
Author: Francisca Pretorius

GDPR is Almost Here – Are you Prepared?

On May 25, 2018, the European Union’s new data protection legislation, the General Data Protection Regulation (GDPR), will take effect. This law heralds a new era of rigorous data privacy and security and makes data privacy a fundamental right for EU citizens. Of course, all EU companies and many multinational companies doing business in the EU have to be fully compliant with this legislation on Friday. What is important to note is that some U.S.-based businesses, even those without employees or offices within the EU, may also be required to comply with the GDPR.

Does my U.S.-based business need to comply with this law?

If your business processes and/or holds personal data of individuals residing in the EU (including employees) or you are marketing/selling products to consumers in the EU, then your business must comply with GDPR. In a broad sense, the GDPR requires businesses to understand what data they are collecting, be able to articulate why they are collecting it and which of the six categories of lawful processing its purpose falls into, what the business’s strategy is in the event of a data breach, what the timeline for retention of personal data is, and how such data is destroyed when the purpose for collecting and retaining the data no longer exists. There is a record-keeping exception that companies with fewer than 250 employees may qualify for.

But what is ‘personal data’ and what do you mean by ‘processing’?

‘Personal data’ is any information related to a person that could be used to identify such a person. This includes the person’s name, identification number, location data or online identifier, email addresses, bank information, social media posts, or other factors specific to the physical, genetic, physiological, economic, mental, cultural, or social identity of that person. The EU is taking a very broad approach to defining ‘personal data’ so it is best to consider almost any information you collect about an EU citizen to be personal data.

‘Processing’ means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.

Most, if not all of us, have a website and if a German resident stumbles upon our website, the GDPR will likely not apply just because that person found the website. However, if you are actively encouraging EU residents to visit your website, ship your products to the EU, market or translate your webpage in a language of an EU country, or if you engage with EU residents and process their personal data in any other way (for example track and collect information on webpage users from the EU to analyze online behavior), the GDPR may be applicable to your business.

The GDPR requires all businesses to protect the personal data of EU citizens, and specifically prescribes how this should be done.

How do I ensure compliance before May 25?

There is a “quick fix” that you can implement before Friday: add a cookie banner to your website that allows your business to ask permission before processing an EU resident’s data and also allows you to stop collecting data from any IP address from an EU country if they do not consent.

For the permission or consent to be valid in terms of GDPR, be sure not to use legal jargon or to bury the consent in fine print. Consent needs to be specific, in plain language, explain what you will be using the personal data for, and positive (i.e. the person must opt in to allow you to process the data).

Is there more to it?

Yes, the GDPR’s requirements are far-reaching and ensuring full compliance may take a bit more time.

One of the biggest and most important tasks is to map your data, i.e. figure out what personal data you store and collect in your databases (online, on computers, tablets and phones, and on paper), how that data is being used, and how long the data is being stored.

Once you have an idea of your data collection and retention practices, you need to determine what data relates to EU residents.

All EU residents need to consent (i.e. opt in) to your processing of their data, so the business will have to reach out to these residents to obtain consent or, alternatively, destroy the data.

Another key step is to update your data privacy policy and ensure that your business puts the necessary controls in place to adequately process personal data going forward. This policy should be in writing and become part of your existing and future service contracts with third parties.

What if my business doesn’t comply?

The penalties for non-compliance are quite steep: 4% of your company’s worldwide annual turnover of the preceding financial year or € 20 million, whichever is greater, for serious infringements of the GDPR; 2% or € 20 million, whichever is greater, for less serious infringements.

Contact us to schedule a consultation.

Tonya Price (tonya@jrwiener.com)

Francisca Pretorius (francisca@jrwiener.com)

Building Our Community Through Legal Cafés

A strong and supportive community can enable and catapult any entrepreneur to success. This is even more true for social entrepreneurs, those who find solutions to the most pressing social and environmental problems of our time. As an aspiring social entrepreneur, I can attest to the fact that my community became my champions, confidants, partners, teachers, and emotional support, without whom starting a business would have been a whole lot harder.  

Jason Wiener | p.c., a mission-driven company, believes in supporting our community by designing legal and business solutions that empower social entrepreneurs to find solutions for the most pressing social and environmental issues of our time. However, to get these innovative businesses off the ground, social entrepreneurs need to navigate a maze of options and regulations – a daunting and sometimes expensive task.  

Colorado is one of the most beautiful and exciting states to live in, yet it is simultaneously experiencing unprecedented, often inequitable and unsustainable growth. We need social entrepreneurs who come up with equitable and empowering solutions for our communities. As a social enterprise, we understand this need and support social entrepreneurs. We have the expertise, willingness, passion, knowledge, and ability to support social entrepreneurs to form their business, navigate the regulatory environment, and provide business solutions tailored to each venture’s needs. To expand access to this information and high-quality legal services, we have launched a pro bono initiative tentatively called the “Community Wealth Building Legal Café” in Denver, which will provide basic legal guidance on the elements of starting up an impactful social enterprise.

During our first legal café, we will discuss one of the first challenges that entrepreneurs face when starting a business: choosing a business entity that truly fits the entrepreneur’s, as well as the business’s, needs. Figuring this out can be time-consuming, confusing, and often costly. At this legal café, we will give a thirty-minute presentation on the diverse types of legal entities that entrepreneurs can consider, the pros and cons of each, and how to set these up. We will specifically focus on inclusive and engaging business models that have shared ownership at their core. Employee ownership more equitably distributes power and capital by allowing employees to have a purposeful stake in the business.

This legal café will be held at Green Spaces, a co-working space in Denver. After the thirty-minute presentation we will open the floor to questions. A team of attorneys from Jason Wiener | p.c. will be there to answer all questions about legal entities, social enterprise, and shared ownership. A free light lunch will also be served. Registration is also free. Register on Eventbrite on or before Tuesday, March 27.