Two state privacy laws – the Colorado Privacy Act (CPA) and the Connecticut Personal Data Privacy and Online Monitoring Act (also known as the Connecticut Data Privacy Act or the CTDPA) – went into effect on July 1st, 2023, joining the amended California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) data privacy laws enacted on January 1st, 2023.
Although the specific requirements vary slightly under each law, the CPA, VCDPA, and CTDPA require data controllers to conduct data protection assessments in certain circumstances where collecting and processing certain types of data may pose an elevated risk of harm to the data subject.
These data protection assessments are systematic assessments conducted to identify and minimize privacy risks associated with data processing activities. Privacy Edge software by LOKKER can be a helpful tool to assist in the assessment process by streamlining the identification of data collection happening on an organization’s website, the risks it presents, and potential mitigation measures.
To start, let’s quickly review the typical requirements of a data protection assessment.
Although there are slight nuances among the states’ laws, they were all modeled closely after the GDPR requirements and, therefore, generally include the following steps:
- Identify the data processing activities. First, identify the organization’s data processing activities, including what personal data the organization is collecting, storing, using, sharing, and deleting.
- Identify the risks to privacy. Next, determine the potential privacy risks these activities pose. Hazards include unauthorized access, disclosure, or destruction of personal data, the loss of control over personal data, and discrimination against individuals based on their data.
- Evaluate the likelihood and severity of the risks. Once the privacy risks have been identified, evaluate the probability and severity of these risks. Consider the nature of the personal data being processed, the sensitivity of the data, and the likelihood that a privacy breach could occur.
- Identify and implement mitigation measures. Finally, identify and implement mitigation measures to reduce the privacy risks, which may involve pseudonymization of personal data, encrypting personal data, enforcing access control measures, or putting in controls to block data sharing.
How to Use Privacy Edge to Streamline Assessment Requirements
LOKKER’s Privacy Edge platform can be an excellent tool for gathering information about data processed on an organization’s website. Here are some ways that Privacy Edge can help streamline assessment creation:
- Risk identification and evaluation: Privacy Edge identifies and evaluates privacy risks associated with data processing activities on an organization’s website. The software identifies factors such as how sensitive the data is, whether that data is being shared, and with whom, which ensures that potential risks are adequately assessed and documented.
- Collaboration and stakeholder involvement: Privacy Edge facilitates collaboration among stakeholders in Marketing, IT, and Privacy involved in the assessment process by making web privacy risks easy to identify and understand without much technical expertise.
- Documentation and reporting: Privacy Edge automates documentation generation, including the assessment findings, identified risks, and recommendations on how to mitigate risks. This ensures that the process is well-documented, supports accountability and transparency, and helps lawyers and privacy professionals follow a consistent and thorough methodology.
- Monitoring and review: Privacy Edge helps privacy professionals monitor and review the assessment results and reassess risks over time. It allows users to track the progress of mitigating measures, reassess risks, and update the documentation as necessary. With Privacy Edge, organizations can continuously evaluate and address privacy threats as data processing activities evolve.
- Mitigation measures: Privacy Edge can help mitigate the risks by blocking the collection and sharing of unauthorized data on the client’s website.
By utilizing Privacy Edge software for data protection assessments, privacy professionals can streamline the assessment process, ensure consistency in risk evaluation, and generate comprehensive reports. The software’s features support collaboration, compliance with legal requirements, and ongoing monitoring, ultimately enhancing the efficiency and effectiveness of assessments in identifying and mitigating privacy risks.