GDPR is Almost Here – Are you Prepared?

On May 25, 2018, the European Union’s new data protection legislation, the General Data Protection Regulation (GDPR), will take effect. This law heralds a new era of rigorous data privacy and security and makes data privacy a fundamental right for EU citizens. Of course, all EU companies and many multinational companies doing business in the EU have to be fully compliant with this legislation on Friday. What is important to note is that some U.S.-based businesses, even those without employees or offices within the EU, may also be required to comply with the GDPR.

Does my U.S.-based business need to comply with this law?

If your business processes and/or holds personal data of individuals residing in the EU (including employees) or you are marketing/selling products to consumers in the EU, then your business must comply with GDPR. In a broad sense, the GDPR requires businesses to understand what data they are collecting, be able to articulate why they are collecting it and which of the six categories of lawful processing its purpose falls into, what the business’s strategy is in the event of a data breach, what the timeline for retention of personal data is, and how such data is destroyed when the purpose for collecting and retaining the data no longer exists. There is a record keeping exception that companies with fewer than 250 employees may qualify for.

But what is ‘personal data’ and what do you mean by ‘processing’?

‘Personal data’ is any information related to a person that could be used to identify such a person. This includes the person’s name, identification number, location data or online identifier, email addresses, bank information, social media posts, or other factors specific to the physical, genetic, physiological, economic, mental, cultural, or social identity of that person. The EU is taking a very broad approach to defining ‘personal data’ so it is best to consider almost any information you collect about an EU citizen to be personal data.

‘Processing’ means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.

Most, if not all of us, have a website and if a German resident stumbles upon our website, the GDPR will likely not apply just because that person found the website. However, if you are actively encouraging EU residents to visit your website, ship your products to the EU, market or translate your webpage in a language of an EU country, or if you engage with EU residents and process their personal data in any other way (for example track and collect information on webpage users from the EU to analyze online behavior), the GDPR may be applicable to your business.

The GDPR requires all businesses to protect the personal data of EU citizens, and specifically prescribes how this should be done.

How do I ensure compliance before May 25?

There is a “quick fix” that you can implement before Friday: add a cookie banner to your website that allows your business to ask permission before processing an EU resident’s data and also allows you to stop collecting data from any IP address from an EU country if they do not consent.

For the permission or consent to be valid in terms of GDPR, be sure not to use legal jargon or to bury the consent in fine print. Consent needs to be specific, in plain language, explain what you will be using the personal data for, and positive (i.e. the person must opt in to allow you to process the data).

Is there more to it?

Yes, the GDPR’s requirements are far-reaching and ensuring full compliance may take a bit more time.

One of the biggest and most important tasks is to map your data, i.e. figure out what personal data you store and collect in your databases (online, on computers, tablets and phones, and on paper), how that data is being used, and how long the data is being stored.

Once you have an idea of your data collection and retention practices, you need to determine what data relates to EU residents.

All EU residents need to consent (i.e. opt in) to your processing of their data, so the business will have to reach out to these residents to obtain consent or, alternatively, destroy the data.

Another key step is to update your data privacy policy and ensure that your business puts the necessary controls in place to adequately process personal data going forward. This policy should be in writing and become part of your existing and future service contracts with third parties.

What if my business doesn’t comply?

The penalties for non-compliance are quite steep: 4% of your company’s worldwide annual turnover of the preceding financial year or € 20 million, whichever is greater, for serious infringements of the GDPR; 2% or € 20 million, whichever is greater, for less serious infringements.

 

Contact us to schedule a consultation.

Tonya Price (tonya@jrwiener.com)

Francisca Pretorius (francisca@jrwiener.com)

Creating the Workplace We Want

Management and operation of a law firm has taken many forms over the years and we are exploring new, innovative ways to run our firm. We are experimenting with the use of democratic principles, Teal, and self-management to develop a style that works for us and our clients. Earlier this week, Jason sent an article around to the team that highlighted The Wellington Community Law Centre (WCLC), a New Zealand law firm that went from a traditional hierarchical management system to fully self-managed in six months. Our firm has been discussing and implementing self-management techniques and it was inspiring and encouraging to read about WCLC’s journey. While reading the article I was tripped up by the reference to “advice process.” I had never heard the term before and we haven’t formally chosen a decision-making process to adhere to, so I did a little research. In a nutshell, advice process is an alternative to top-down and consensus decision making. Instead of executives or leaders making decisions, the employee who notices the problem or opportunity is empowered to act on that knowledge and becomes the decision-maker. The decision-maker must seek input and advice from the relevant team members, leaders, and stakeholders, but is ultimately responsible for creating a proposal and deciding what action to take. The process resonates with me because even as the least experienced member of our firm, I feel empowered to make decisions and suggestions for improving processes or creating new ones. I’m comfortable approaching the more senior attorneys to discuss my ideas and get their feedback and I’m able to pursue projects that interest me and be an active participant in my career development.

