Acadia Healthcare is a leading provider of behavioral healthcare services across the United States. Acadia operates a growing network of 250 plus behavioral healthcare facilities with approximately 11,100 beds in 39 states and Puerto Rico. With more than 23,000 employees serving approximately 75,000 patients daily, Acadia is the largest stand-alone behavioral health company in the U.S.

We are seeking a Data Protection & Risk Specialist to join our team in Franklin, TN.  The first 90 days in this role will be fully in-person to ensure comprehensive onboarding and training. After the initial period, the position will transition to a hybrid model, with 2 days remote and 3 days in the office each week

The Data Protection & Risk Specialist will play a critical role in safeguarding Acadia’s sensitive information by serving as the subject matter expert for data classification, data loss prevention (DLP), and insider risk management. This role is responsible for designing, implementing, and optimizing Acadia’s data protection framework to ensure data is properly tagged, secured, and governed throughout its lifecycle. The Specialist will partner with IT, compliance, privacy, and business units to reduce risks associated with data misuse, strengthen regulatory compliance, and embed best practices in data protection and risk management across the organization.

ESSENTIAL FUNCTIONS:

• Data Protection Leadership: Act as Acadia’s subject matter expert for data classification, labeling, and protection practices. Develop and enforce policies, standards, and procedures to ensure sensitive data is safeguarded consistently.
• Insider Risk Management: Implement and optimize insider risk detection and prevention capabilities. Define monitoring use cases, incident response processes, and mitigation strategies.
• Data Loss Prevention (DLP): Configure, tune, and maintain DLP technologies to reduce the risk of data leakage. Collaborate with business units to ensure DLP controls align with operational needs and compliance requirements.
• Risk & Governance: Support enterprise risk assessments related to data protection and insider threats. Document risks, propose mitigations, and ensure alignment with NIST, ISO, HIPAA, and other governance frameworks.
• Compliance & Regulatory Alignment: Ensure Acadia’s data protection practices comply with HIPAA, 42 CFR Part 2, SOX, PCI, GDPR, and other relevant regulations. Participate in audits, assessments, and compliance reviews.
• Cross-Functional Collaboration: Work closely with IT, compliance, and business leaders to embed data protection into operations and projects. Provide expertise during security reviews and incident investigations.
• Awareness & Training: Support development of training programs and awareness campaigns to strengthen organizational culture around data protection and responsible data use.
• Continuous Improvement: Stay informed on evolving insider threats, regulatory changes, and emerging technologies. Recommend enhancements to data protection and risk management strategies.

OTHER FUNCTIONS:

• Performs other tasks as assigned.

STANDARD EXPECTATIONS:

• Complies with organizational policies, procedures, and performance improvement initiatives while maintaining industry standards of confidentiality.
• Builds constructive and cooperative working relationships across teams.
• Fosters mutual trust, respect, and cooperation among colleagues.

EDUCATION/EXPERIENCE/SKILL REQUIREMENTS:

• Education: Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, Risk Management, or related field; or equivalent work experience.
• Experience: Minimum 4–6 years in cybersecurity, with 3+ years focused on data protection, insider risk, or DLP. Broader experience in governance, risk management, and compliance preferred.
• Expertise: Strong knowledge of data classification frameworks, DLP tools, and insider risk programs. Familiarity with Microsoft Purview, insider risk management solutions, and data tagging technologies preferred.
• Compliance Knowledge: Deep understanding of healthcare regulations (HIPAA, 42 CFR Part 2) and familiarity with frameworks such as NIST, ISO, and CIS.
• Communication: Skilled in explaining data protection and risk concepts to both technical and non-technical audiences.
• Project Management: Ability to manage cross-functional security initiatives, prioritize competing tasks, and deliver on time.
• Soft Skills: High level of discretion, collaboration, and problem-solving abilities; proactive and detail-oriented.
• Continuous Learning: Committed to staying current on emerging cyber risks, technologies, and best practices in data protection.

LICENSES/DESIGNATIONS/CERTIFICATIONS:

• Desired but not required: CISSP, CISM, CRISC, CIPP, Microsoft Certified: Information Protection Administrator, GIAC DLP Engineer (GDLPE), HCISPP, or equivalent certifications.

SUPERVISORY REQUIREMENTS: This position is an Individual Contributor

While this job description is intended to be an accurate reflection of the requirements of the job, management reserves the right to add or remove duties from particular jobs when circumstances (e.g. emergencies, changes in workload, rush jobs or technological developments) dictate.