
VCDPA Step 06: Data Protection Assessments

Virginia’s privacy law requires businesses to perform data protection assessments (DPAs). A DPA is how a business weighs the benefits of processing users' personal data against the potential risks to those users. Companies subject to VCDPA should assess the potential risks of:

  1. Processing data for purposes of targeted advertising.
  2. The sale of personal data.
  3. Processing personal data for purposes of profiling.
  4. Processing sensitive data.
  5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

| Title | In simple terms... | Description |
| --- | --- | --- |
| Data Categories | What data am I processing? | The type or category of personal data your business is processing. |
| Purpose of Processing | Is this data truly necessary to fulfill a specific purpose? | Is the user data I’m processing adding value to the user or necessary for my business? Or is it just creating unnecessary risk to the user and the business? |
| Data Retention | How long are we keeping the data? | Are we disposing of data as quickly as we reasonably can to minimize and reduce the risk to our users and our company? |
| Location | Where is the data flowing? (Organizationally and geographically) | Due to different policies internationally, data flows between various geographies create risk for your users. For example, data traveling between the U.S. and the EU is only permitted under specific conditions. |
| Data Processing Contracts | Are our vendor's policies and agreements up to date? | You are responsible for ensuring that your vendors are complying with your security and privacy practices for the safety of your users. |
| Security Controls | Is our users' data secure? | A broad review of security controls to ensure that your business is adequately protected. This includes special considerations for de-identified data. |

The Attorney General may request that a company submit a DPA to determine compliance.

Unlike Europe's GDPR, there is no single standard form for risk evaluations today. However, answering the above questions for your business regularly and recording each evaluation as part of an audit trail will put you in a good position to comply with Virginia’s privacy law.