New Year’s Resolution: Get TDPSA-Compliant
On October 25, 2023, Gray Reed Advisory Services published its first blog in a series entitled Texas Data Privacy and Security Act (TDPSA) Compliance Countdown: Part 1 – Enabling Consumer Rights Requests. The newly enacted Texas privacy law becomes effective July 1, 2024, with the universal opt-out mechanisms becoming effective six months later, on January 1, 2025, and is packed with a number of mandates that are broadly applicable to a company or individual that meets any of the following criteria stated in the law 88(R) HB 4:
- Conducts business in Texas or produces a product or service consumed by residents of Texas;
- Processes or engages in the sale of personal data (this includes maintaining personal information of consumers, clients and business partners); and
- Is not a small business, as defined by the United States Small Business Administration (SBA), except where Section 541.107 prohibits a person from engaging in the sale of sensitive personal data without receiving prior consent from the consumer.
Six Months Left to Prepare
With the TDPSA taking effect in just six months, organizations across the state must prioritize preparations to comply. By shoring up vulnerabilities, reassessing data management policies, and improving transparency and responsive plans, companies can avoid penalties and build trust.
As discussed in our previous blog, the TDPSA is a critical piece of legislation focused on ensuring that Texans’ personal and sensitive data is handled with the utmost care and security. It establishes what the expectations are for organizations and provides a framework for how organizations collect, store, access, process and share personal data. The law also dictates how organizations shall communicate their privacy practices, respond to data subject access requests, manage data breach incidents and ensure adequate safeguards and security measures are in place.
TDPSA is a countermeasure against the increasing threats of data breaches, identity theft and other cybercrimes that can severely impact individuals and businesses. By implementing strict data protection safeguards, the TDPSA seeks to uphold confidence in online transactions and to improve the competitive edge of Texas-based companies in the international marketplace.
Data Protection Assessments (DPAs) Requirements
As highlighted in our previous blog, the TDPSA Compliance Countdown blog series covers the critical how-to activities to comply with the central tenets of the TDPSA:
- Enabling Consumer Rights Requests
- Conducting Data Protection Assessments
- Contractual Requirements Between Controllers and Processors
- Universal Opt-Out Mechanisms
- Opportunity to Cure Violations
- Disclosure Transparency and Privacy Notice Updates
We shared to whom the law applies and who, therefore, must also perform the data protection assessments (DPAs) noted above. This article provides leading practices for conducting DPAs, including when, where, why (purpose) and how to complete them.
Like the privacy laws of Virginia, California and Colorado, the TDPSA requires organizations (aka “controllers”) to conduct and document DPAs for certain “processing” activities, meaning an operation or set of operations performed, either manually or automated, on personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification.
Below are various scenarios of when DPAs are required:
1) the processing for targeted advertising;
2) the sale of personal data;
3) the processing for purposes of profiling;
4) the processing of any sensitive data; and
5) any processing activities that might present a heightened risk of harm to consumers.
The above criteria for when assessments are necessary suggest several areas of an organization where a collaborative effort is critical for completing and documenting DPAs. More specifically, organizations should consider performing a DPA when one or more of the following scenarios are applicable:
- Processes involving the use of innovative technologies;
- Any decision made about an individual’s access to a product, service, opportunity or benefit is based to any extent on automated decision-making or involves the processing of sensitive personal data;
- Any profiling of individuals on a large scale;
- Any processing of biometric data;
- Any processing of genetic data other than that processed by a general practitioner or health professional for the provision of health care directly provided to the individual;
- Combining, comparing or matching personal data obtained from multiple sources;
- Processing of personal data that has not been obtained directly from the individual in circumstances where the controller considers that compliance would prove impossible or involve disproportionate effort;
- Processing that involves tracking an individual’s geo-location or behavior, including but not limited to the online environment;
- Use of the personal data of children or other vulnerable individuals for marketing purposes, or to offer online services directly to children; or
- When the action of processing data is such that if a data breach occurred, it could jeopardize the physical health or safety of individuals.
