DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: IA)

1. Project Overview

• Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
• Purpose and objectives: [describe].
• Timeline and launch date: [dates].

2. Scope of Processing

• Data subjects: [customers/employees/vendors/end users].
• Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
• Sensitive data (ICDPA definition): ☐ Personal data revealing racial/ethnic origin; ☐ Religious beliefs; ☐ Mental/physical health diagnosis; ☐ Sexual orientation; ☐ Citizenship/immigration status; ☐ Genetic or biometric data for unique identification; ☐ Personal data of known child; ☐ Precise geolocation. Opt-in consent required for processing sensitive data.
• Volume and retention: [records/year], [retention schedule per business purpose].
• Processing activities: [collection, storage, analysis, sharing/sale status]. Definitions: "Sale" = exchange for monetary/other valuable consideration; "Targeted advertising" = ads based on consumer's cross-site activities; "Profiling" = automated processing to evaluate/predict personal aspects.

3. Legal Basis, Notices, and Rights

• Primary state privacy law(s): Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025.
• Applicability thresholds: 100,000+ Iowa consumers annually OR 25,000+ consumers + >50% revenue from sale. No revenue minimum. Exemptions: Government, nonprofits, HIPAA entities (PHI), GLBA institutions, higher education (FERPA data).
• Consumer rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + 45-day extension (with notice).
• Consent/opt-out: Opt-in consent for sensitive data. Opt-out for sale/targeted ads/profiling.
• Notice requirements: Privacy notice with PI categories, purposes, consumer rights, opt-out method.
• Processor contracts: Must include processing instructions, data type, duration, obligations, deletion/return provisions.

4. Data Flow and Transfers

• Source systems: [list]; storage: [cloud region/data centers].
• Cross-border transfers: [EU/UK/other]; tool: [SCCs/IDTA/CBPR].
• Recipients/vendors: [processors/subprocessors]; DPAs status.
• Access controls: RBAC, least privilege, joiner/mover/leaver process.

5. Security and Controls

• Technical: Encryption [specify], key management, network segmentation, EDR/AV, SIEM, DLP, backups, vulnerability management.
• Organizational: Policies, training, vendor diligence, IR playbook, change management.
• Authentication: [MFA method]; [SSO]; session timeouts; access reviews [cadence].
• Processors must implement appropriate technical/operational security measures.

6. Risks and Impact Assessment

• Risks: [unauthorized access, minimization failure, purpose creep, profiling, transfer, children/minors].
• Likelihood/Impact: [low/medium/high]; Risk matrix: [insert].

7. Mitigations and Residual Risk

• Mitigations: [controls, timelines, owners].
• Testing: [pen test, privacy-by-design].
• Residual risk: [rating]; Decision: [accept/mitigate/block].

8. Incident Response and Breach Notification

• Breach statute: Iowa Code Chapter 715C; effective July 1, 2008; amended 2014, 2018.
• Timeline: Notify Iowa AG within 5 business days after notifying consumers (if 500+ residents affected). Concurrent notification required. No specific consumer notification timeline specified (must be reasonable).
• Triggers: Unauthorized acquisition compromising security/confidentiality/integrity. PI = name + (SSN, DL, financial account, unique biometric data).
• Harm exception: No notice if no reasonable likelihood of financial harm after investigation; document in writing; retain 5 years.
• Content: Breach description, date, PI types, credit agency contacts.
• Law enforcement delay permitted.
• Coordination with other states/GLBA/HIPAA: [plan].

9. State Overlay Checklist (IA)

• Applicability: 100,000+ consumers OR 25,000+ + >50% sale revenue. No revenue minimum (unlike CCPA's $25M). Exemptions: Nonprofits, HIPAA/GLBA, higher ed (FERPA), government.
• Sensitive data: 8 categories requiring opt-in consent: racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration, genetic/biometric, child data, precise geolocation.
• Consumer rights: Confirm/access, correct, delete, portability, opt-out. Response: 45 days + 45-day extension. Appeals process required.
• Opt-out: Sale, targeted ads, profiling (solely automated decisions with legal/significant effects).
• Processor contracts: Instructions, data type, duration, obligations, deletion/return, consumer rights assistance.
• DPA triggers: Not explicitly required (unlike CA/CO/CT/VA).
• Security: Processors must implement appropriate technical/operational measures.
• Breach notice: 5 business days to AG after consumer notice (if 500+). No fixed consumer timeline. Harm exception with 5-year documentation.
• Children: Known child data is sensitive requiring consent. COPPA compliance.
• Non-discrimination: Cannot deny services, charge different prices, or provide different quality for exercising rights.
• Recordkeeping: 30-day cure period (permanent, no sunset). AG has exclusive enforcement. Penalties under Iowa Code § 714.16. No private right of action.

10. Approvals and Accountability

• Privacy lead/DPO review: [name/date].
• Security review: [name/date].
• Legal review: [name/date].
• Business owner: [name/date].
• Executive approver: [name/title/date].

11. Attachments

• Data flow diagrams.
• Records of processing activities.
• Vendor list and processor agreements.
• Security documentation.
• Breach templates (note: 5-day AG notice requirement if 500+ residents).