Code of Colorado Regulations
900 - Department of Law
904 - Attorney General-Consumer Protection Section
4 CCR 904-3 - Colorado Privacy Act Rules
Part 8 - DATA PROTECTION ASSESSMENTS
Section 4 CCR 904-3-8.04 - DATA PROTECTION ASSESSMENT CONTENT
Universal Citation: 900 CO Code Regs 4 CCR 904-3-8.04
Current through Register Vol. 47, No. 17, September 10, 2024
A. At a minimum, a data protection assessment must include the following information:
1. A short summary of the Processing activity;
2. The categories of Personal Data to be Processed and whether they include Sensitive Data, including Personal Data from a known Child as described in C.R.S. § 6-1-1303(24);
3. The context of the Processing activity, including the relationship between the Controller and the Consumers whose Personal Data will be Processed, and the reasonable expectations of those Consumers;
4. The nature and operational elements of the Processing activity. In determining the level of detail and specificity to provide pursuant to this section, the Controller shall consider the type, amount, and sensitivity of Personal Data Processed, the impacts that operational elements will have on the level of risk presented by the Processing activity, and any relevant unique relationships. Relevant operational elements may include:
a. Sources of Personal Data;
b. Technology or Processors to be used;
c. Names or categories of Personal Data recipients, including Third Parties, Affiliates, and Processors that will have access to the Personal Data, the processing purpose for which the Personal Data will be provided to those recipients, and categorical compliance processes that the Controller uses to evaluate that type of recipient;
d. Operational details about the Processing, including planned processes for Personal Data collection, use, storage, retention, and sharing;
e. Specific types of Personal Data to be processed.
5. The core purposes of the Processing activity, as well as other benefits of the Processing that may flow, directly and indirectly, to the Controller, Consumer, other expected stakeholders, and the public;
6. The sources and nature of risks to the rights of Consumers associated with the Processing activity posed by the Processing activity. The source and nature of the risks may differ based on the processing activity and type of Personal Data processed. Risks to the rights of Consumers that a Controller may consider in a data protection assessment include, for example, risks of:
a. Constitutional harms, such as speech harms or associational harms;
b. Intellectual privacy harms, such as the creation of negative inferences about an individual based on what an individual reads, learns, or debates;
c. Data security harms, such as unauthorized access or adversarial use;
d. Discrimination harms, such as a violation of federal antidiscrimination laws or antidiscrimination laws of any state or political subdivision thereof, or unlawful disparate impact;
e. Unfair, unconscionable, or deceptive treatment;
f. A negative outcome or decision with respect to an individual's eligibility for a right, privilege, or benefit related to financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services;
g. Financial injury or economic harm;
h. Physical injury, harassment, or threat to an individual or property;
i. Privacy harms, such as physical or other intrusion upon the solitude or seclusion or the private affairs or concerns of Consumers, stigmatization or reputational injury;
j. Psychological harm, including anxiety, embarrassment, fear, and other mental trauma; or
k. Other detrimental or negative consequences that affect an individual's private life, private affairs, private family matters or similar concerns, including actions and communications within an individual's home or similar physical, online, or digital location, where an individual has a reasonable expectation that Personal Data or other data will not be collected, observed, or used.
7. Measures and safeguards the Controller will employ to reduce the risks identified by the Controller pursuant to 4 CCR 904-3, Rule 8.04. Measures shall include the following, as applicable:
a. The use of De-identified Data;
b. Measures taken pursuant to the Controller duties in C.R.S. § 6-1-1308, including an overview of data security practices the Controller has implemented, any data security assessments that have been completed pursuant to C.R.S. § 6-1-1308(5), and any measures taken to comply with the consent requirements of 4 CCR 904-3, Rule 7; and
c. Measures taken to ensure that Consumers have access to the rights provided in C.R.S. § 6-1-1306.
8. A description of how the benefits of the Processing outweigh the risks identified pursuant to 4 CCR 904-3, Rule 8.04, as mitigated by the safeguards identified pursuant to 4 CCR 904-3, Rule 8.04(A)(7).
a. Contractual agreements in place to ensure that Personal Data in the possession of a Processor or other Third Party remains secure; or
b. Any other practices, policies, or trainings intended to mitigate Processing risks.
9. If a Controller is Processing Personal Data for Profiling as contemplated in C.R.S. § 6-1-1309(2)(a), a data protection assessment of that Processing activity must also comply with 4 CCR 904-3, Rule 9.06;
10. If a Controller is Processing Sensitive Data pursuant to the exception in section 4 CCR 904-3, Rule 6.10, the details of the process implemented to ensure that Personal Data and Sensitive Data Inferences are not transferred and are deleted within twenty-four (24) hours of the Personal Data Processing activity;
11. Relevant internal actors and external parties contributing to the data protection assessment;
12. Any internal or external audit conducted in relation to the data protection assessment, including the name of the auditor, the names and positions of individuals involved in the review process, and the details of the audit process; and
13. Dates the data protection assessment was reviewed and approved, and names, positions, and signatures of the individuals responsible for the review and approval.