Vancord logo
managed services > strategy & oversight

Virtual Data Privacy Office

Privacy expertise and assistance customized to your needs. vDPO is a flexible, cost-effective alternative to in-house resources, focused on practical, risk-based privacy compliance solutions.

Approach

Privacy Expertise with a Business Mindset

You choose the type and amount of privacy help you need, from simply a go-to resource for ad hoc issues to full leadership of your privacy program. Your Virtual Data Privacy Office will comprise both privacy and information security experts.

Benefits

Privacy Peace of Mind in an Ever-Changing Legal Landscape

Whether you operate locally, nationally, or globally, data privacy obligations are multiplying. vDPO helps you keep pace with laws & regulations, industry best practices, and the expectations of your clients and consumers.

Notices and Policies

Tap into our experience to draft or update your public privacy notice and related internal governance policies.

Contractual Privacy Terms

Make sure you understand, and can fulfill, the privacy terms in contracts you enter into with clients, partners, and vendors.

Team Training & Internal Communications

Build, operationalize, and leverage a culture of privacy in your organization.

Data Breach Response Preparation

Be prepared to meet your legal notification obligations in the event of a personal data breach—the “to whom, how, and when” of breach notification.

vDPO College

vDPO focused on higher education privacy.

GDPR Data Protection Officer

GDPR-compliant external Data Protection Officer for organizations subject to GDPR and meeting certain GDPR personal data-processing criteria.

Compliance Simplified

How We Start

Data Privacy Risk Assessment

Most vDPO engagements begin with a Data Privacy Risk Assessment, comprising three main elements.

Personal Data Inventory/Mapping

Identify the personal information assets that your organization collects, stores, and uses

Compliance Gap Analysis

Understand the privacy laws & regulations that apply to your personal data processing. Identify gaps between the legal requirements and your practices

Remediation Plan

Evaluate the risk of each compliance gap. Identify and prioritize remediation measures

Data Privacy Laws “Cheat Sheet”

Vancord has prepared this little “cheat sheet” of data privacy laws that could apply to your organization. Keep in mind that our list is illustrative and non-exhaustive. It should not be used to make compliance decisions.    

APPLIES TO: Larger businesses operating in/selling into CT, VA, CO, UT and CA. To qualify, a business must use the PI of over 100,000 CT consumers (or 25,000 if it makes over 25% of its revenue from selling PI)

EXEMPT: State and local government, nonprofits, higher education, businesses subject to GLBA or HIPAA, HR PI, B2B consumer PI, FERPA data

APPLIES TO: Larger entities doing business in CA. To qualify, a business must have revenues of over $25 mi, or buy/sell/share the PI of over 100,000 consumers, or make over 50% of its revenue from selling PI  

EXEMPT:  Government, nonprofits, public education, data covered by GLBA or HIPAA

APPLIES TO: Organizations offering their service/product to European/UK residents, or tracking European/UK residents online even if those organizations have no European/UK presence.

EXEMPT: None

APPLIES TO: “Covered entities” (principally doctors’ offices, hospitals, pharmacies, and insurers, plus their “business associates” (service providers). 

EXEMPT: Other entities that collect and use health data (but they are subject to other laws & rules) 

APPLIES TO: Schools and colleges that receive funds from the Department of Education (i.e. nearly all of them)

EXEMPT: None

APPLIES TO: Operators of websites or online services directed to/used by children under 13 years of age

EXEMPT: None

APPLIES TO: Financial institutions, broadly defined (and including colleges that process student financial records containing PI) 

EXEMPT: None

APPLIES TO: Federal and state regulators like the Federal Trade Commission (FTC) and state AGs have wide powers to take action against any “unfair and deceptive” practices, for example misleading consumers about how their PI is used. Citizens, often via class action lawsuits, may also take action against organizations that they perceive to have violated their privacy.      

EXEMPT: None

Stay informed of relevant information technology, security and compliance topics

Vancord CyberSound Podcast

Featured Episodes

CyberSoundTM is a podcast built by and for business owners and professionals. Tune in as our cybersecurity experts cover the latest news regarding IT security, the most recent and relevant threats organizations are facing today, and provide tips to keep your business safe.

A data breach has occurred in your organization– what now? Who do I legally have to notify? What types of data require notification? There are many influencing factors in state data breach laws that organizations must consider regarding discloser requirements.
With digital transformation creating vast amounts of data, the need for greater security and privacy arises.