Data Protection Impact Assessment (DPIA) (IN)

DATA PROTECTION IMPACT ASSESSMENT (DPIA) (State overlay: IN)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe]; Timeline: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (INCDPA): ☐ Racial/ethnic origin; ☐ Religious beliefs; ☐ Mental/physical health diagnosis; ☐ Sexual orientation; ☐ Citizenship/immigration; ☐ Genetic/biometric; ☐ Child (under 13); ☐ Precise geolocation. Opt-in consent required.
  • Volume/retention: [records/year], [retention per purpose].
  • Processing: [collection, storage, analysis, sale]. "Sale" = exchange for monetary/other consideration; "Targeted advertising" = ads based on cross-site activities; "Profiling" = automated processing for decisions.

3. Legal Basis, Notices, and Rights

  • Primary law: Indiana Consumer Data Protection Act (INCDPA), effective January 1, 2026. Signed May 1, 2023.
  • Thresholds: 100,000+ IN consumers, OR 25,000+ IN consumers AND >50% of revenue derived from the sale of personal data. NO revenue minimum.
  • Exemptions: GLBA, HIPAA, FCRA, FERPA, DPPA, FCA (broad federal exemptions), nonprofits, higher ed, utilities, government.
  • Rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + 45-day extension.
  • Opt-in consent required for sensitive data. Opt-out for sale/targeted ads/profiling.
  • 30-day cure period (permanent, no sunset) - most business-friendly cure provision.
  • DPA: Required for targeted ads, sales, profiling (with risk), sensitive data, or heightened risk.
  • Processor contracts: Instructions, data type, duration, obligations, deletion/return.

4-7. [Data Flow, Security, Risks, Mitigations - Standard sections]

8. Incident Response and Breach Notification

  • Statute: Ind. Code § 24-4.9-1 et seq. (private entities); § 4-1-11 et seq. (state agencies). Effective July 1, 2006; amended 2021.
  • Timeline: Without unreasonable delay, not more than 45 days after discovery. Must notify Indiana AG within 45 days if any residents notified.
  • Triggers: Unauthorized acquisition compromising security/confidentiality/integrity. PI = name combined with any of: SSN, driver's license number, state ID number, financial account number, or credit/debit card number plus the security code.
  • Exception: Encryption safe harbor. Good-faith employee acquisition not further disclosed. Law enforcement delay permitted. No notice if breach has not and could not result in identity theft/fraud.
  • If 1,000+ residents, notify consumer reporting agencies.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].

9. State Overlay Checklist (IN)

  • Applicability: 100,000+ consumers, OR 25,000+ consumers AND >50% of revenue from sale of personal data. NO revenue minimum. Exemptions: GLBA, HIPAA, FCRA, FERPA, DPPA, FCA (broad federal exemptions), nonprofits, higher ed, utilities, government.
  • Sensitive data: 8 categories with opt-in: racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration, genetic/biometric, child (under 13), precise geolocation.
  • Consumer rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + extension.
  • Opt-out: Sale, targeted advertising, profiling.
  • Processor contracts: Instructions, data type, duration, obligations, deletion/return, consumer rights assistance.
  • DPA triggers: Required for targeted ads, sales, profiling (with risk), sensitive data, or heightened risk.
  • Security: Data minimization. Appropriate administrative, technical, physical safeguards.
  • Breach notice: 45 days max. Indiana AG within 45 days. If 1,000+, notify CRAs. Encryption safe harbor. No notice if no identity theft/fraud risk.
  • Children: Under 13 data is sensitive requiring opt-in. COPPA compliance.
  • Non-discrimination: Cannot deny services, charge different prices, or provide different quality for exercising rights.
  • Enforcement: 30-day cure period (permanent, no sunset) - most business-friendly. AG exclusive enforcement. Penalties up to $7,500 per violation. No private right of action.

10-11. [Approvals & Attachments]
