CTDPA has a general requirement for data controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to its volume and nature”. These requirements are largely met by adherence to industry security frameworks such as the NIST Cybersecurity Framework, ISO 27000 and the CIS Benchmarks. Frameworks like these describe an Information Security Management System (ISMS), which in practice is an extensive list of security controls, for example establishing a security function (an administrative control), encrypting stored personal data (a technical control) and installing keycode entry doors (a physical control).
Encryption is a key control because CTDPA treats personal data that has been de-identified by encryption techniques as outside the scope of the act.
Privacy impact assessments are also required under the act when any of the following conditions are met: the processing of sensitive data, processing that presents a heightened risk of harm, or the sale of data or its use for targeted advertising. See the diagram below for a full list of expected controls under CTDPA.