CPA Step 06: Data Protection Assessments
Colorado’s privacy law requires businesses to perform data protection assessments (DPAs). A DPA is meant to weigh the business benefits of processing users' personal data against the potential risks that processing creates for users. A DPA is required for:
- Any processing activities involving personal data that present a heightened risk of harm to consumers.
- Processing sensitive data.
- Targeted advertising.
- The sale of personal data.
The final rules of the Colorado Privacy Act specify the content your business needs to include in DPAs. Generally, your business must include the following information:
| Title | In simple terms... | Description |
|---|---|---|
| Data Categories | What data am I processing? | The type or category of personal data your business is processing. |
| Purpose of Processing | Is this data truly necessary to fulfill a specific purpose? | Is the user data I’m processing adding value to the user or necessary for my business? Or is it just creating unnecessary risk to the user and the business? |
| Data Retention | How long are we keeping the data? | Are we disposing of data as quickly as we reasonably can to minimize and reduce the risk to our users and our company? |
| Location | Where is the data flowing? (Organizationally and geographically) | Because privacy policies differ internationally, data flows between geographies create risk for your users. For example, data traveling between the U.S. and the EU is only permitted under specific conditions. |
| Data Processing Contracts | Are our vendors' policies and agreements up to date? | You are responsible for ensuring that your vendors are complying with your security and privacy practices for the safety of your users. |
| Security Controls | Is our users' data secure? | A broad review of security controls to ensure that your business is adequately protected. This includes special considerations for de-identified data. |
Businesses are also required to document the measures taken to mitigate the identified risks. Be sure to review and update your DPAs any time your data processing activities change. The Colorado Attorney General may request that a company submit a DPA within 30 days to determine compliance.
Unlike Europe's GDPR, there is no single standard form for these risk evaluations today. However, answering the above questions for your business regularly, and recording each evaluation as part of an audit trail, will put you in a strong position to comply with Colorado’s privacy law.