DATA PROTECTION IMPACT ASSESSMENT (DPIA)
State of South Dakota
Prepared By: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date of Assessment: [__/__/____]
Assessment Version: [____]
Classification: ☐ Confidential ☐ Internal Use Only ☐ Restricted
1. Project Overview
1.1 Project Identification
| Field | Details |
|---|---|
| Project Name/ID | [________________________________] |
| Business Owner | [________________________________] |
| Executive Sponsor | [________________________________] |
| Project Manager | [________________________________] |
| Privacy Lead | [________________________________] |
| Target Launch Date | [__/__/____] |
| DPIA Completion Deadline | [__/__/____] |
1.2 Project Description
Purpose and Objectives:
[________________________________]
Business Justification:
[________________________________]
Anticipated Duration: ☐ One-time project ☐ Ongoing operation ☐ Defined period: [____]
1.3 South Dakota Nexus Analysis
☐ Organization is an "information holder" that conducts business in South Dakota
☐ Organization owns or licenses computerized personal or protected information of South Dakota residents
☐ Organization maintains computerized personal or protected information on behalf of another information holder
PRACTITIONER NOTE: South Dakota was the 49th state to enact a data breach notification law (signed March 21, 2018; effective July 1, 2018). The state does not have a comprehensive consumer privacy law, and its primary data protection obligation is breach notification under SDCL 22-40-19 through 22-40-26. However, South Dakota's law has several notable features: a strict 60-day notification deadline, a relatively low AG notification threshold of 250 residents, substantial daily penalties of up to $10,000 per day per violation, and a unique "risk of harm" exception that allows organizations to avoid consumer notification (but still requires AG notification of the exception determination).
2. Scope of Processing
2.1 Data Subjects
Identify all categories of individuals whose data is processed:
☐ South Dakota resident customers/consumers
☐ Employees located in South Dakota
☐ Independent contractors
☐ Job applicants
☐ Website visitors
☐ Vendors/suppliers
☐ Minors (under 18)
☐ Other: [________________________________]
Estimated number of South Dakota residents affected: [________________________________]
2.2 Categories of Personal and Protected Information
Personal Information under SDCL 22-40-19:
"Personal information" means a person's first name or first initial and last name in combination with any one or more of the following data elements that relate to the person, if the data elements are not encrypted, redacted, or secured by other means rendering the name or element unreadable or unusable:
☐ Social Security number
☐ Driver's license number or other unique identification number created or collected by a government body
☐ Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account
Protected Information under SDCL 22-40-19:
"Protected information" means a person's:
☐ Health information as defined in 45 CFR 160.103 (HIPAA definition)
☐ An identification number assigned to a person by the person's employer in combination with any required security code, access code, or password
NOTE: South Dakota uses the term "protected information" in addition to "personal information," creating two parallel categories of data that trigger breach notification. The inclusion of employer-assigned ID numbers is a relatively unusual provision.
2.3 Sensitive Data Considerations
☐ Social Security numbers
☐ Financial account credentials
☐ Health information (HIPAA definition incorporated by reference)
☐ Driver's license / government-issued ID numbers
☐ Employer-assigned identification numbers + security codes
☐ Minor's data (COPPA obligations)
☐ Biometric data (not specifically covered but may trigger other obligations)
2.4 Data Volume and Retention
| Metric | Value |
|---|---|
| Estimated records processed annually | [________________________________] |
| Current volume of South Dakota resident data | [________________________________] |
| Retention period | [________________________________] |
| Deletion/destruction triggers | [________________________________] |
| Retention schedule review frequency | [________________________________] |
2.5 Processing Activities
☐ Collection (direct from consumer)
☐ Collection (from third parties)
☐ Storage/hosting
☐ Analysis/profiling
☐ Sharing with affiliates
☐ Sharing with third-party service providers
☐ Transfer to other jurisdictions
☐ Automated decision-making
☐ De-identification/anonymization
☐ Destruction/disposal
☐ Other: [________________________________]
3. Legal Basis and South Dakota Law Overlay
3.1 Applicable South Dakota Statutes
A. SDCL 22-40-19 through 22-40-26: Notification of Breach of Data Security
- Enacted: Signed March 21, 2018; effective July 1, 2018
- Key Feature: South Dakota was the 49th state to enact a breach notification law (only Alabama was later)
- Applicability: Any "information holder" -- a person or business that conducts business in South Dakota and owns or licenses computerized personal or protected information concerning a South Dakota resident. Also applies to any entity maintaining such information on behalf of another information holder (SDCL 22-40-20).
Key Provisions:
- Notification Deadline: Not later than 60 days from discovery or notification of the breach (SDCL 22-40-22). This is a hard deadline, not an "as soon as practicable" standard.
- AG Notification: Required if the breach affects 250 or more South Dakota residents. Notice to AG must be provided simultaneously with or prior to notice to affected residents (SDCL 22-40-22).
- AG Notification Content (SDCL 22-40-22):
  - Date of the breach or estimated date range
  - Date the breach was determined to have occurred
  - Description of the breach
  - Types of personal or protected information involved
  - Number of South Dakota residents affected
- Credit Bureau Notification: Required if 1,000 or more South Dakota residents are affected. Must notify all consumer reporting agencies (SDCL 22-40-22).
- Risk of Harm Exception (SDCL 22-40-21):
  - After an appropriate investigation and notification to the AG, an information holder may determine that the breach will not likely result in harm to the affected person
  - If so, notification to the affected individual is NOT required
  - However, the information holder MUST notify the AG of this determination
  - The AG retains authority to require notification
- Law Enforcement Delay (SDCL 22-40-23):
  - Notification may be delayed if law enforcement determines it would impede investigation
  - Once law enforcement determines notification will not compromise the investigation, notification must be made within 30 days
- Penalties (SDCL 22-40-25):
  - AG enforcement (exclusive)
  - Up to $10,000 per day for each violation
  - AG may recover reasonable attorney's fees and costs
  - No private right of action
B. SDCL 22-40-1 through 22-40-18: Computer Crimes
- Criminal penalties for unauthorized computer access (SDCL 22-40-1)
- Computer fraud (SDCL 22-40-8)
- Computer tampering (SDCL 22-40-9)
- Relevant to insider threat and external attack scenarios
C. SDCL 37-24: Deceptive Trade Practices and Consumer Protection
- Prohibits deceptive trade practices
- May apply to privacy misrepresentations
- AG enforcement authority
D. SDCL 1-27-1.5: Government Data Protection
- Governs protection of personal information held by state government entities
- Relevant if the project involves government data or government contracts
3.2 Consumer Rights Assessment (South Dakota)
| Right | Available? | Citation | Notes |
|---|---|---|---|
| Breach notification | Yes | SDCL 22-40-22 | Within 60 days maximum |
| Risk of harm exception | Yes | SDCL 22-40-21 | AG notification still required even if individual notice not given |
| Access/know | No | N/A | Not required under SD law |
| Correction | No | N/A | Not required under SD law |
| Deletion | No | N/A | Not required under SD law |
| Opt-out of sale | No | N/A | Not required under SD law |
| Portability | No | N/A | Not required under SD law |
| Private right of action | No | SDCL 22-40-25 | AG enforcement only |
3.3 Security Standards
South Dakota does not prescribe specific security measures. The state relies on a "reasonable security" standard implied by the breach notification framework and supplemented by industry standards.
Recommended Security Framework Alignment:
☐ NIST Cybersecurity Framework (CSF)
☐ CIS Critical Security Controls
☐ ISO 27001/27002
☐ Industry-specific standards (PCI-DSS, HIPAA Security Rule, etc.)
☐ Other: [________________________________]
4. Data Flow and Transfers
4.1 Data Flow Mapping
| Source | Data Elements | Destination | Purpose | Transfer Mechanism |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
4.2 Third-Party Recipients
| Vendor/Recipient | Data Shared | Purpose | DPA in Place? | Due Diligence Date |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No | [__/__/____] |
4.3 Third-Party Breach Obligations
Under SDCL 22-40-20, any person or business that maintains computerized personal or protected information on behalf of an information holder must notify the information holder of a breach of system security immediately following discovery.
| Third Party | Notification Obligation | Contact Method | Contractual SLA |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
4.4 Cross-Border Transfers
☐ Data remains within the United States
☐ Data transferred internationally -- specify jurisdictions: [________________________________]
☐ Transfer mechanisms in place: ☐ Standard Contractual Clauses ☐ Binding Corporate Rules ☐ Other
4.5 Access Controls
☐ Role-based access control (RBAC) implemented
☐ Least privilege principle enforced
☐ Joiner/mover/leaver process documented
☐ Privileged access reviews conducted: ☐ Quarterly ☐ Semi-annually ☐ Annually
☐ Access logging enabled
☐ Separation of duties enforced
5. Security and Technical Controls
5.1 Security Measures
South Dakota does not mandate specific technical controls, but implementing robust security measures reduces breach risk and demonstrates good faith. Document controls to support any AG inquiry following a breach.
Encryption:
☐ Encryption at rest: Algorithm: [________________________________] Key length: [____]
☐ Encryption in transit (TLS 1.2+): [________________________________]
☐ Encryption key management procedures documented
☐ Encrypted data safe harbor: encrypted, redacted, or otherwise unreadable/unusable data excluded from PI definition
Network Security:
☐ Firewalls deployed and rules reviewed regularly
☐ Network segmentation implemented
☐ Intrusion detection/prevention systems (IDS/IPS)
☐ VPN for remote access
☐ DNS security
Endpoint Protection:
☐ Antivirus/anti-malware on all endpoints
☐ Endpoint detection and response (EDR)
☐ Mobile device management (MDM)
☐ Automatic patching/update procedures
☐ Removable media controls
Data Loss Prevention:
☐ DLP tools deployed
☐ Content inspection rules configured for SD PI/protected information categories
Logging and Monitoring:
☐ Centralized log management (SIEM)
☐ Log retention period: [________________________________]
☐ Real-time alerting configured
☐ Regular log review process
☐ Audit trail for access to personal/protected information
Vulnerability Management:
☐ Vulnerability scanning frequency: [________________________________]
☐ Penetration testing frequency: [________________________________]
☐ Patch management timeline: Critical: [____] hours; High: [____] days
☐ Third-party application assessment
5.2 Organizational Controls
☐ Written information security policy documented and approved
☐ Employee security awareness training: frequency [________________________________]
☐ Background checks for employees with PI access
☐ Vendor due diligence and security assessment program
☐ Change management procedures
☐ Business continuity and disaster recovery plans
☐ Clean desk / clear screen policy
☐ Acceptable use policy
☐ Data classification policy
☐ Data retention and destruction policy
5.3 Data Destruction
☐ Paper records: cross-cut shredding or incineration
☐ Electronic records: secure wiping (NIST 800-88 compliant) or physical destruction
☐ Destruction certificates maintained
☐ Destruction schedule aligned with retention policy
☐ Third-party destruction vendor: [________________________________]
5.4 Authentication and Authorization
☐ Multi-factor authentication (MFA) for systems containing PI/protected information
☐ Strong password policies enforced
☐ Single sign-on (SSO) / SAML integration
☐ Session timeout configured: [____] minutes
☐ Account lockout after [____] failed attempts
☐ Privileged access management (PAM) solution deployed
5.5 Health Information Security (if applicable)
If the project involves health information (covered under SD's "protected information" definition incorporating 45 CFR 160.103):
☐ HIPAA Security Rule compliance assessed
☐ HIPAA-compliant business associate agreements (BAAs) in place
☐ PHI encryption at rest and in transit
☐ HIPAA risk assessment completed
☐ Minimum necessary standard applied to data access
6. Risk Assessment
6.1 Threat Identification
| # | Threat/Risk | Likelihood | Impact | Risk Rating | SD-Specific Concern |
|---|---|---|---|---|---|
| 1 | Unauthorized access to PI | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | 60-day notification clock starts at discovery |
| 2 | Health information compromise | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | "Protected information" includes HIPAA health info |
| 3 | Employer ID + security code compromise | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Unique SD "protected information" category |
| 4 | Failure to notify AG for 250+ person breach | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | $10,000/day penalty |
| 5 | Missing 60-day notification deadline | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | $10,000/day penalty |
| 6 | Improper risk-of-harm determination | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | AG may override and require notification |
| 7 | Third-party vendor breach (delayed notice) | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Vendors must notify "immediately" |
| 8 | Ransomware/malware attack | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Encryption status critical for safe harbor |
| 9 | Insider threat / employee misuse | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Good-faith exception analysis |
| 10 | [________________________________] | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | [________________________________] |
6.2 Risk Rating Matrix
| Likelihood / Impact | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
6.3 SD-Specific Compliance Risk Assessment
| Requirement | Status | Gap Identified | Remediation Plan |
|---|---|---|---|
| 60-day notification process documented | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| AG notification process for 250+ breaches | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| AG notification content template prepared | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Credit bureau notification for 1,000+ breaches | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Risk-of-harm assessment procedure documented | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Risk-of-harm AG notification procedure | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Law enforcement delay protocol (30-day post-clearance) | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Health information (protected info) identification | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Employer ID data identification (protected info) | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Third-party "immediate" notification contractual term | ☐ Yes ☐ No | [________________________________] | [________________________________] |
7. Mitigations and Residual Risk
7.1 Planned Mitigations
| # | Risk Addressed | Mitigation Measure | Owner | Target Date | Status |
|---|---|---|---|---|---|
| 1 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 2 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 3 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 4 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 5 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
7.2 Testing and Validation
☐ Penetration test scheduled/completed: Date: [__/__/____]
☐ Privacy-by-design review completed
☐ Breach notification tabletop exercise completed (testing 60-day timeline)
☐ Risk-of-harm assessment procedure tested
☐ AG notification template reviewed by SD-licensed counsel
☐ Vendor "immediate notification" SLAs verified
☐ Vendor security assessments current
☐ Employee training records up to date
7.3 Residual Risk Determination
Overall Residual Risk Rating: ☐ Low ☐ Medium ☐ High ☐ Critical
Decision: ☐ Accept residual risk ☐ Implement additional mitigations ☐ Block/do not proceed
Justification:
[________________________________]
8. Incident Response and Breach Notification
8.1 South Dakota Breach Notification Requirements (SDCL 22-40-19 through 22-40-26)
Triggering Event: Breach of system security -- unauthorized acquisition of unencrypted computerized data or encrypted computerized data together with the encryption key, that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by an information holder (SDCL 22-40-19).
Definitions:
Personal Information (SDCL 22-40-19):
First name or first initial + last name in combination with:
- Social Security number
- Driver's license number or other unique government-issued identification number
- Account number, credit/debit card number + required security code/access code/password
Protected Information (SDCL 22-40-19):
- Health information as defined in 45 CFR 160.103
- Employer-assigned identification number + required security code/access code/password
Notification Timeline and Requirements:
| Notification Type | Deadline | Threshold | Citation |
|---|---|---|---|
| Individual notification | Not later than 60 days from discovery/notification | All affected SD residents (unless risk-of-harm exception applies) | SDCL 22-40-22 |
| AG notification | Simultaneously with or prior to individual notice | 250 or more SD residents affected | SDCL 22-40-22 |
| Credit bureau notification | With individual notification | 1,000 or more SD residents affected | SDCL 22-40-22 |
AG Notification Content (SDCL 22-40-22):
- Date of the breach or estimated date range
- Date the breach was determined to have occurred
- Description of the breach
- Types of personal or protected information involved
- Number of South Dakota residents affected
Notification Methods:
- Written notice to the mailing address of the individual in the records of the information holder
- Electronic notice (if consistent with E-SIGN Act, 15 U.S.C. Section 7001)
- Telephonic notice (if directly reaches the affected individual)
Substitute Notice (SDCL 22-40-22):
Available if the cost of providing notice would exceed $250,000 OR more than 500,000 persons affected OR insufficient contact information. Substitute notice consists of: (1) conspicuous posting on information holder's website (if maintained); (2) notification to major statewide media; and (3) email notice (if email address available).
8.2 Risk of Harm Exception (SDCL 22-40-21)
IMPORTANT: South Dakota has a unique risk-of-harm exception. After an appropriate investigation and notification to the AG, an information holder may determine that the breach will not likely result in harm to the affected person. If so, individual notification is not required. However, the AG must be notified of this determination and may override it.
Risk-of-Harm Assessment Procedure:
☐ Step 1: Conduct an appropriate investigation of the breach
☐ Step 2: Evaluate whether the breach will likely result in harm to affected persons
Consider:
☐ Nature and sensitivity of the compromised data
☐ Whether data was actually acquired by unauthorized person (vs. merely accessed)
☐ Whether data has been or is likely to be misused
☐ Whether affected individuals face increased risk of identity theft or fraud
☐ Whether credit monitoring or other protective measures were already in place
☐ Step 3: Document the risk-of-harm assessment and conclusion
☐ Step 4: Notify the South Dakota AG of the determination (MANDATORY even if individual notice is deemed unnecessary)
☐ Step 5: Obtain legal counsel review of the determination
☐ Step 6: Be prepared for AG to override the determination and require individual notification
Risk-of-Harm Determination:
☐ Harm likely -- individual notification required within 60 days
☐ Harm unlikely -- AG notified of exception determination on [__/__/____]
☐ AG has affirmed/overridden determination: [________________________________]
8.3 Incident Response Plan
Phase 1: Detection and Initial Assessment (0-24 hours)
☐ Incident identified and logged
☐ Incident response team activated
☐ Initial scope assessed: Is PI or protected information of SD residents involved?
☐ Evidence preservation initiated
☐ Legal counsel engaged (SD-licensed attorney)
☐ Determination: Is this a "breach of system security" under SDCL 22-40-19?
☐ 60-DAY CLOCK STARTS UPON DISCOVERY -- document discovery date precisely
Phase 2: Investigation and Containment (Days 1-14)
☐ Full scope of breach determined
☐ Number of South Dakota residents affected identified
☐ Categories of personal information and/or protected information compromised
☐ Determine if health information (protected info) involved -- HIPAA overlay assessment
☐ Determine if employer-assigned IDs (protected info) involved
☐ Breach contained and systems secured
☐ Law enforcement notification considered
☐ Encryption status verified (safe harbor analysis -- encrypted/redacted/unreadable data excluded)
Phase 3: Risk-of-Harm Assessment (Days 7-21)
☐ Formal risk-of-harm assessment conducted per SDCL 22-40-21
☐ Assessment documented in writing
☐ Legal counsel review of assessment
☐ If harm unlikely: prepare AG notification of exception determination
☐ If harm likely: proceed to notification preparation
Phase 4: Notification Preparation (Days 14-45)
☐ Determine applicable notification thresholds:
- 250+ SD residents: AG notification required (simultaneously with or prior to individual notice)
- 1,000+ SD residents: Credit bureau notification required
☐ Draft individual notification letter (reviewed by SD-licensed counsel)
☐ Draft AG notification with all required content elements
☐ Draft credit bureau notification (if applicable)
☐ Substitute notice evaluated if applicable (cost > $250K or 500K+ persons or insufficient contact info)
☐ Credit monitoring services arranged (not required by SD law but recommended as best practice)
Phase 5: Notification Delivery (by Day 60 from discovery)
☐ AG notification submitted: [__/__/____] (must be simultaneously with or prior to individual notice)
☐ Individual notices mailed/sent: [__/__/____]
☐ Credit bureau notification sent (if 1,000+ threshold met): [__/__/____]
☐ Substitute notice deployed (if applicable)
☐ Confirm all notifications completed within 60-day deadline
Phase 6: Law Enforcement Delay Protocol (if applicable)
☐ Law enforcement requested delay: [__/__/____]
☐ Law enforcement determined notification will not compromise investigation: [__/__/____]
☐ Notification must be made within 30 days of law enforcement clearance (SDCL 22-40-23)
☐ Notification completed: [__/__/____]
Phase 7: Post-Incident Review
☐ Root cause analysis completed
☐ Security controls updated
☐ Incident response plan revised based on lessons learned
☐ Documentation archived for potential AG inquiry
☐ Vendor contracts reviewed (if third-party breach)
8.4 Penalties and Enforcement
| Enforcement Mechanism | Details |
|---|---|
| AG enforcement | Exclusive enforcement authority (SDCL 22-40-25) |
| Daily penalties | Up to $10,000 per day for each violation |
| Attorney's fees | AG may recover reasonable attorney's fees and costs |
| Private right of action | None -- AG enforcement only |
PENALTY CALCULATION NOTE: The $10,000/day penalty structure means that delays in notification can become extremely costly. For example, a 30-day delay beyond the 60-day deadline could theoretically result in a $300,000 penalty. This makes strict adherence to the timeline critical.
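The notification decision procedure in 8.1 through 8.4 (breach definition and encryption safe harbor, 60-day individual deadline, 250- and 1,000-resident thresholds, substitute notice tests, risk-of-harm exception, 30-day post-clearance deadline, and $10,000/day exposure) written out as an added Python example; it is not part of this template. Assumptions, also marked in the comments: when law enforcement requested a delay, the later of the 60-day and 30-day post-clearance dates governs; credit bureau notice lapses when individual notice is excused; and the 500,000-person substitute notice test is applied to the South Dakota resident count.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and deadlines as the template states them (SDCL 22-40-19 through 22-40-26).
INDIVIDUAL_NOTICE_DAYS = 60        # SDCL 22-40-22: not later than 60 days from discovery
AG_RESIDENT_THRESHOLD = 250        # SDCL 22-40-22: AG notice if 250 or more SD residents
CRA_RESIDENT_THRESHOLD = 1000      # SDCL 22-40-22: consumer reporting agencies if 1,000 or more
SUBSTITUTE_COST_LIMIT = 250_000    # substitute notice if notice cost would exceed $250,000 ...
SUBSTITUTE_PERSON_LIMIT = 500_000  # ... or more than 500,000 persons affected
LE_CLEARANCE_DAYS = 30             # SDCL 22-40-23: within 30 days of law enforcement clearance
PENALTY_PER_DAY = 10_000           # SDCL 22-40-25: up to $10,000 per day for each violation


@dataclass
class Incident:
    """Facts established in Phases 1-3 of the incident response plan."""
    discovery_date: date
    sd_residents_affected: int
    data_encrypted: bool                       # safe-harbor analysis (Phase 2)
    encryption_key_compromised: bool = False
    harm_likely: bool = True                   # outcome of the SDCL 22-40-21 assessment
    estimated_notice_cost_usd: int = 0
    sufficient_contact_info: bool = True
    le_clearance_date: Optional[date] = None   # set only if law enforcement requested a delay


@dataclass
class Obligations:
    is_breach: bool
    individual_notice_required: bool
    individual_deadline: Optional[date]
    ag_notice_required: bool
    ag_notice_reason: str
    cra_notice_required: bool
    substitute_notice_available: bool


def is_breach_of_system_security(inc: Incident) -> bool:
    """SDCL 22-40-19: unencrypted data, or encrypted data acquired together with the key."""
    return (not inc.data_encrypted) or inc.encryption_key_compromised


def individual_notice_deadline(inc: Incident) -> date:
    """60 days from discovery; if law enforcement requested a delay, 30 days from clearance.
    Assumption (not stated in the template): the later of the two dates governs."""
    baseline = inc.discovery_date + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    if inc.le_clearance_date is None:
        return baseline
    return max(baseline, inc.le_clearance_date + timedelta(days=LE_CLEARANCE_DAYS))


def assess(inc: Incident) -> Obligations:
    if not is_breach_of_system_security(inc):
        # Encrypted data without the key falls outside the PI/protected-information definition.
        return Obligations(False, False, None, False, "", False, False)

    if inc.harm_likely:
        individual = True
        ag = inc.sd_residents_affected >= AG_RESIDENT_THRESHOLD
        reason = "250+ SD residents (simultaneous with or prior to individual notice)" if ag else ""
    else:
        # Risk-of-harm exception: no individual notice, but the AG must be told of the determination.
        individual = False
        ag = True
        reason = "risk-of-harm exception determination (SDCL 22-40-21); AG may override"

    # Assumption: credit bureau notice travels with individual notice, so it lapses with it.
    cra = individual and inc.sd_residents_affected >= CRA_RESIDENT_THRESHOLD

    # Assumption: the 500,000-person test is applied to the SD resident count held here.
    substitute = individual and (
        inc.estimated_notice_cost_usd > SUBSTITUTE_COST_LIMIT
        or inc.sd_residents_affected > SUBSTITUTE_PERSON_LIMIT
        or not inc.sufficient_contact_info
    )

    deadline = individual_notice_deadline(inc) if individual else None
    return Obligations(True, individual, deadline, ag, reason, cra, substitute)


def penalty_exposure_usd(deadline: date, actual_notice_date: date) -> int:
    """Upper-bound exposure for one late notification: $10,000 per day past the deadline."""
    days_late = (actual_notice_date - deadline).days
    return max(days_late, 0) * PENALTY_PER_DAY


if __name__ == "__main__":
    # Constructed scenario: 300 SD residents, unencrypted data, discovered 1 Jan 2026.
    inc = Incident(date(2026, 1, 1), 300, data_encrypted=False)
    ob = assess(inc)
    print(ob)
    print("exposure if notice goes out 1 Apr 2026:",
          penalty_exposure_usd(ob.individual_deadline, date(2026, 4, 1)))
```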
8.5 Multi-Jurisdictional Coordination
☐ Identify all states where affected individuals reside
☐ SD's 60-day deadline is a hard deadline -- map against all other applicable state timelines
☐ Federal law overlay analysis (GLBA, HIPAA, FERPA) completed
☐ Note: SD law does not provide exemptions for entities complying with federal breach notification regimes
☐ International notification requirements assessed (if applicable)
9. South Dakota-Specific Compliance Checklist
9.1 Key South Dakota Distinctions
| Feature | South Dakota Requirement | Comparison |
|---|---|---|
| Notification deadline | 60 days (hard deadline) | Stricter than "without unreasonable delay" in most states; less strict than VT's 45 days |
| AG notification threshold | 250 residents | Lower than most states (OK: 500; NV: 1,000 CRA only) |
| Penalty structure | $10,000/day/violation + attorney's fees | Among the highest daily penalties nationally |
| Risk-of-harm exception | Available (AG notification still required) | Unusual -- most states either require or don't require; SD has this middle path |
| Protected information | Includes HIPAA health info + employer IDs | Broader than many states' PI definitions |
| Law enforcement delay | 30 days post-clearance | Specific post-clearance deadline (uncommon) |
| Substitute notice threshold | $250,000 or 500,000+ persons | Same as Nevada; higher than VT ($10,000) |
| Private right of action | None | AG enforcement only |
| Federal preemption | None specified | Must comply with SD law in addition to federal requirements |
| Credit bureau notification | 1,000+ residents | Standard threshold |
9.2 Notification Timeline Tracker
Use this tracker to manage the 60-day notification deadline:
| Milestone | Target Date | Actual Date | Status |
|---|---|---|---|
| Breach discovery/notification date | N/A | [__/__/____] | Day 0 |
| 60-day deadline | [__/__/____] | N/A | Deadline |
| Investigation complete | Day 14 target | [__/__/____] | ☐ Complete |
| Risk-of-harm assessment complete | Day 21 target | [__/__/____] | ☐ Complete |
| AG notification drafted | Day 30 target | [__/__/____] | ☐ Complete |
| Individual notifications drafted | Day 35 target | [__/__/____] | ☐ Complete |
| AG notification sent | Day 45 target | [__/__/____] | ☐ Complete |
| Individual notifications sent | By Day 60 | [__/__/____] | ☐ Complete |
| Credit bureau notification sent (if applicable) | With individual notices | [__/__/____] | ☐ Complete ☐ N/A |
10. Approvals and Accountability
10.1 DPIA Review and Sign-Off
| Role | Name | Signature | Date |
|---|---|---|---|
| Privacy Lead / DPO | [________________________________] | [________________________________] | [__/__/____] |
| Information Security Officer | [________________________________] | [________________________________] | [__/__/____] |
| Legal Counsel (SD-licensed) | [________________________________] | [________________________________] | [__/__/____] |
| Business Owner | [________________________________] | [________________________________] | [__/__/____] |
| Executive Approver | [________________________________] | [________________________________] | [__/__/____] |
10.2 Review Schedule
☐ Annual review required: Next review date: [__/__/____]
☐ Triggered review upon material change to processing
☐ Triggered review upon change to South Dakota law
☐ Triggered review upon security incident involving South Dakota resident data
☐ Triggered review upon new vendor engagement involving SD PI/protected information
10.3 Decision
☐ APPROVED -- Processing may proceed subject to identified mitigations
☐ CONDITIONALLY APPROVED -- Processing may proceed only after completion of: [________________________________]
☐ NOT APPROVED -- Processing may not proceed. Reason: [________________________________]
Decision Authority:
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Signature: [________________________________]
11. Attachments
☐ Data flow diagrams / system architecture
☐ Records of processing activities (ROPA) entry
☐ Vendor list and data processing agreements
☐ Risk-of-harm assessment template
☐ Breach notification templates (individual, AG, credit bureau)
☐ AG notification content checklist
☐ 60-day notification timeline tracker
☐ Penetration test / vulnerability assessment reports
☐ Employee training records
☐ Data destruction certificates / procedures
☐ HIPAA overlay documentation (if health information processed)
☐ Law enforcement delay protocol documentation
Sources and References
- SDCL Chapter 22-40 (Computer Crimes and Breach Notification): https://sdlegislature.gov/Statutes/Codified_Laws/22-40
- South Dakota Attorney General -- Consumer Protection: https://consumer.sd.gov/
- SB 62 (2018 Session -- Breach Notification): https://sdlegislature.gov/Session/Bill/9006
- SDCL 37-24 (Deceptive Trade Practices): https://sdlegislature.gov/Statutes/Codified_Laws/37-24
- 45 CFR 160.103 (HIPAA Definition of Health Information): https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- CIS Critical Security Controls: https://www.cisecurity.org/controls
About This Template
Jurisdiction-Specific
This template is drafted specifically for South Dakota, incorporating applicable state statutes, local court rules, and jurisdiction-specific compliance requirements.
How It's Made
Drafted using current statutory databases and legal standards for regulatory compliance. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026