Fresha. We're already HIPAA and ISO27001 certified, we're heading into a PCI DSS audit shortly, and later this year we've got GDPR and SOC 2 Type II coming up. That's a lot of parallel work, and we need someone who can run it without constant hand-holding.

Today one person covers the day-to-day compliance operations. You'll take over that function,  grow it, and broaden its scope into data protection, vendor risk, and policy. You won't be starting from scratch — there's a working Sprinto setup, an access review cadence, and a vulnerability management process — but you'll be expected to take it to the next level.

We expect the person in this role to run a modern, automated compliance function. The volume of work across five frameworks does not scale with headcount alone — it scales with good tooling, good automation, and sensible use of AI.

To foster a collaborative environment that thrives on face-to-face interactions and teamwork, this role will be based in our dog-friendly office 5 days per week in London: The Bower, 207-122, Old Street, London EC1V 9NR.

Run the PCI DSS audit to completion, then GDPR and SOC 2 Type II this year

Be the main point of contact for external auditors — scoping, evidence, walkthroughs, findings

Keep HIPAA and ISO 27001 in good shape between recertifications

Quarterly access reviews across in-scope systems

Sprinto: make sure controls are covered, failures are triaged quickly, and evidence is current

Vulnerability management: track closure against agreed SLAs and chase what's drifting

Own the compliance risk register — keep it current, get it reviewed on a regular cadence, and make sure it actually informs decisions rather than just sitting there for auditors

Handle Subject Access Requests and Data Access Requests end-to-end

Keep the GDPR ROPA accurate as systems, vendors, and data flows change

Own and enforce data retention — not just on paper, but actually in the systems

Review new vendors before they're onboarded — security posture, data handling, DPAs

Reassess critical and high-risk vendors on a regular cycle

Keep the vendor inventory, DPAs, and sub-processor lists tidy and audit-ready

Write new policies and update existing ones as our environment, regulations, and business change

Make sure policies are usable, understood, and actually followed — not shelfware

Own the compliance and privacy training programme: annual training, role-specific training for engineers handling PHI or cardholder data, and whatever else our frameworks demand

Look at every recurring task in this role and ask "why is a human still doing this?" —evidence collection, control testing, access review workflows, vendor questionnaire triage, SAR data discovery, policy drafting, ROPA upkeep

Push Sprinto and our adjacent tooling as far as they'll go, and fill the gaps with scripts, workflows, or AI where it makes sense

Use LLMs sensibly for drafting, review, and first-pass analysis — but know where a human still has to sign off, especially anything that goes to a regulator or an auditor

Treat the function's operating model as a product: fewer manual rituals each quarter, not more

You've led compliance through at least a couple of these frameworks (PCI DSS, SOC 2, ISO27001, HIPAA, GDPR). You don't need all of them, but PCI DSS and GDPR experience would be very valuable right now

You've dealt directly with auditors and you're comfortable pushing back when scoping or findings are off

You're hands-on. This is not a role where you delegate everything and review slides — you'll be in Sprinto, in tickets, in policy drafts, and in vendor reviews

You're fluent with AI tools and comfortable building automation — whether that's Sprinto workflows, scripting against APIs, using LLMs to cut down manual work, or knowing when to bring in an engineer to build something properly. You don't need to be a developer, but "I'll wait for someone to build it for me" isn't the right mindset

You can translate between engineers and auditors without frustrating either side

Bonus: experience with GRC tooling beyond Sprinto, DPO or DPO-adjacent work, payments regulatory exposure, or a track record of measurably reducing manual compliance work through automation

You'll have one direct report from day one, and the remainder to grow the function as the workload justifies. You'll work closely with Security, IT, Legal, Engineering and People. 

Expect to spend real time with auditors during audit windows and real time with engineering and vendor teams the rest of the year.

 

 

Every job application received is reviewed manually by our talent team. While we strive to assess applications within 7 days, the sheer volume of talented individuals expressing interest may occasionally extend this timeframe