4 Colo. Code Regs. § 904-3-8.04

Current through Register Vol. 47, No. 16, August 25, 2024
Section 4 CCR 904-3-8.04 - DATA PROTECTION ASSESSMENT CONTENT
A. At a minimum, a data protection assessment must include the following information:
1. A short summary of the Processing activity;
2. The categories of Personal Data to be Processed and whether they include Sensitive Data, including Personal Data from a known Child as described in C.R.S. § 6-1-1303(24);
3. The context of the Processing activity, including the relationship between the Controller and the Consumers whose Personal Data will be Processed, and the reasonable expectations of those Consumers;
4. The nature and operational elements of the Processing activity. In determining the level of detail and specificity to provide pursuant to this section, the Controller shall consider the type, amount, and sensitivity of Personal Data Processed, the impacts that operational elements will have on the level of risk presented by the Processing activity, and any relevant unique relationships. Relevant operational elements may include:
a. Sources of Personal Data;
b. Technology or Processors to be used;
c. Names or categories of Personal Data recipients, including Third Parties, Affiliates, and Processors that will have access to the Personal Data, the processing purpose for which the Personal Data will be provided to those recipients, and categorical compliance processes that the Controller uses to evaluate that type of recipient;
d. Operational details about the Processing, including planned processes for Personal Data collection, use, storage, retention, and sharing;
e. Specific types of Personal Data to be processed.
5. The core purposes of the Processing activity, as well as other benefits of the Processing that may flow, directly and indirectly to the Controller, Consumer, other expected stakeholders, and the public;
6. The sources and nature of risks to the rights of Consumers associated with the Processing activity posed by the Processing activity. The source and nature of the risks may differ based on the processing activity and type of Personal Data processed. Risks to the rights of Consumers that a Controller may consider in a data protection assessment include, for example, risks of:
a. Constitutional harms, such as speech harms or associational harms;
b. Intellectual privacy harms, such as the creation of negative inferences about an individual based on what an individual reads, learns, or debates;
c. Data security harms, such as unauthorized access or adversarial use;
d. Discrimination harms, such as a violation of federal antidiscrimination laws or antidiscrimination laws of any state or political subdivision thereof, or unlawful disparate impact;
e. Unfair, unconscionable, or deceptive treatment;
f. A negative outcome or decision with respect to an individual's eligibility for a right, privilege, or benefit related to financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services;
g. Financial injury or economic harm;
h. Physical injury, harassment, or threat to an individual or property;
i. Privacy harms, such as physical or other intrusion upon the solitude or seclusion or the private affairs or concerns of Consumers, stigmatization or reputational injury;
j. Psychological harm, including anxiety, embarrassment, fear, and other mental trauma; or
k. Other detrimental or negative consequences that affect an individual's private life, private affairs, private family matters or similar concerns, including actions and communications within an individual's home or similar physical, online, or digital location, where an individual has a reasonable expectation that Personal Data or other data will not be collected, observed, or used.
7. Measures and safeguards the Controller will employ to reduce the risks identified by the Controller pursuant to 4 CCR 904-3, Rule 8.04. Measures shall include the following, as applicable:
a. The use of De-identified Data;
b. Measures taken pursuant to the Controller duties in C.R.S. § 6-1-1308, including an overview of data security practices the Controller has implemented, any data security assessments that have been completed pursuant to C.R.S. § 6-1-1308(5), and any measures taken to comply with the consent requirements of 4 CCR 904-3, Rule 7; and
c. Measures taken to ensure that Consumers have access to the rights provided in C.R.S. § 6-1-1306.
8. A description of how the benefits of the Processing outweigh the risks identified pursuant to 4 CCR 904-3, Rule 8.04, as mitigated by the safeguards identified pursuant to 4 CCR 904-3, Rule 8.04(A)(7).
a. Contractual agreements in place to ensure that Personal Data in the possession of a Processor or other Third Party remains secure; or
b. Any other practices, policies, or trainings intended to mitigate Processing risks.
9. If a Controller is Processing Personal Data for Profiling as contemplated in C.R.S. § 6-1-1309(2)(a), a data protection assessment of that Processing activity must also comply with 4 CCR 904-3, Rule 9.06;
10. If a Controller is Processing Sensitive Data pursuant to the exception in section 4 CCR 904-3, Rule 6.10, the details of the process implemented to ensure that Personal Data and Sensitive Data Inferences are not transferred and are deleted within twenty-four (24) hours of the Personal Data Processing activity;
11. Relevant internal actors and external parties contributing to the data protection assessment;
12. Any internal or external audit conducted in relation to the data protection assessment, including the name of the auditor, the names and positions of individuals involved in the review process, and the details of the audit process; and
13. Dates the data protection assessment was reviewed and approved, and names, positions, and signatures of the individuals responsible for the review and approval.

46 CR 06, March 25, 2023, effective 7/1/2023