Latvia: Data State Inspectorate published Guidance on Data Protection Impact Assessment (NIDA)

On 25 February, the Latvian Data State Inspectorate published guidelines on conducting Data Protection Impact Assessments (NIDA). The guidelines delineate the process for identifying and managing risks associated with personal data processing, emphasising the importance of compliance with data protection principles and regulations. The document provides detailed instructions on assessing the legality and necessity of data processing activities, identifying potential risks, and implementing measures to mitigate these risks. The document states that a preliminary assessment determines whether a full NIDA is necessary by evaluating potential risks, such as systematic monitoring or processing sensitive data. The NIDA is mandatory for high-risk activities involving new technologies or significant impacts on individuals' rights. Risk assessments involve evaluating factors such as data sensitivity, processing methods, and potential impacts on individuals' rights and freedoms. This includes assessing how data is collected, stored and used, as well as the potential for data breaches or misuse. The implementation of technical and organisational measures is required to mitigate the risks. Furthermore, the impact on data subjects' rights and freedoms must be assessed, including the right to information, access, rectification, and erasure of data. Data subjects should be involved to understand their expectations and concerns regarding data processing.