Unless you’re a lover of scholarly legal documents, the word “compliance” probably doesn’t elicit much excitement. Even its definition—“the state or fact of according with or meeting rules or standards”—seems rather dry.
But at VSA, we take compliance very seriously. We know abiding by major privacy regulations is a necessity—for ourselves, our clients, and anybody we communicate with on our clients’ behalf.
Some lead generation firms choose not to prioritize compliance, maybe because they’re unwilling or unable to invest enough time, money, and resources. But the legal, ethical, and financial repercussions of not being compliant can be devastating.
To put it in terms we can all understand and appreciate, compliance really comes down to two words: Data privacy.
“Compliance is bigger than the word itself,” says Rob Van Buskirk, co-founder of VanRein Compliance, a Texas-based consulting firm that has helped VSA stay up to date with the growing compliance regulations over the last three years. “What we focus on and what VSA is focused on is data privacy. Everyone wants to know that their data is secure. It’s a human right that our data is protected by any company we give information to.”
VSA is compliant in multiple areas, spanning the wide range of industries and geographic locations we service. The list of acronyms might seem hard to keep straight at first, but each is vitally important to ensure that all data we work with is properly obtained, housed, and accessed. These compliance regulations include:
- HIPAA: Health Insurance Portability and Accountability Act, which addresses the use and disclosure of individuals’ health information
- GDPR: General Data Protection Regulation, a privacy law that regulates how companies collect, handle, and process personal data from consumers in the European Union
- CCPA: California Consumer Privacy Act, which enhances privacy rights and consumer protection for California residents
- New York SHIELD: Stop Hacks and Improve Electronic Data Security Act, which strengthens New York’s existing data security laws
- PCI: Payment Card Industry compliance, which helps ensure the security of credit card transactions
- FERPA: Family Educational Rights and Privacy Act, which governs access to educational information and records
“Among our peers, we do not know of any other lead generation firm that has taken compliance with the new privacy regulations as seriously as we have,” says Valerie Schlitt, VSA’s founder and CEO. “What started out as a single client requirement is now a major competitive advantage for VSA.”
Here are some of the key factors that have played a role in our remaining compliant, and the added ways we’re able to serve our clients as a result:
Working with an outside partner
VSA has always taken robust data security precautions on our own, but fully absorbing the complicated world of modern compliance really does require a trusted outside adviser. Our partnership with VanRein allows us to regularly consult on strategic and tactical measures and provides us with a valuable asset that distinguishes us from many of our competitors.
As a third-party auditor, VanRein significantly reduces our risk of non-compliance and ensures we’re not letting any important details slip through the cracks.
“When we started working with Valerie and the team at VSA three years ago, she noticed that compliance is bigger than just a checkbox,” says Mr. Van Buskirk. “There are a lot of platforms out there that automate everything and ask you to just check a box. Well, if you want to just check a box, you better not be in an industry where you have sensitive data, because it does not fully work. There are so many nuances of the laws, you really need somebody to guide you through.”
An internal Compliance Officer
Even with an outside partner, you need a person on staff responsible for creating and implementing an internal compliance program. VSA has that in Kevin Schroeder, our Director of Shared Services. Kevin’s duties include overseeing all technical and organizational measures necessary for ensuring the security of our data and developing solutions for potential issues.
He recently took steps to help us maintain GDPR compliance for an international client by working with one of our software providers to change the location of their physical servers. He also instituted a policy change that allowed VSA’s daughter company PubSEG (which performs COVID-19 contact tracing and overall pandemic management) to remain HIPAA compliant in a cost-effective manner.
Under Kevin’s leadership, VSA’s tech team is well-equipped to quickly address any compliance issues that arise. Data protection influences nearly everything he and his team do, even relatively small steps such as switching over to Microsoft Teams, in part because it’s more secure than other platforms.
Employee training
It’s not enough for just upper management to be compliant. Our Business Development Representatives and other call center employees interact with the public every day and are privy to personal information that is protected under various laws. That’s why our employees are trained in multiple regulatory requirements, both national and international.
Take the financial services industry, for example, which requires callers to use very specific language. We have to make sure we’re not saying anything our clients don’t want us to say.
“The VSA team is really focused on ensuring all employees are trained because the best firewall is the human firewall,” Mr. Van Buskirk says.
A competitive advantage
Remaining compliant obviously makes sense from a moral and legal perspective, but it’s no secret that it also pays huge dividends from a competitive standpoint. We’ve had clients in recent years who signed with us specifically because we were able to demonstrate compliance relevant to their industry or location. Having the knowledge and skillset to stay in compliance will be critical for more and more clients moving forward.
As Mr. Van Buskirk explains it: “Clients want to know your security posture. You want to be in front of that. You want to be able to say, ‘Hey, we’ve already built out our compliance and security framework, here’s all the documentation.’ You put that up against anybody, you’re going to shine.”
Ultimately, no company wants to get a call from an attorney or a government agency saying they may have violated somebody’s rights. Becoming compliant isn’t easy, but it’s a heck of a lot easier than finding out you’re not compliant after the fact.
VSA has always taken data privacy very seriously, and we always will. If you’d like to learn more about how we can keep your data secure, give us a call. Compliance might not be the juiciest topic in the world, but we’re very happy to talk about it.

