Latvia: abundance of data – always a treasure?

The General Data Protection GDPR, which establishes a uniform framework for the processing and protection of personal data across Europe, has already been in force for three and a half months. It directly affects any business company that stores and processes data about individuals. Moreover, the more data is at an company’s disposal, the higher the risks of data processing. By ensuring that the operations of a company are in line with the GDPR, these risks are in fact being identified, and preventive action towards eliminating them has been taken. Although it may seem that such process significantly increases the concerns a business owner already has, it may bring a lot of benefits in the long run. Efficient trade on new European markets, smarter staff and structured databases are just a few to mention. Another is avoiding penalties that may apply for breaches of the GDPR. Most domestic companies are still in the process of identifying and preventing these risks because they realise that abundance of data is not always a treasure – sometimes it can be a burden.

Large companies are most prepared for the GDPR.

Overall, out of all companies in Latvia, large companies or those with a EUR 1 Mio turnover have taken the GDPR seriously and addressed it. Meanwhile, a significant number of small and medium-sized businesses are still in the process of identifying and preventing the risks related to data processing. This trend is not surprising –  the large companies have larger databases, which means that the risks of data processing are higher and that they need to seriously consider ways to prevent them. Consequently, almost all of the large companies have carried out audits that have allowed them to identify the next steps that should be taken and plan their activities to ensure data protection. As soon as we understand what personal data we store and process, and how the data are governed by the GDPR, we can start the preparatory work – the specifics of the business operations of a company will determine how much time and money this process will require. When assessing the risks of data processing in a company, I would recommend using the risk classification tool by the tech company SIA "Datakom" and VILGERTS law firm. It can be found at Answer the nine questions and understand your company’s risk level.

Hoping that you will not be caught will not make GDPR disappear.

Every business owner has the right to hope that he/she won’t face any data processing risks, that customers will not complain to the local data processing supervising body and that the business will not be fined. Until recently, a large number of companies stored all the data they had without reviewing which information has never been used and only occupied space on their hard drives. The fact that the information companies accumulate over the years is not collected in accessible databases is another observation. First, it may turn out that the current way of storing information is in breach of the GDPR, and second, it is highly unlikely that such approach contributes to the effective functioning of a company. Moreover, not only personal data, but also business secrets are stored on computers without passwords or the encryption function. That shows careless attitude towards valuable information and its storage, and it should only be in the interests of the business owners that the GDPR might prevent it.. Therefore, I would recommend business owners and managers to prepare for the GDPR for safeguarding their know-how and not because GDPR has suddenly entered into force. In the Nordics,  business owners ask "what should be done?" instead of  asking "why should we do it?" to ensure that their clients' privacy is not adversely affected. The GDPR is already in force, there is no need to question its efficiency – it would be best to invest the energy in improving the efficiency of the business processes.

Take the opportunity to get rid of an unnecessary burden.

Data generate added value. However, the data add value only if they are necessary for attaining business purposes.  For example, there is a specific category of data that hospitals store – detailed medical history of patients, etc. –  that is necessary for the treatment of these patients. However, even in this case, a lot of unnecessary information can stored. For example, by storing information about vaccination, it is unlikely that the name of the nurse administering the injection will be of any importance ten years later. The name/surname of the nurse falls under a category of personal data that must be protected, and there is no need to store such data without a purpose. Abundance of data is not always a good thing, and the GDPR allows us to get rid of information that has been a burden for years but was never been disposed of due to laziness or precautions. It is definitely worth reviewing such information now that it can result in unpleasant penalties.


by Katrīne Pļaviņa, Attorney-at-law, Latvia

Related Lawyers

Related Experience

Provided legal advice on the possible effect to the commercial activities of the client’s group companies in relation to OFAC sanctions imposed to Aivars Lembergs.

Assisted various legal service providing companies throughout year 2019 by developing their internal AML/KYC procedures.

Audited consumer financing service provider Creamfinance and developed its internal AML/KYC procedure.

Assisted East Capital Baltic Property Fund III in acquiring Logistic Park near Riga International Airport for nearly 19 million euros. VILGERTS provided 100% legal support in the process including financing arrangements.