UCPA Step 05: Portability Requests for UCPA
Generally, your business must include the following information in your DPAs:
| Title | In simple terms... | Description |
| --- | --- | --- |
| Data Categories | What data am I processing? | The type or category of personal data your business is processing. |
| Purpose of Processing | Is this data truly necessary to fulfill a specific purpose? | Is the user data I’m processing adding value to the user or necessary for my business? Or is it just creating unnecessary risk to the user and the business? |
| Data Retention | How long are we keeping the data? | Are we disposing of data as quickly as we reasonably can to minimize and reduce the risk to our users and our company? |
| Location | Where is the data flowing? (Organizationally and geographically) | Due to different policies internationally, data flows between various geographies create risk for your users. For example, data traveling between the U.S. and the EU is only permitted under specific conditions. |
| Data Processing Contracts | Are our vendor's policies and agreements up to date? | You are responsible for ensuring that your vendors are complying with your security and privacy practices for the safety of your users. |
| Security Controls | Is our users' data secure? | A broad review of security controls to ensure that your business is adequately protected. This includes special considerations for de-identified data. |
Unlike Europe's GDPR, there is no single standard form for risk evaluations today. However, regularly answering the above questions for your business and recording each evaluation as part of an audit trail will set you up to comply with Utah's privacy law.