My favorite quote from Geoffrey Roberts, the general manager of WCLC, was, “When you treat people with high levels of trust, then they will live up to that. They will give you much more than you can imagine. Anecdotally, I argue that high levels of trust result in high levels of engagement and flexibility.” Perhaps more than anything else discussed, I feel that building trust is critical. For me, feeling trusted makes me feel like I can make mistakes and that I will get productive feedback that will help me grow as a lawyer. Having trust also means that I’m not afraid to come forward when I have made a mistake or to be held accountable for a decision I made. One way our firm fosters a trusting environment is through quarterly retrospectives. Retrospectives give us the chance to reflect on what is and isn’t working – they also help remove the negative connotations from accountability. Instead of accountability being scary, it simply becomes an opportunity to celebrate a win or learn from a decision that didn’t work out.

As a member of a law firm that is treading an unconventional path, I love seeing what WCLC has been able to accomplish. It gives me hope for the future of the profession and it’s nice to know our firm is in good company.

Giving Employees the Right Vacation Time

Are you following Colorado law when it comes to paying for vacation time when an employee leaves your company? What if you lump together vacation time, sick time and other time off into “Paid Time Off” (PTO)? What follows is a discussion of whether your current employee policies regarding PTO are following Colorado law, especially with regard to the limitation on the amount of time an employee can accrue PTO.

Colorado law states that employers do not have to offer their employees paid time off for vacations or sick leave. If you do offer vacation time or PTO and an employee leaves, you are expected to pay the employee for any time that has “accrued”. So what happens if you have great employees who never take vacation? You are allowed to place restrictions on the amount of vacation pay an employee receives. For example, an employee earns 10 days a year of PTO. But the employee only uses 5 days and the other 5 days get forwarded to the next year. You can create a policy that an employee cannot accumulate more than 20 days of PTO. The Courts look at vacation time as a contract issue between a company and its employees. An employee handbook acts as a contract for purposes of this discussion. The Colorado Department of Labor provides: “An employer may establish a vacation policy in writing or by custom and practice. Employees must be made aware of the employer’s policy. Employers and employees must follow established policy unless and until that policy is changed.”

So, as an employer, you can provide in your employee handbook that an employee can accrue no more than 3 years of PTO (or a certain number of days). You have to make sure your employees are aware of the policies and usually employees sign acknowledgements that they have received copies of the handbook.

Here’s another example. Say an employee earns PTO each week. In other words, depending on seniority (some earn more PTO than others), an employee receives at least 3 hours each pay period for PTO. Putting a restriction on the amount of PTO time that can be accumulated is perfectly within the right of your company. A court case from 1998 that has not been overturned or received negative treatment has discussed this issue (City of Lamar v. Koehn, 968 P.2d 164 (Colo.App. 1998)). The case determined whether vacation time was to be included in the definition of “wages” for purposes of workers compensation. The Court stated the following:

Both vacation and sick leave were subject to forfeiture if claimant accrued a specified maximum number of leave days. However, claimant did not forfeit any vacation leave under this policy and was paid his full entitlement. [The reason he did not forfeit any vacation was because he had not yet reached the maximum number of leave days.]

In this case, the Court discussed a prior decision where vacation time was looked at as a type of leave that had a reasonable, present-day, cash equivalent value, and that claimant had a reasonable expectation of receiving the benefits under appropriate reasonable circumstances. However, this Court found that because the employer policy had vacation time as capped and subject to forfeiture, it was not proper to be included in the definition of “wages” for determining workers compensation benefits.

Colorado wage law states that vacation pay (which would include PTO for purposes of this discussion), earned in accordance with the terms of any agreement, is classified as wages or compensation. If an employer provides paid vacation (or PTO) for an employee, the employer must pay, upon termination of employment, all vacation pay earned and determinable in accordance with the terms of any agreement between the employer and the employee. So take a look at your vacation and PTO policies. Are they similar to the following?

