Data Protection Impact Assessment (DPIA) (WV)
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
(State overlay: WV)
1. Project Overview
- Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
- Purpose and objectives: [describe].
- Timeline and launch date: [dates].
2. Scope of Processing
- Data subjects: [customers/employees/vendors/end users].
- Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
- Sensitive data (state definition): [list per state law if applicable]; lawful basis/consent requirements: [insert].
- Volume and retention: [records/year], [retention schedule and deletion triggers].
- Processing activities: [collection, storage, analysis, sharing/sale status].
3. Legal Basis, Notices, and Rights
- No comprehensive consumer privacy law. West Virginia has breach notification statute only.
- Applicability: Individuals/entities owning/licensing computerized data with PI of WV residents.
- Consumer rights: No mandated access, correction, deletion, or opt-out rights (apply federal laws).
- Primary compliance obligation: Breach notification under W.V. Code § 46A-2A-101 et seq.
- Security standard: Reasonable security measures to protect PI.
4. Data Flow and Transfers
- Source systems: [list]; storage/hosting locations: [cloud region/data centers].
- Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
- Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
- Access controls: RBAC groups, least privilege, joiner/mover/leaver process.
5. Security and Controls
- Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
- Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
- Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.
6. Risks and Impact Assessment
- Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
- Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
- State-specific employment or anti-discrimination considerations (e.g., POWR Act obligations where another state's overlay also applies): [insert].
7. Mitigations and Residual Risk
- Planned mitigations: [controls, timelines, owners].
- Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
- Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].
8. Incident Response and Breach Notification
- Statute: W.V. Code § 46A-2A-101 et seq.; enacted 2008.
- Timeline: Without unreasonable delay, subject to the time reasonably needed to determine the scope of the breach and restore the reasonable integrity of the system.
- No AG notification required. AG enforces compliance.
- CRA notification: If more than 1,000 persons must be notified, also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
- Third-party data handlers: Notify owner/licensee as soon as practicable following discovery.
- Penalties: Civil penalty of up to $150,000 per breach (or series of similar breaches discovered in a single investigation), imposed only for willful or repeated violations. Failure to comply is an unfair or deceptive act or practice enforceable by the AG.
- Triggers: Breach of security = unauthorized access AND acquisition of unencrypted, unredacted computerized data that compromises the security or confidentiality of PI, where the entity reasonably believes the breach has caused or will cause identity theft or other fraud to a WV resident. PI = first name or first initial + last name, linked to any of: SSN; driver's license or state ID number; financial account, credit, or debit card number together with any required security code, access code, or password that would permit access to the account.
- Exceptions: Good-faith acquisition by an employee or agent for the entity's own purposes (provided the PI is not misused or further disclosed) is not a breach. Notice may be delayed at the request of law enforcement. Elements that were encrypted, redacted, or otherwise unreadable fall outside the definition (encryption safe harbor), so encryption status of each exposed element must be established during triage.
- Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].
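The trigger, exception, and threshold elements listed above can be encoded as a triage step in the incident response playbook so that the handler records each determination explicitly. The following is an added example written for this template, not code from the original page or text of the statute; the field vocabulary (`first_name`, `ssn`, `access_code`, etc.) and the `Exposure` record are assumptions of the example, and counsel must confirm every result against W.V. Code § 46A-2A-101 et seq.

```python
"""Breach-notification triage helper for the WV overlay (added example).

Encodes the section 8 elements as a decision procedure. The statute
controls; this code only makes the handler's reasoning explicit.
"""
from dataclasses import dataclass, field

# Vocabulary for exposed data elements. These names are an assumption of
# this example, not terms from the template or the statute.
NAME_ELEMENTS = {"first_name", "first_initial"}
STANDALONE_IDENTIFIERS = {"ssn", "drivers_license", "state_id"}
CRA_THRESHOLD = 1000  # CRA notice when MORE THAN this many persons are notified


@dataclass
class Exposure:
    """Facts the incident handler has established about one exposure."""
    fields: set                                          # elements present in affected records
    encrypted_fields: set = field(default_factory=set)   # elements encrypted/redacted at rest
    wv_residents_to_notify: int = 0                      # WV residents who would receive notice
    acquired: bool = True                                # data was acquired, not merely accessed
    good_faith_employee: bool = False                    # acquisition by employee/agent for the entity
    fraud_reasonably_believed: bool = True               # identity theft/fraud reasonably expected
    role: str = "owner"                                  # "owner" or "third_party" (maintains for owner)


def readable_personal_information(fields, encrypted_fields):
    """True if the unencrypted, unredacted elements meet the WV PI definition:
    first name or initial + last name, linked to an SSN, DL/state ID, or a
    financial account number together with a code permitting account access."""
    readable = set(fields) - set(encrypted_fields)
    if "last_name" not in readable or not (readable & NAME_ELEMENTS):
        return False
    if readable & STANDALONE_IDENTIFIERS:
        return True
    # A bare account number is not PI; it must be paired with an access code.
    return "financial_account" in readable and "access_code" in readable


def triage(exp: Exposure) -> dict:
    """Return the notification obligations the section 8 elements point to."""
    out = {"breach_of_security": False, "notify_residents": False,
           "notify_cras": False, "notify_owner": False, "reasons": []}

    if not exp.acquired:
        out["reasons"].append("access without acquisition does not meet the breach definition")
        return out
    if exp.good_faith_employee:
        out["reasons"].append("good-faith acquisition by employee/agent for the entity's purposes is excluded")
        return out
    if not readable_personal_information(exp.fields, exp.encrypted_fields):
        out["reasons"].append("no unencrypted/unredacted PI exposed (name + qualifying identifier); "
                              "encryption safe harbor covers the encrypted elements")
        return out
    if not exp.fraud_reasonably_believed:
        out["reasons"].append("no reasonable belief of identity theft or other fraud; document the basis")
        return out

    out["breach_of_security"] = True
    if exp.role == "third_party":
        out["notify_owner"] = True
        out["reasons"].append("third-party handler: notify owner/licensee as soon as practicable")
        return out

    out["notify_residents"] = True
    out["reasons"].append("notify affected WV residents without unreasonable delay")
    if exp.wv_residents_to_notify > CRA_THRESHOLD:
        out["notify_cras"] = True
        out["reasons"].append("more than 1,000 persons notified: notify nationwide CRAs "
                              "of timing, distribution and content of the notices")
    return out


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    scenarios = {
        "db dump, SSNs in clear": Exposure({"first_name", "last_name", "ssn"}, wv_residents_to_notify=1500),
        "db dump, SSNs encrypted": Exposure({"first_name", "last_name", "ssn"}, encrypted_fields={"ssn"}),
        "card numbers without access code": Exposure({"first_initial", "last_name", "financial_account"}),
        "processor-side exposure": Exposure({"first_name", "last_name", "drivers_license"}, role="third_party"),
    }
    for label, exp in scenarios.items():
        print(label, "->", triage(exp))
```

The handler still has to supply the facts: whether acquisition (not just access) occurred, whether the elements were actually encrypted with keys the attacker did not obtain, and the resident count. Log the returned `reasons` list in the incident record; it is the basis for the notification decision that the AG can later examine.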
9. State Overlay Checklist (WV) - Breach Notification Only
- No comprehensive privacy law. Breach notification statute only (W.V. Code § 46A-2A-101).
- Applicability: Individuals/entities owning/licensing computerized data with PI of WV residents.
- Sensitive data/Consumer rights: No mandated rights.
- Security: Reasonable security measures.
- Breach notice: Without unreasonable delay. No AG notification required (but AG enforces). Nationwide CRAs if more than 1,000 persons are notified. Civil penalties up to $150K for willful or repeated violations.
- Children: COPPA compliance.
- DPA/ROPA: Not required by law.
10. Approvals and Accountability
- Privacy lead/DPO review: [name/date].
- Security review: [name/date].
- Legal review (state law overlay): [name/date].
- Business owner certification: [name/date].
- Executive approver: [name/title/date].
11. Attachments
- Data flow diagrams/architecture.
- Records of processing activities entry.
- Vendor list and DPAs/SCCs.
- Legitimate interests assessment or risk assessment (if applicable).
- Testing summaries and pen test reports (if applicable).
- State-specific notices/links and breach templates.
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026