Nebraska Compliance Regulatory

Ready to Edit

Data Protection Impact Assessment (DPIA) (NE) - Free Editor

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: NE)

1. Project Overview

Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
Purpose and objectives: [describe].
Timeline and launch date: [dates].

2. Scope of Processing

Data subjects: [customers/employees/vendors/end users].
Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
Sensitive data (NDPA definition): ☐ Racial/ethnic origin; ☐ Religious beliefs; ☐ Mental/physical health diagnosis; ☐ Sexual orientation; ☐ Citizenship/immigration status; ☐ Genetic/biometric data for unique ID; ☐ Precise geolocation. Opt-in consent required.
Volume and retention: [records/year], [retention per business purpose].
Processing: [collection, storage, analysis, sale status]. "Sale" = exchange for monetary/other consideration; "Targeted advertising" = ads based on cross-site activities; "Profiling" = automated processing for decisions with legal/significant effects.

3. Legal Basis, Notices, and Rights

Primary law: Nebraska Data Privacy Act (NDPA), effective January 1, 2025.
UNIQUE THRESHOLD: NO revenue/consumer minimums. Applies if: (1) Conducting business in NE or offering products/services to NE residents; (2) Processing or selling personal data; (3) NOT "small business" under Federal Small Business Act. Small businesses still liable if selling sensitive data without consent.
Exemptions: GLBA, HIPAA (PHI), higher ed, nonprofits, government.
Consumer rights: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + 45-day extension. Appeals: 60 days.
Consent/opt-out: Opt-in for sensitive data and child data. Opt-out for sale/targeted ads/profiling.
Processor contracts: Instructions, data type, duration, obligations, deletion/return, consumer rights assistance.

4. Data Flow and Transfers

Source systems: [list]; storage/hosting locations: [cloud region/data centers].
Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.

6. Risks and Impact Assessment

Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].

7. Mitigations and Residual Risk

Planned mitigations: [controls, timelines, owners].
Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

Statute: Neb. Rev. Stat. § 87-801 et seq. (Financial Data Protection Act of 2006); amended 2016.
Timeline: As soon as possible without unreasonable delay after investigation determines misuse occurred/likely. Concurrent AG notice required.
Triggers: Breach compromising security/confidentiality/integrity. PI = name + (SSN, DL, financial account, health info).
Law enforcement delay permitted.
Coordination with other states/GLBA/HIPAA: [plan].

9. State Overlay Checklist (NE)

Applicability: UNIQUE - NO minimums. Applies to non-small businesses (SBA definition) processing/selling NE personal data. Small businesses liable if selling sensitive data.
Sensitive data: 7 categories requiring opt-in: racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration, genetic/biometric, precise geolocation.
Rights/Response: Confirm/access, correct, delete, portability, opt-out. 45 days + 45-day extension. Appeals: 60 days.
Processor contracts: Instructions, data type, duration, obligations, deletion/return, consumer rights assistance.
DPA triggers: Not explicitly required.
Security: Reasonable administrative, technical, physical practices.
Breach: Concurrent AG notice; "as soon as possible" without unreasonable delay.
Children: Child data is sensitive requiring opt-in. COPPA compliance.
Non-discrimination: Cannot deny services, charge different prices, or provide different quality.
Recordkeeping: 30-day cure period (permanent, no sunset). AG exclusive enforcement. Penalties up to $7,500 per violation. No private right of action.

10. Approvals and Accountability

Privacy lead/DPO review: [name/date].
Security review: [name/date].
Legal review (state law overlay): [name/date].
Business owner certification: [name/date].
Executive approver: [name/title/date].

11. Attachments

Data flow diagrams/architecture.
Records of processing activities entry.
Vendor list and DPAs/SCCs.
Legitimate interests assessment or risk assessment (if applicable).
Testing summaries and pen test reports (if applicable).
State-specific notices/links and breach templates.

AI Legal Assistant

$49 one-time

Need help customizing this document?

Get 3 days of intelligent editing. Tailor every section to your specific case.

Need to customize this document?

Do more with Ezel

This free template is just the beginning. See how Ezel helps legal teams draft, research, and collaborate faster.

AI Document Editor

AI that drafts while you watch

Tell the AI what you need and watch your document transform in real-time. No more copy-pasting between tools or manually formatting changes.

Natural language commands: "Add a force majeure clause"
Context-aware suggestions based on document type
Real-time streaming shows edits as they happen
Milestone tracking and version comparison

Learn more about the Editor

AI Chat Workspace

Research and draft in one conversation

Ask questions, attach documents, and get answers grounded in case law. Link chats to matters so the AI remembers your context.

Pull statutes, case law, and secondary sources
Attach and analyze contracts mid-conversation
Link chats to matters for automatic context
Your data never trains AI models

Learn more about AI Chat

Case Law Search

Search like you think

Describe your legal question in plain English. Filter by jurisdiction, date, and court level. Read full opinions without leaving Ezel.

All 50 states plus federal courts
Natural language queries - no boolean syntax
Citation analysis and network exploration
Copy quotes with automatic citation generation

Learn more about Case Law Search

Ready to transform your legal workflow?

Join legal teams using Ezel to draft documents, research case law, and organize matters — all in one workspace.

Customize This Document — $49 Full Platform — $249/mo

Request a Demo