Data Protection Impact Assessment (DPIA) (DE)

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: DE)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (DPDPA definition - includes unique transgender/non-binary status provision): Check all that apply: (1) Personal data revealing race or ethnicity; (2) Religion; (3) Mental or physical health condition or diagnosis (including pregnancy); (4) Sex life; (5) Sexual orientation; (6) Status as transgender or nonbinary (same provision as Oregon law - unique among state laws); (7) Citizenship or immigration status; (8) Genetic data (separately defined from biometric data); (9) Biometric data processed for purpose of uniquely identifying consumer; (10) Personal data of known child; (11) Precise geolocation data. Controller must obtain consumer's consent to process sensitive data.
  • Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose].
  • Processing activities: [collection, storage, analysis, sharing, sale/sharing status]. DPDPA definitions: "Sale" = exchange of personal data for monetary or other valuable consideration; "Targeted advertising" = displaying an advertisement selected based on personal data obtained from the consumer's activities over time to predict preferences or interests; "Profiling" = automated processing to evaluate, analyze, or predict consumer characteristics including economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

3. Legal Basis, Notices, and Rights

  • Primary state privacy law(s): Delaware Personal Data Privacy Act (DPDPA), 6 Del. C. § 12D-101 et seq., effective January 1, 2025.
  • Applicability thresholds: LOWEST CONSUMER THRESHOLD OF ANY ENACTED STATE LAW: Person conducting business in Delaware or producing products/services targeted to Delaware residents who, during preceding calendar year: (1) Controlled or processed personal data of at least 35,000 Delaware residents (excluding data solely for payment transactions); OR (2) Controlled or processed personal data of at least 10,000 Delaware residents AND derived more than 20% of gross revenue from sale of personal data. 35,000 threshold is lowest among states with enacted laws (Montana's 25,000 is lower but effective later); threshold accounts for Delaware's smaller population. No minimum revenue threshold. Applies to most nonprofit organizations and institutions of higher education (like Colorado and Oregon).
  • Entity type exemptions: GLBA-covered financial institutions for activities subject to GLBA, HIPAA-covered entities/business associates for protected health information, state/tribal government entities, air carriers subject to 49 U.S.C.
  • Consumer rights covered: (1) Right to confirm whether controller is processing personal data and access personal data; (2) Right to correct inaccuracies in personal data; (3) Right to delete personal data; (4) Right to obtain copy of personal data in portable and readily usable format; (5) Right to opt out of sale of personal data, targeted advertising, and profiling in furtherance of decisions producing legal or similarly significant effects. Response timeline: 45 days (with one 45-day extension if reasonably necessary; must inform consumer of extension). Authentication: Reasonable measures to verify consumer identity.
  • Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) Consent required for processing sensitive data (controller must obtain consumer's consent); (2) Must recognize universal opt-out mechanisms (e.g., Global Privacy Control) effective January 1, 2026; (3) Opt-out required for sale, targeted advertising, and profiling for legal/similarly significant decisions; (4) Personal data of known child is sensitive data requiring consent.
  • Notice/labeling requirements: Privacy notice must be reasonably accessible, clear, and meaningful, disclosing: categories of personal data processed, purposes, how to exercise consumer rights, categories of personal data shared with third parties, categories of third parties, how to opt out of sale/targeted advertising. Must provide method for submitting requests and opting out.
  • Contracts with processors/service providers: Contract required between controller and processor. Must include: instructions for processing data; nature and purpose of processing; type of personal data; duration of processing; rights and obligations of both parties; requirement that processor assists controller in meeting DPDPA obligations; requirement that processor deletes or returns data upon completion of services.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: Encryption in transit/at rest [specify algorithms/key lengths], key management [HSM/KMS], network segmentation, endpoint protections [EDR/AV], logging/monitoring [SIEM], DLP, backups [frequency/retention/testing], vulnerability management [scanning cadence/remediation SLAs].
  • Organizational controls: Written information security policies, annual training cadence, vendor due diligence [security questionnaires/assessments], incident response playbook [tested annually], change management, privacy-by-design reviews.
  • Authentication/authorization: [MFA method: TOTP/FIDO2/SMS]; [SSO/SAML provider]; session timeouts [specify]; privileged access reviews [quarterly/semi-annual].
  • Reasonable security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk, sensitive data including pregnancy data and transgender/non-binary status].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • Profiling-specific risks: Unfair or deceptive treatment, unlawful disparate impact, financial/physical/reputational injury, intrusion on solitude/seclusion offensive to reasonable person, other substantial injury.

