
Virtual Data Privacy Office

Privacy expertise and assistance customized to your needs. vDPO is a flexible, cost-effective alternative to in-house resources, focused on practical, risk-based privacy compliance solutions.

Approach

Privacy Expertise with a Business Mindset

You choose the type and amount of privacy help you need, from simply a go-to resource for ad hoc issues to full leadership of your privacy program. Your Virtual Data Privacy Office will comprise both privacy and information security experts.

Benefits

Privacy Peace of Mind in an Ever-Changing Legal Landscape

Whether you operate locally, nationally, or globally, data privacy obligations are multiplying. vDPO helps you keep pace with laws & regulations, industry best practices, and the expectations of your clients and consumers.

Notices and Policies

Tap into our experience to draft or update your public privacy notice and related internal governance policies.

Contractual Privacy Terms

Make sure you understand, and can fulfill, the privacy terms in contracts you enter into with clients, partners, and vendors.

Team Training & Internal Communications

Build, operationalize, and leverage a culture of privacy in your organization.

Data Breach Response Preparation

Be prepared to meet your legal notification obligations in the event of a personal data breach—the “to whom, how, and when” of breach notification.

vDPO College

vDPO focused on higher education privacy.

GDPR Data Protection Officer

GDPR-compliant external Data Protection Officer for organizations subject to GDPR and meeting certain GDPR personal data-processing criteria.

Compliance Simplified

How We Start

Data Privacy Risk Assessment

Most vDPO engagements begin with a Data Privacy Risk Assessment, comprising three main elements.

Personal Data Inventory/Mapping

Identify the personal information assets that your organization collects, stores, and uses

Compliance Gap Analysis

Understand the privacy laws & regulations that apply to your personal data processing. Identify gaps between the legal requirements and your practices

Remediation Plan

Evaluate the risk of each compliance gap. Identify and prioritize remediation measures

Data Privacy Laws “Cheat Sheet”

Vancord has prepared this little “cheat sheet” of data privacy laws that could apply to your organization. Keep in mind that our list is illustrative and non-exhaustive. It should not be used to make compliance decisions.    

APPLIES TO: Larger businesses operating in/selling into CT, VA, CO, UT and CA. To qualify, a business must use the PI of over 100,000 CT consumers (or 25,000 if it makes over 25% of its revenue from selling PI)

EXEMPT: State and local government, nonprofits, higher education, businesses subject to GLBA or HIPAA, HR PI, B2B consumer PI, FERPA data

APPLIES TO: Larger entities doing business in CA. To qualify, a business must have revenues of over $25 million, or buy/sell/share the PI of over 100,000 consumers, or make over 50% of its revenue from selling PI

EXEMPT:  Government, nonprofits, public education, data covered by GLBA or HIPAA

APPLIES TO: Organizations offering their service/product to European/UK residents, or tracking European/UK residents online even if those organizations have no European/UK presence.

EXEMPT: None

APPLIES TO: “Covered entities” (principally doctors’ offices, hospitals, pharmacies, and insurers), plus their “business associates” (service providers).

EXEMPT: Other entities that collect and use health data (but they are subject to other laws & rules) 

APPLIES TO: Schools and colleges that receive funds from the Department of Education (i.e. nearly all of them)

EXEMPT: None

APPLIES TO: Operators of websites or online services directed to/used by children under 13 years of age

EXEMPT: None

APPLIES TO: Financial institutions, broadly defined (and including colleges that process student financial records containing PI) 

EXEMPT: None

APPLIES TO: Federal and state regulators like the Federal Trade Commission (FTC) and state AGs have wide powers to take action against any “unfair and deceptive” practices, for example misleading consumers about how their PI is used. Citizens, often via class action lawsuits, may also take action against organizations that they perceive to have violated their privacy.      

EXEMPT: None

Stay informed of relevant information technology, security and compliance topics

Featured Episodes

CyberSound™ is a podcast built by and for business owners and professionals. Tune in as our cybersecurity experts cover the latest news regarding IT security, the most recent and relevant threats organizations are facing today, and provide tips to keep your business safe.
PODCAST EPISODE 76

Understanding Data Breach Notification Laws

A data breach has occurred in your organization. What now? Who do I legally have to notify? What types of data require notification? There are many influencing factors in state data breach laws that organizations must consider regarding disclosure requirements.
Today on CyberSound, Jason, Steve, and Matt are joined by Vancord’s Data Privacy Consultant, Rob McWilliams, to discuss the overall message: If you are equipped to respond properly to incidents, you should seek guidance to meet your regulatory obligations.
PODCAST EPISODE 3

Data Privacy: Do I Need to Comply?

With digital transformation creating vast amounts of data, the need for greater security and privacy arises.
What are the differences between security and privacy? What laws and regulations do you need to follow, both locally and globally? What are the consequences for non-compliance? We answer all these questions, and more.