Leading Practices for Conducting DPAs
The office performing DPAs works with stakeholders across departments, typically Legal, IT, Contracts, Internal Audit, and Finance and Accounting, in the normal course of managing privacy operations. Performing DPAs, however, generally extends collaboration across an enterprise to include Human Resources, Marketing, Sales and Strategic Initiative Teams that plan and manage activities such as mergers and acquisitions, and lines of business rolling out new products and services.
The purpose of conducting DPAs is to evaluate the potential for any significant physical, material or non-material harm to individuals. DPAs should obtain a clear understanding of a specific processing activity and its potential impact on individuals (e.g., consumers, customers and business partners) about whom personal data is being processed, the possible impact on other processing activities, any risk at the IT systems, program, and enterprise levels, and of course, risk to complying with an organization’s privacy principles, internal policies, and applicable privacy laws and regulations.
Benefits vs. Potential Risks
TDPSA stipulates how DPAs must be conducted, starting with the identification (and weighing) of any direct or indirect benefits that may result from the processing (either to the controller, the consumer, other stakeholders or the public) against the potential risks to the rights of the individual associated with that processing. It should include a risk mitigation strategy of safeguards and technical measures that the controller can deploy to reduce such risks.
Criteria for Analysis
The law prescribes key elements that must be included as part of an organization’s analysis, such as:
- Use of de-identified data
- Reasonable expectations of consumers
- Context in which processing activities occur, and
- Relationship between the controller and the consumer whose personal data will be processed.
Once the analysis has been performed and documented, organizations are required to make their DPAs available upon request to the Texas attorney general under a civil investigative demand, as mandated in Section 541.153 of the law. Noteworthy is that a DPA is considered confidential and exempt from public inspection and copying under Chapter 552 of the Government Code. Therefore, any disclosure of a DPA in compliance with a request from the attorney general does not constitute a waiver of attorney-client privilege or work product protection concerning the assessment and any information contained within it.
Finally, a DPA completed by a controller to comply with other privacy laws or regulations may constitute compliance with the TDPSA if the assessment has a reasonably comparable scope and effect. Stated another way, if an organization has recently completed a DPA to comply with a different state law whereby that same process also triggers the need to complete a DPA for the TDPSA, the existing DPA will satisfy the TDPSA requirement. Even better, DPAs will only apply to processing activities created or generated after January 1, 2023, and are not retroactive.
Creating A DPA Template
There are multiple approaches that an organization may take to define, organize and document a DPA Template it uses to perform assessments. Gray Reed Advisory Services’ DPA Template guidance is three-fold:
- Think more broadly: When creating the DPA template, don’t take too narrow an approach. You may inadvertently exclude critical details and miss an opportunity to glean pertinent information that has a direct, indirect or tangential impact on the process being assessed, or that other organizational goals, initiatives and future business needs depend upon. For that reason, ensure your DPA template enables capturing the appropriate type of insights needed while avoiding the trap of over-engineering it.
- Socialize the template: Often, organizations distribute templates or questionnaires for assessments and audits without confirming a user’s understanding of the template, questions posed, and how to respond to them, creating additional legwork or misunderstandings. For this reason, organizations should consider performing a ‘pilot test’ of their DPA template on a small, select group of users or hold an online webinar to step through an illustrative example including user “Do’s and Don’ts” to solicit feedback and update the template and its instructions accordingly.
- Stakeholder Reviews: If a member of the organization’s Office of Privacy is completing the DPA, an excellent leading practice is to send stakeholders, in advance of a meeting, the questions to be asked, or, if the template is already completed, the answers that need to be validated. Demystifying the meeting topics and questions ahead of time significantly increases stakeholder participation, accuracy of the information, and timely completion of DPAs. Once a DPA is completed, consider returning to the primary contributor(s) for a final review, especially if the DPA captures a more complicated business process. If the contributor completed the DPA themselves, there is even more reason to review the completed DPA together to ensure your understanding of their answers.
Contact Gray Reed Advisory Services to get started on assessing how your data privacy posture complies with the newly enacted TDPSA. Our team offers specialized consulting services to help clients audit their data practices, identify gaps in compliance, and establish or update operational processes to meet legal obligations. Our unique advantage is that our advisory team can easily collaborate with Gray Reed attorneys to incorporate authoritative privacy law guidance and review of new processes, enabling us to provide fully integrated legal and operational support to manage data privacy in today’s complex regulatory landscape.