PTO Yearly Carry Over

Employees may carry up to two full years of accrued PTO leave into the following calendar year. This will allow employees the benefit of carrying up to three (3) years accrued PTO in their PTO banks. Any overage of PTO at the end of the year will be forfeited.

Payment for PTO Overages

If an employee accumulates more than 3 years of PTO and a calendar year is ending within 30 days, PTO for the final two pay periods of the calendar year shall be adjusted such that an employee can only earn 25% of the PTO that has accumulated over the 3-year cap for PTO for that employee. There will be no further accruals of PTO following the end of the calendar year until employee uses some of the accrued PTO. Upon retirement, termination or death during the year, the employee or his or her heirs or estate shall be paid for any accrued, but unused PTO.

The carry-over provisions in the second paragraph above may be a little complicated but they are perfectly within an employer’s rights. The company can cap vacation and PTO time to three years. This prevents a huge buildup of a company liability that will be incurred when an employee leaves the company. If an employee is not taking their earned PTO during the year, then management needs to encourage or force time off for those employees.

This is just one example of how employers can create vacation or paid time off benefits for their employees but everyone should be aware of the responsibilities employers have for properly structuring their vacation policies. Please give us a call if you would like us to review your employee manuals or handbooks about this issue.

Choosing the Right Entity for Your Business

Last week our team held its first legal café at Green Spaces in Denver. We welcomed a group of approximately thirty entrepreneurs and discussed the nuances of entity choice. Our team was excited for the launch of what we hope will become a mainstay for the firm and a valuable resource for our community. We selected entity choice as our first topic because this early decision can often have far-reaching consequences for businesses. The right entity is critical for many aspects of the business, from protecting the social mission to attracting outside capital. Our hope is that we can help early stage entrepreneurs avoid the pitfalls of choosing an entity not well suited to their long term vision. To that end we created this presentation with an overview of entity types and strategies for choosing the right entity. Those who attended the legal cafe also had the opportunity to participate in an hour of small group Q&A with our team.

The event exceeded our expectations and our team is looking forward to hosting future legal cafes that provide useful information to entrepreneurs at all stages of developing their business.

Press Release: Leading Colorado Cooperative Business and Sustainable Economies Law Practices Join Forces

FOR IMMEDIATE RELEASE

Jason Wiener|p.c.

CONTACT:

Jason R. Wiener
Jason Wiener|p.c., a public benefit corporation
720.445.6860
jason@jrwiener.com
www.jrwiener.com

Linda D. Phillips
303.355.0401
linda@jrwiener.com
www.jrwiener.com

 


The law practices of Linda D. Phillips and Jason Wiener are merging effective April 1, 2018, to scale client service, capacity, training, and impact for the firms’ collective work with cooperatives, social enterprise start-ups, sustainable growth companies and mission-oriented businesses.  Jason and Linda have been collaborating for close to a decade. In that time, the shared ownership and cooperative movement has expanded significantly.  The two attorneys will merge their practices and continue the process of building a team of dedicated, talented, multi-faceted and purpose-filled attorneys.

The merger of Phillips Law Offices and Jason Wiener|p.c. coincides with the rapid growth in purpose-oriented start-up law work, shared ownership conversions of growing and mature transitional businesses, and alternative and non-extractive financing for small- to medium-sized businesses.  The combined firm will offer higher level resources and services to the growing craft beer and beverage, renewable energy, technology, agriculture and small producer, housing and real estate, and co-working sectors, and to other worker and multi-stakeholder owned businesses.  The firm has attorneys licensed in Colorado, New York, Massachusetts, Connecticut (pending), and South Africa, and serves clients in more than 21 states and 4 countries.

Linda and Jason will collaboratively train and lead a team of junior and mid-level attorneys and staff.  The firm is committed to self-management principles and transparency.  The firm has begun open management and collaboration practices, including regular internal discussions about client service, core values, financials, and business development.

About the merger, Linda says “it’s exciting to become part of a team that shares my passion for advancing cooperative business models and helping businesses realize their visions through proper legal and management structures.”

Jason says “We are tremendously fortunate and honored to leverage Linda’s experience to bridge three generations of Colorado cooperative law and to offer such deep business law expertise to our current, new and prospective clients. Linda’s addition to our team will also help train the next generation of cooperative and sustainable economies lawyers.”

# # #