Virtual Data Privacy Office
Privacy expertise and assistance customized to your needs. vDPO is a flexible, cost-effective alternative to in-house resources, focused on practical, risk-based privacy compliance solutions.
Privacy Expertise with a Business Mindset
You choose the type and amount of privacy help you need, from simply a go-to resource for ad hoc issues to full leadership of your privacy program. Your Virtual Data Privacy Office will comprise both privacy and information security experts.
Privacy Peace of Mind in an Ever-Changing Legal Landscape
Whether you operate locally, nationally, or globally, data privacy obligations are multiplying. vDPO helps you keep pace with laws & regulations, industry best practices, and the expectations of your clients and consumers.
How We Start
Data Privacy Risk Assessment
Most vDPO engagements begin with a Data Privacy Risk Assessment, comprising three main elements.
Personal Data Inventory/Mapping
Identify the personal information assets that your organization collects, stores, and uses.
Compliance Gap Analysis
Understand the privacy laws & regulations that apply to your personal data processing. Identify gaps between the legal requirements and your practices.
Evaluate the risk of each compliance gap. Identify and prioritize remediation measures.
Data Privacy Laws “Cheat Sheet”
Vancord has prepared this little “cheat sheet” of data privacy laws that could apply to your organization. Keep in mind that our list is illustrative and non-exhaustive. It should not be used to make compliance decisions.
APPLIES TO: Larger businesses operating in/selling into CT, VA, CO, UT and CA. To qualify, a business must use the PI of over 100,000 CT consumers (or 25,000 if it makes over 25% of its revenue from selling PI).
EXEMPT: State and local government, nonprofits, higher education, businesses subject to GLBA or HIPAA, HR PI, B2B consumer PI, FERPA data
APPLIES TO: Larger entities doing business in CA. To qualify, a business must have revenues of over $25 million, or buy/sell/share the PI of over 100,000 consumers, or make over 50% of its revenue from selling PI.
EXEMPT: Government, nonprofits, public education, data covered by GLBA or HIPAA
APPLIES TO: Organizations offering their service/product to European/UK residents, or tracking European/UK residents online even if those organizations have no European/UK presence.
APPLIES TO: “Covered entities” (principally doctors’ offices, hospitals, pharmacies, and insurers), plus their “business associates” (service providers).
EXEMPT: Other entities that collect and use health data (but they are subject to other laws & rules)
APPLIES TO: Schools and colleges that receive funds from the Department of Education (i.e., nearly all of them).
APPLIES TO: Operators of websites or online services directed to/used by children under 13 years of age
APPLIES TO: Financial institutions, broadly defined (and including colleges that process student financial records containing PI)
APPLIES TO: Federal and state regulators, such as the Federal Trade Commission (FTC) and state attorneys general (AGs), have wide powers to take action against any “unfair and deceptive” practices, for example misleading consumers about how their PI is used. Citizens, often via class action lawsuits, may also take action against organizations that they perceive to have violated their privacy.
Stay informed of relevant information technology, security and compliance topics
CyberSound™ is a podcast built by and for business owners and professionals. Tune in as our cybersecurity experts cover the latest IT security news and the most relevant threats organizations face today, and share tips to keep your business safe.