(a) In this section, "processing activities that present a heightened risk of harm to a consumer" means: (1) The processing of personal data for the purposes of targeted advertising; (2) The sale of personal data; (3) The processing of sensitive data; and (4) The processing of personal data for the purposes of profiling, in which the profiling presents a reasonably foreseeable risk of: (i) Unfair, abusive, or deceptive treatment of a consumer; (ii) Having an unlawful disparate impact on a consumer; (iii) Financial, physical, or reputational injury to a consumer; (iv) A physical or other intrusion on the solitude or seclusion or the private affairs or concerns of a consumer in which the intrusion would be offensive to a reasonable person; or (v) Other substantial injury to a consumer. (b) A controller shall conduct and document, on a regular basis, a data protection assessment for each of the controller's processing activities that present a heightened risk of harm to a consumer, including an assessment for each algorithm that is used. (c) (1) A data protection assessment conducted in accordance with this section shall identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, the consumer, other interested parties, and the public against: (i) The potential risks to the rights of the consumer associated with the processing as mitigated by safeguards that may be employed by the controller to reduce these risks; and (ii) The necessity and proportionality of processing in relation to the stated purpose of the processing. (2) The controller shall factor into a data protection assessment: (i) The use of de-identified data; (ii) The reasonable expectations of consumers; (iii) The context of the processing; and (iv) The relationship between the controller and the consumer whose personal data will be processed. (d) (1) The Division may require that a controller make available to the Division a data protection assessment that is relevant to an investigation conducted by the Division. (2) (i) The Division may evaluate a data protection assessment for compliance with the responsibilities established in this subtitle. (ii) A controller's data protection assessment may be used in an action to enforce this subtitle. (3) A data protection assessment is confidential and is exempt from disclosure under the federal Freedom of Information Act or the Public Information Act. (e) A single data protection assessment may address a comparable set of processing operations that include similar activities. (f) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be considered to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted in accordance with this section. (g) To the extent that any information contained in a data protection assessment disclosed to the Division includes information subject to attorney-client privilege or work product protection, the disclosure may not constitute a waiver of that privilege or protection. (h) A data protection assessment conducted under this section: (1) Shall apply to processing activities that occur on or after October 1, 2025; and (2) Is not required for processing activities that occur before October 1, 2025.
‹ Prev All Maryland sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.