DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: KY)

1. Project Overview

• Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
• Purpose and objectives: [describe].
• Timeline and launch date: [dates].

2. Scope of Processing

• Data subjects: [customers/employees/vendors/end users].
• Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
• Sensitive data (KCDPA): ☐ Racial/ethnic origin; ☐ Religious beliefs; ☐ Mental/physical health diagnosis; ☐ Sexual orientation; ☐ Citizenship/immigration; ☐ Genetic/biometric; ☐ Child (under 13); ☐ Precise geolocation. Opt-in consent required.
• Volume and retention: [records/year], [retention schedule and deletion triggers].
• Processing activities: [collection, storage, analysis, sale status]. "Sale" = exchange for monetary/other consideration; "Targeted advertising" = ads based on cross-site activities; "Profiling" = automated processing with reasonably foreseeable risks.

3. Legal Basis, Notices, and Rights

• Primary law: Kentucky Consumer Data Protection Act (KCDPA), effective January 1, 2026. HB 473 amendments (March 15, 2025) for HIPAA exemptions.
• Thresholds: 100,000+ KY consumers OR 25,000+ + >50% revenue from sale. NO revenue minimum.
• Exemptions: GLBA, HIPAA (HB 473 amendment - PHI handled by covered entities), higher ed, nonprofits, government.
• Rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + 45-day extension.
• Opt-in consent required for sensitive data. Opt-out for sale/targeted ads/profiling.
• DPA: Required for targeted ads, sales, profiling (with reasonably foreseeable risks), sensitive data, or heightened risk. DPAs only for activities initiated/generated after June 1, 2026 (5 months grace period).
• Processor contracts: Instructions, data type, duration, obligations, deletion/return.

4. Data Flow and Transfers

• Source systems: [list]; storage/hosting locations: [cloud region/data centers].
• Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
• Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
• Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

• Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
• Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
• Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.

6. Risks and Impact Assessment

• Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
• Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
• POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].

7. Mitigations and Residual Risk

• Planned mitigations: [controls, timelines, owners].
• Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
• Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

• Statute: KRS §§ 61.931 – 61.934 (public agencies and third-party contractors); KRS § 365.732 (general). Effective 2015.
• Timeline: Most expedient time without unreasonable delay. Third-party contractors to state agencies: 72 hours. If 1,000+, notify consumer reporting agencies.
• Triggers: Unauthorized acquisition of unencrypted/unredacted data that actually causes or will cause identity theft/fraud. PI = first name/initial + last name + (SSN, DL, financial account + access codes).
• Exception: Encryption/redaction safe harbor. Good-faith employee acquisition not further disclosed. Law enforcement delay permitted.
• No private right of action.
• Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].

9. State Overlay Checklist (KY)

• Applicability: 100,000+ consumers OR 25,000+ + >50% sale revenue. NO revenue minimum. Exemptions: GLBA, HIPAA (HB 473 - PHI by covered entities), higher ed, nonprofits, government.
• Sensitive data: 8 categories with opt-in: racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration, genetic/biometric, child (under 13), precise geolocation.
• Consumer rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + extension.
• Opt-out: Sale, targeted advertising, profiling (with reasonably foreseeable risks).
• Processor contracts: Instructions, data type, duration, obligations, deletion/return, consumer rights assistance.
• DPA triggers: Required for targeted ads, sales, profiling (with reasonably foreseeable risks), sensitive data, or heightened risk. DPAs only for processing initiated/generated after June 1, 2026 (5-month grace period after effective date).
• Security: Data minimization. Reasonable security measures.
• Breach notice: Most expedient time. Third-party contractors to state: 72 hours. If 1,000+, notify CRAs. Encryption/redaction safe harbor. No private action.
• Children: Under 13 data is sensitive requiring opt-in. COPPA compliance.
• Non-discrimination: Cannot deny services, charge different prices, or provide different quality for exercising rights.
• Recordkeeping: 30-day cure period (permanent). AG exclusive enforcement. Penalties up to $7,500 per violation. No private right of action.

10. Approvals and Accountability

• Privacy lead/DPO review: [name/date].
• Security review: [name/date].
• Legal review (state law overlay): [name/date].
• Business owner certification: [name/date].
• Executive approver: [name/title/date].

11. Attachments

• Data flow diagrams/architecture.
• Records of processing activities entry.
• Vendor list and DPAs/SCCs.
• Legitimate interests assessment or risk assessment (if applicable).
• Testing summaries and pen test reports (if applicable).
• State-specific notices/links and breach templates.