CTDPA Step 05: Portability Requests for CTDPA
Connecticut’s privacy law requires businesses to perform data protection assessments (DPAs). A DPA is how a business weighs the benefits of processing users' personal data against the potential risks to those users. This includes processing personal data for purposes of:
- Targeted advertising.
- The sale of personal data.
- Profiling that could present a heightened risk of harm to consumers, which includes:
  - Unfair or deceptive treatment.
  - Financial, physical, or reputational injury.
  - Physical or other intrusion upon private affairs.
  - Other substantial injury.
Generally, your business must include the following information in your DPAs:
| Title | In simple terms... | Description |
| --- | --- | --- |
| Data Categories | What data am I processing? | The type or category of personal data your business is processing. |
| Purpose of Processing | Is this data truly necessary to fulfill a specific purpose? | Is the user data I’m processing adding value to the user or necessary for my business? Or is it just creating unnecessary risk to the user and the business? |
| Data Retention | How long are we keeping the data? | Are we disposing of data as quickly as we reasonably can to minimize and reduce the risk to our users and our company? |
| Location | Where is the data flowing? (Organizationally and geographically) | Due to different policies internationally, data flows between various geographies create risk for your users. For example, data traveling between the U.S. and the EU is only permitted under specific conditions. |
| Data Processing Contracts | Are our vendors' policies and agreements up to date? | You are responsible for ensuring that your vendors are complying with your security and privacy practices for the safety of your users. |
| Security Controls | Is our users' data secure? | A broad review of security controls to ensure that your business is adequately protected. This includes special considerations for de-identified data. |
Unlike Europe's GDPR, there is no single standard form for risk evaluations today. However, answering the above questions for your business regularly, and recording each evaluation as part of an audit trail, will put you in a good position to comply with Connecticut’s privacy law.