Data Protection Impact Assessment (DPIA) (WI)
Ready to Edit
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
(State overlay: WI)
1. Project Overview
- Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
- Purpose and objectives: [describe].
- Timeline and launch date: [dates].
2. Scope of Processing
- Data subjects: [customers/employees/vendors/end users].
- Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
- Sensitive data (state definition): [list per state law if applicable]; lawful basis/consent requirements: [insert].
- Volume and retention: [records/year], [retention schedule and deletion triggers].
- Processing activities: [collection, storage, analysis, sharing/sale/sharing status].
3. Legal Basis, Notices, and Rights
- No comprehensive consumer privacy law. Wisconsin has breach notification statute only.
- Applicability: Businesses maintaining/owning/licensing PI of WI residents.
- Consumer rights: No mandated access, correction, deletion, or opt-out rights (apply federal laws).
- Primary compliance obligation: Breach notification under Wis. Stat. § 134.98.
- Insurance licensees: Must also notify WI Office of the Commissioner of Insurance within 3 business days (Insurance Data Security Law).
- Security standard: Reasonable security measures to protect PI.
4. Data Flow and Transfers
- Source systems: [list]; storage/hosting locations: [cloud region/data centers].
- Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
- Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
- Access controls: RBAC groups, least privilege, joiner/mover/leaver process.
5. Security and Controls
- Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
- Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
- Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.
6. Risks and Impact Assessment
- Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
- Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
- POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].
7. Mitigations and Residual Risk
- Planned mitigations: [controls, timelines, owners].
- Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
- Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].
8. Incident Response and Breach Notification
- Statute: Wis. Stat. § 134.98; updated through 2025 Wis. Act 47.
- Timeline: Within reasonable time, not to exceed 45 days after entity learns of acquisition of PI.
- No AG notification required.
- CRAs notification: If 1,000+ individuals affected, without unreasonable delay.
- Insurance licensees: Notify WI Office of the Commissioner of Insurance within 3 business days (Insurance Data Security Law).
- Third-party data handlers: Notify owner/licensee as soon as practicable following determination of breach.
- Triggers: Breach = unauthorized acquisition of unencrypted/unsecured PI. PI = first name/initial + last name + (SSN, DL/state ID, financial account + security/access code, medical, biometric).
- Exception: Good-faith employee acquisition. Law enforcement delay permitted. Encryption safe harbor.
- Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].
9. State Overlay Checklist (WI) - Breach Notification Only
- No comprehensive privacy law. Breach notification statute only (Wis. Stat. § 134.98).
- Applicability: Businesses maintaining/owning/licensing PI of WI residents.
- Sensitive data/Consumer rights: No mandated rights.
- Security: Reasonable security measures.
- Breach notice: 45 days max. No AG notification required. CRAs if 1,000+. Insurance licensees: 3 business days to WI Insurance Commissioner.
- Children: COPPA compliance.
- DPA/ROPA: Not required by law.
10. Approvals and Accountability
- Privacy lead/DPO review: [name/date].
- Security review: [name/date].
- Legal review (state law overlay): [name/date].
- Business owner certification: [name/date].
- Executive approver: [name/title/date].
11. Attachments
- Data flow diagrams/architecture.
- Records of processing activities entry.
- Vendor list and DPAs/SCCs.
- Legitimate interests assessment or risk assessment (if applicable).
- Testing summaries and pen test reports (if applicable).
- State-specific notices/links and breach templates.
Ezel AI
Hi! Need help customizing this document? I can tailor every section to your specific case in minutes.
AI Legal Assistant
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026