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Breach notification statute: 6 Del. C. § 12B-101 et seq. (Computer Security Breaches).
  • Timeline: Notice to affected Delaware residents required without unreasonable delay but NOT LATER THAN 60 DAYS after determination of breach, unless shorter time required under federal law. "Determination of breach" = point at which person has sufficient evidence to conclude breach occurred.
  • Extended timeline provision: If person could not through reasonable diligence identify within 60 days that personal information of certain Delaware residents was included, must provide notice as soon as practicable after determination, unless substitute notice provided.
  • Notification triggers: Breach of security = unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information. Personal information = Delaware resident's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Driver's license/state ID number; (c) Financial account/credit/debit card number with security code/access code/password; (d) Passport number; (e) Username/email address with password/security question answer permitting account access; (f) Medical history, treatment, diagnosis, or deoxyribonucleic acid profile; (g) Health insurance policy number; (h) Unique biometric data.
  • Encryption safe harbor: Notice not required if personal information was encrypted, redacted, or otherwise altered in a manner rendering information unreadable and key/process needed to decrypt was not and could not reasonably have been accessed.
  • Regulator/AG notice: If affected number of Delaware residents exceeds 500, person required to provide notice shall, not later than time when notice provided to residents, also notify Delaware Attorney General.
  • CRITICAL: Credit monitoring requirement - If personal information breached includes SSN, business/organization must provide FREE CREDIT MONITORING SERVICES to all affected residents for AT LEAST 1 YEAR.
  • Content requirements: Notice to consumers must include: description of breach; approximate date of breach; type of personal information subject to breach; steps taken by person to investigate breach; contact information for consumer reporting agencies (if applicable); steps consumer can take to protect from harm.
  • Law enforcement delay: Notice may be delayed if law enforcement agency determines notice will compromise criminal investigation; notice required after law enforcement determines notice will not compromise investigation.
  • Third-party service providers: Third party maintaining data on behalf of another must notify owner/licensee immediately after discovering breach.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].

9. State Overlay Checklist (DE)

  • Applicability thresholds and exemptions: LOWEST ENACTED THRESHOLD: 35,000+ Delaware residents (excluding payment-only data) OR 10,000+ residents + >20% revenue from sale. No revenue minimum. Accounts for Delaware's smaller population. Applies to most nonprofits and higher education (like CO/OR). Exemptions: GLBA institutions (for GLBA activities), HIPAA covered entities (for PHI), state/tribal entities, air carriers under 49 U.S.C.
  • Sensitive data definition and consent/opt-out requirements: 11 categories of sensitive data (see Section 2 above): race/ethnicity, religion, health (including pregnancy), sex life, sexual orientation, transgender/non-binary status (unique provision like OR), citizenship/immigration, genetic data (separately defined), biometric data, child data, precise geolocation. Consent required for processing. Genetic data separately defined from biometric data (unique provision).
  • Consumer rights and response timelines/appeals: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + one 45-day extension (with notice). Appeals: Consumer may appeal denial; controller must respond to appeal within 45 days; must inform consumer of right to contact Delaware Department of Justice.
  • Opt-out of sale/targeted advertising/profiling requirements: Must provide clear and conspicuous method for opting out. CRITICAL: Must recognize universal opt-out mechanisms effective January 1, 2026. Profiling opt-out required for decisions with legal/similarly significant effects.
  • Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Contract required. Must include: processing instructions, nature/purpose, data type, duration, parties' rights/obligations, processor assistance with DPDPA obligations, deletion/return upon completion.
  • Data Protection Assessment / Risk Assessment triggers: Required for processing activities presenting heightened risk of harm: (1) Targeted advertising; (2) Sale of personal data; (3) Profiling if reasonably foreseeable risk of unfair/deceptive treatment, unlawful disparate impact, financial/physical/reputational injury, intrusion on solitude/seclusion, or other substantial injury; (4) Processing sensitive data. Delaware Department of Justice may request DPAs to evaluate compliance.
  • Security measures expectations (reasonable security; specific mandates if any): Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Document security controls in DPAs.
  • Breach notice timeline and content requirements: 60 days max from determination to notify residents (unless shorter federal timeline); notify AG concurrently if 500+ residents. Content: breach description, date, PI types, investigation steps, credit agency contacts, consumer protective steps. CRITICAL: Must provide FREE CREDIT MONITORING for AT LEAST 1 YEAR if SSN involved. Penalties can reach $10,000 per violation.
  • Children/minors rules (e.g., COPPA; state-specific if any): Personal data of known children is sensitive data requiring consent. Comply with COPPA for children under 13.
  • Non-discrimination/retaliation prohibitions under state law: Controller may not discriminate against consumer for exercising DPDPA rights, including denying goods/services, charging different prices/rates, or providing different level/quality. Financial incentives permitted with reasonable relationship to value of consumer's data.
  • Recordkeeping: ROPA/DPIA retention and appeal tracking: Maintain DPAs and make available to Delaware Department of Justice upon request. Maintain documentation of consumer request responses and appeal determinations. CRITICAL: 60-day cure period SUNSETS December 31, 2025; effective January 1, 2026, Department of Justice may choose (but not required) to provide cure opportunity. Department of Justice has exclusive enforcement authority; fines up to $10,000 per violation. No private right of action.

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and processor agreements.
  • Data protection assessments (required for targeted advertising, sales, profiling, sensitive data processing).
  • Security practices documentation (administrative, technical, physical).
  • Sensitive data consent mechanisms.
  • Universal opt-out mechanism implementation (required January 1, 2026).
  • Credit monitoring vendor agreement (for SSN breach response; must provide 1+ year free service).
  • State-specific notices/links and breach templates.