Following the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA), Colorado is the third US state to adopt extensive data protection legislation. On 7 July 2021, Governor Polis signed the Colorado Privacy Act, which becomes effective in July 2023. The Act grants a set of rights to consumers and imposes obligations on businesses.
Under the GDPR each supervisory authority has to prepare and submit to the European Data Protection Board (EDPB) a list of processing operations that require organisations to conduct Data Privacy Impact Assessments (DPIA).
If you're in any doubt about whether your processing of personal data is within the parameters of the General Data Protection Regulation (GDPR), then you should carry out a DPIA, because the penalty for not doing so when it is appropriate to do so is a €10-million fine, or 2% of annual global turnover, whichever is greater.
A Data Protection Impact Assessment is a process for building and demonstrating compliance with the GDPR.
It’s a process that an organisation can use to systematically describe its data processing purpose and operation, assess whether its processing is likely to result in risk for the data subjects concerned, and determine measures for addressing these risks.