Data Protection Impact Assessment (DPIA) (AK)

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: AK)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (state definition): [list per state law if applicable]; lawful basis/consent requirements: [insert].
  • Volume and retention: [records/year], [retention schedule and deletion triggers].
  • Processing activities: [collection, storage, analysis, sharing; sale/sharing status].

3. Legal Basis, Notices, and Rights

  • No comprehensive consumer privacy law. Alaska has breach notification statute only.
  • Applicability: Any person doing business in AK, governmental agency (except judicial), or entity with >10 employees that owns/licenses PI of AK residents.
  • Consumer rights: No state-mandated access, correction, deletion, or opt-out rights (apply federal and other applicable laws: GDPR for EU, COPPA for children, GLBA, HIPAA if applicable).
  • Primary compliance obligation: Breach notification under AS 45.48.
  • Security standard: Reasonable security measures to protect PI (industry best practices).

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
  • Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
  • Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Statute: Alaska Stat. § 45.48.010 et seq. (Personal Information Protection Act); effective July 1, 2009; signed June 13, 2008.
  • Timeline: Most expeditious time without unreasonable delay. Must determine scope and restore system integrity.
  • AG notice: Written notification to AK Attorney General required if no reasonable likelihood of harm (document for 5 years). Law enforcement delay permitted.
  • Triggers: Unauthorized acquisition (or reasonable belief thereof) compromising security/confidentiality/integrity. PI = individual info not publicly available + (includes biometric data, login credentials).
  • Exception: Harm threshold - no notice if after investigation and AG written notice, entity determines no reasonable likelihood of harm (document 5 years). Encryption/redaction safe harbor (if key not accessed).
  • CRA notice: If 1,000+ residents, notify consumer credit reporting agencies without unreasonable delay (timing, distribution, content).
  • Private right of action: Individuals may recover actual economic damages up to $500 + costs/attorneys' fees under Unfair Trade Practices Act.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].

9. State Overlay Checklist (AK) - Breach Notification Only

  • No comprehensive privacy law. Breach notification statute only (AS 45.48).
  • Applicability: Any person doing business in AK, governmental agency (except judicial), or entity with >10 employees that owns/licenses PI of AK residents.
  • Sensitive data/Consumer rights: No state-specific definitions or mandated rights. Apply federal and other laws (GDPR, COPPA, GLBA, HIPAA) as applicable.
  • Security: Reasonable security measures to protect PI (industry best practices).
  • Breach notice: Most expeditious time without unreasonable delay. AG written notice if no harm. If 1,000+, notify CRAs. Includes biometric data, login credentials in PI definition.
  • Harm threshold: No notice if after investigation and AG notice, no reasonable likelihood of harm (document 5 years). Encryption/redaction safe harbor.
  • Private right of action: Yes - up to $500 actual damages + costs/fees under Unfair Trade Practices Act.
  • Recordkeeping: 5-year retention of harm determination if no notice provided.
  • Children: COPPA compliance for children under 13.
  • DPA/ROPA: Not required by state law (apply GDPR/industry standards if applicable).

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Legitimate interests assessment or risk assessment (if applicable).
  • Testing summaries and pen test reports (if applicable).
  • State-specific notices/links and breach templates.

About This Template

Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: May 2026
