Templates Compliance Regulatory Data Protection Impact Assessment (DPIA) (IL)
Illinois Compliance Regulatory
Blank Document PRO
From Template
Upload Document Word (.docx) & Markdown files
PRO
Data Protection Impact Assessment (DPIA) (IL)
Ready to Edit
Data Protection Impact Assessment (DPIA) (IL) - Free Editor

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: IL)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (state definition): [list per state law if applicable]; lawful basis/consent requirements: [insert].
  • Volume and retention: [records/year], [retention schedule and deletion triggers].
  • Processing activities: [collection, storage, analysis, sharing/sale/sharing status].

3. Legal Basis, Notices, and Rights

  • No comprehensive consumer privacy law. Illinois has breach notification statute only.
  • Applicability: Entities conducting business in IL handling nonpublic PI of IL residents.
  • Consumer rights: No mandated access, correction, deletion, or opt-out rights (apply federal laws).
  • Primary compliance obligation: Breach notification under 815 ILCS 530 (Personal Information Protection Act).
  • Security standard: Reasonable security measures to protect PI.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
  • Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
  • Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Statute: 815 ILCS 530 (Personal Information Protection Act); effective June 27, 2006; amended Jan 2012, 2017, 2020.
  • Timeline: Most expedient time without unreasonable delay. State agencies: 45 days to IL AG or when consumer notice provided, whichever sooner (unless good cause for delay). State agencies: 5 business days to General Assembly.
  • AG notice: 250+ IL residents = notify IL AG.
  • Content: Must include toll-free numbers/addresses for CRAs, FTC toll-free/address/website, statement about fraud alerts and security freezes.
  • Triggers: Unauthorized acquisition compromising security/confidentiality/integrity. PI = first name/initial + last name + (SSN, DL, account/credit/debit + security code).
  • Exception: Encryption/redaction safe harbor. Good-faith employee acquisition.
  • Penalties: Unlawful practice under Consumer Fraud Act. Up to $50,000 civil + $50,000/violation for intentional fraud.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].

9. State Overlay Checklist (IL) - Breach Notification Only

  • No comprehensive privacy law. Breach notification statute only (815 ILCS 530).
  • Applicability: Entities conducting business in IL handling nonpublic PI of IL residents.
  • Sensitive data/Consumer rights: No mandated rights.
  • Security: Reasonable security measures.
  • Breach notice: Most expedient time. State agencies: 45 days to AG or when consumer notice, whichever first (+ 5 biz days to General Assembly). If 250+, notify IL AG. Must include CRA/FTC info and fraud alert/freeze statement. Penalties up to $50K + $50K/violation for intentional fraud.
  • Children: COPPA compliance.
  • DPA/ROPA: Not required by law.

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Legitimate interests assessment or risk assessment (if applicable).
  • Testing summaries and pen test reports (if applicable).
  • State-specific notices/links and breach templates.
AI Legal Assistant

Welcome to Data Protection Impact Assessment (DPIA) (IL)

You're viewing a professional legal template that you can edit directly in your browser.

What's included:

  • Professional legal document formatting
  • Illinois jurisdiction-specific content
  • Editable text with legal guidance
  • Free DOCX download

Upgrade to AI Editor for:

  • 🤖 Real-time AI legal assistance
  • 🔍 Intelligent document review
  • ⏰ Unlimited editing time
  • 📄 PDF exports
  • 💾 Auto-save & cloud sync