Templates Compliance Regulatory Data Protection Impact Assessment (DPIA) (MD)
Maryland Compliance Regulatory
Blank Document PRO
From Template
Upload Document Word (.docx) & Markdown files
PRO
Data Protection Impact Assessment (DPIA) (MD)
Ready to Edit
Data Protection Impact Assessment (DPIA) (MD) - Free Editor

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: MD)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (MODPA): ☐ Racial/ethnic origin; ☐ Religious beliefs; ☐ Mental/physical health diagnosis; ☐ Sex life; ☐ Sexual orientation; ☐ Citizenship/immigration; ☐ Genetic/biometric; ☐ Child (under 13); ☐ Precise geolocation. Strictly necessary standard required (higher than opt-in).
  • Volume and retention: [records/year], [retention schedule and deletion triggers].
  • Processing activities: [collection, storage, analysis, sale status]. "Sale" = exchange for monetary/other consideration; "Targeted advertising" = ads based on cross-site activities; "Profiling" = automated processing for decisions.

3. Legal Basis, Notices, and Rights

  • Primary law: Maryland Online Data Privacy Act (MODPA), effective October 1, 2025; enforcement begins April 1, 2026.
  • LOWEST THRESHOLDS: 35,000+ MD consumers (excl. payment-only) OR 10,000+ + >20% revenue from sale. NO revenue minimum. Applies to nonprofits (narrow exceptions: first responders, fraud investigations).
  • Exemptions: GLBA, HIPAA (data-level), government.
  • Rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + 45-day extension.
  • Data minimization: Limit collection to "reasonably necessary and proportionate." Sensitive data "strictly necessary" (most restrictive standard).
  • 2026-2027: Enforcement begins April 1, 2026. Cure period sunsets April 1, 2027.
  • DPA: Required for heightened risk (targeted ads, sales, profiling, sensitive data). Must assess "each algorithm used" (unique requirement).
  • Universal opt-out: Must honor preference signals.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
  • Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
  • Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Statute: Md. Code Ann. Comm. Law §§ 14-3501 – 14-3508 (Personal Information Protection Act - PIPA); effective 2007; amended 2022 (HB 962).
  • Timeline: 45 days after discovery if own/license data; 10 days if maintain data. Must notify MD AG before consumer notice. Law enforcement delay: 7 days after clearance or end of 45-day period.
  • Triggers: Unauthorized acquisition compromising security/confidentiality/integrity. PI = first + last name (or initials) + (SSN, passport, DL, tax ID, financial account, genetic info).
  • Exception: Encryption/redaction safe harbor. Document determination for 3 years if no notice needed.
  • Reasonable security requirement (Oct 1, 2022): Safeguards appropriate to nature of data and size/operations of business. Private right of action under Consumer Protection Act.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].

9. State Overlay Checklist (MD)

  • Applicability: LOWEST thresholds: 35,000+ consumers (excl. payment-only) OR 10,000+ + >20% sale revenue. NO revenue minimum. Applies to nonprofits (narrow exceptions: first responders, fraud investigations). Exemptions: GLBA/HIPAA data-level, government.
  • Sensitive data: 9 categories with "strictly necessary" standard (most restrictive): racial/ethnic origin, religious beliefs, health diagnosis, sex life, sexual orientation, citizenship/immigration, genetic/biometric, child (under 13), precise geolocation.
  • Data minimization: Limit collection to "reasonably necessary and proportionate." Most restrictive framework to date.
  • Consumer rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + extension.
  • Universal opt-out: Must honor preference signals.
  • Processor contracts: Instructions, data type, duration, obligations, deletion/return, consumer rights assistance.
  • DPA triggers: Required for targeted ads, sales, profiling, sensitive data, heightened risk. Must assess "each algorithm used" (unique requirement).
  • Security: Reasonable safeguards appropriate to data nature and business size/operations (Oct 1, 2022 requirement).
  • Breach notice: 45 days (own/license) or 10 days (maintain). MD AG before consumers. Law enforcement delay: 7 days or end of 45-day period. Document for 3 years if no notice. Private right of action under Consumer Protection Act.
  • Children: Under 13 data is sensitive (strictly necessary). COPPA compliance.
  • Non-discrimination: Cannot deny services, charge different prices, or provide different quality for exercising rights.
  • Recordkeeping: Enforcement begins April 1, 2026. Cure sunsets April 1, 2027. AG exclusive enforcement under MODPA. Penalties up to $10,000 first violation; $25,000 subsequent. No private action under MODPA (but private action for breach/security under PIPA).

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Legitimate interests assessment or risk assessment (if applicable).
  • Testing summaries and pen test reports (if applicable).
  • State-specific notices/links and breach templates.
AI Legal Assistant

Welcome to Data Protection Impact Assessment (DPIA) (MD)

You're viewing a professional legal template that you can edit directly in your browser.

What's included:

  • Professional legal document formatting
  • Maryland jurisdiction-specific content
  • Editable text with legal guidance
  • Free DOCX download

Upgrade to AI Editor for:

  • 🤖 Real-time AI legal assistance
  • 🔍 Intelligent document review
  • ⏰ Unlimited editing time
  • 📄 PDF exports
  • 💾 Auto-save & cloud sync