Category: Outside General Counsel

GDPR is Almost Here – Are you Prepared?

On May 25, 2018, the European Union’s new data protection legislation, the General Data Protection Regulation (GDPR), will take effect. This law heralds a new era of rigorous data privacy and security and makes data privacy a fundamental right for EU citizens. Of course, all EU companies and many multinational companies doing business in the EU have to be fully compliant with this legislation on Friday. What is important to note is that some U.S.-based businesses, even those without employees or offices within the EU, may also be required to comply with the GDPR.

Does my U.S.-based business need to comply with this law?

If your business processes and/or holds personal data of individuals residing in the EU (including employees) or you are marketing/selling products to consumers in the EU, then your business must comply with GDPR. In a broad sense, the GDPR requires businesses to understand what data they are collecting, be able to articulate why they are collecting it and which of the six categories of lawful processing its purpose falls into, what the business’s strategy is in the event of a data breach, what the timeline for retention of personal data is, and how such data is destroyed when the purpose for collecting and retaining the data no longer exists. There is a record-keeping exception that companies with fewer than 250 employees may qualify for.

But what is ‘personal data’ and what do you mean by ‘processing’?

‘Personal data’ is any information related to a person that could be used to identify such a person. This includes the person’s name, identification number, location data or online identifier, email addresses, bank information, social media posts, or other factors specific to the physical, genetic, physiological, economic, mental, cultural, or social identity of that person. The EU is taking a very broad approach to defining ‘personal data’ so it is best to consider almost any information you collect about an EU citizen to be personal data.

‘Processing’ means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.

Most, if not all of us, have a website and if a German resident stumbles upon our website, the GDPR will likely not apply just because that person found the website. However, if you are actively encouraging EU residents to visit your website, ship your products to the EU, market or translate your webpage in a language of an EU country, or if you engage with EU residents and process their personal data in any other way (for example track and collect information on webpage users from the EU to analyze online behavior), the GDPR may be applicable to your business.

The GDPR requires all businesses to protect the personal data of EU citizens, and specifically prescribes how this should be done.

How do I ensure compliance before May 25?

There is a “quick fix” that you can implement before Friday: add a cookie banner to your website that allows your business to ask permission before processing an EU resident’s data and also allows you to stop collecting data from any IP address from an EU country if they do not consent.

For the permission or consent to be valid in terms of GDPR, be sure not to use legal jargon or to bury the consent in fine print. Consent needs to be specific, in plain language, explain what you will be using the personal data for, and positive (i.e. the person must opt in to allow you to process the data).

Is there more to it?

Yes, the GDPR’s requirements are far-reaching and ensuring full compliance may take a bit more time.

One of the biggest and most important tasks is to map your data, i.e. figure out what personal data you store and collect in your databases (online, on computers, tablets and phones, and on paper), how that data is being used, and how long the data is being stored.

Once you have an idea of your data collection and retention practices, you need to determine what data relates to EU residents.

All EU residents need to consent (i.e. opt in) to your processing of their data, so the business will have to reach out to these residents to obtain consent or, alternatively, destroy the data.

Another key step is to update your data privacy policy and ensure that your business puts the necessary controls in place to adequately process personal data going forward. This policy should be in writing and become part of your existing and future service contracts with third parties.

What if my business doesn’t comply?

The penalties for non-compliance are quite steep: 4% of your company’s worldwide annual turnover of the preceding financial year or € 20 million, whichever is greater, for serious infringements of the GDPR; 2% or € 20 million, whichever is greater, for less serious infringements.

 

Contact us to schedule a consultation.

Tonya Price (tonya@jrwiener.com)

Francisca Pretorius (francisca@jrwiener.com)

Giving Employees the Right Vacation Time

Are you following Colorado law when it comes to paying for vacation time when an employee leaves your company? What if you lump together vacation time, sick time and other time off into “Paid Time Off” (PTO)? What follows is a discussion of whether your current employee policies regarding PTO are following Colorado law, especially with regard to the limitation on the amount of time an employee can accrue PTO.

Colorado law states that employers do not have to offer their employees paid time off for vacations or sick leave. If you do offer vacation time or PTO and an employee leaves, you are expected to pay the employee for any time that has “accrued”. So what happens if you have great employees who never take vacation? You are allowed to place restrictions on the amount of vacation pay an employee receives. For example, an employee earns 10 days a year of PTO. But the employee only uses 5 days and the other 5 days get forwarded to the next year. You can create a policy that an employee cannot accumulate more than 20 days of PTO. The Courts look at vacation time as a contract issue between a company and its employees. An employee handbook acts as a contract for purposes of this discussion. The Colorado Department of Labor provides: “An employer may establish a vacation policy in writing or by custom and practice. Employees must be made aware of the employer’s policy. Employers and employees must follow established policy unless and until that policy is changed.”

So, as an employer, you can provide in your employee handbook that an employee can accrue no more than 3 years of PTO (or a certain number of days). You have to make sure your employees are aware of the policies and usually employees sign acknowledgements that they have received copies of the handbook.

Here’s another example. Say an employee earns PTO each week. In other words, depending on seniority (some earn more PTO than others), an employee receives at least 3 hours each pay period for PTO. Putting a restriction on the amount of PTO time that can be accumulated is perfectly within the right of your company. A court case from 1998 that has not been overturned or received negative treatment has discussed this issue (City of Lamar v. Koehn, 968 P.2d 164 (Colo.App. 1998)). The case determined whether vacation time was to be included in the definition of “wages” for purposes of workers’ compensation. The Court stated the following:

Both vacation and sick leave were subject to forfeiture if claimant accrued a specified maximum number of leave days. However, claimant did not forfeit any vacation leave under this policy and was paid his full entitlement. [The reason he did not forfeit any vacation was because he had not yet reached the maximum number of leave days.]

In this case, the Court discussed a prior decision where vacation time was looked at as a type of leave that had a reasonable, present-day, cash equivalent value, and that claimant had a reasonable expectation of receiving the benefits under appropriate reasonable circumstances. However, this Court found that because the employer policy had vacation time as capped and subject to forfeiture, it was not proper to be included in the definition of “wages” for determining workers’ compensation benefits.

Colorado wage law states that vacation pay (which would include PTO for purposes of this discussion), earned in accordance with the terms of any agreement, is classified as wages or compensation. If an employer provides paid vacation (or PTO) for an employee, the employer must pay, upon termination of employment, all vacation pay earned and determinable in accordance with the terms of any agreement between the employer and the employee. So take a look at your vacation and PTO policies. Are they similar to the following?

PTO Yearly Carry Over

Employees may carry up to two full years of accrued PTO leave into the following calendar year. This will allow employees the benefit of carrying up to three (3) years accrued PTO in their PTO banks. Any overage of PTO at the end of the year will be forfeited.

Payment for PTO Overages

If an employee accumulates more than 3 years of PTO and a calendar year is ending within 30 days, PTO for the final two pay periods of the calendar year shall be adjusted such that an employee can only earn 25% of the PTO that has accumulated over the 3-year cap for PTO for that employee. There will be no further accruals of PTO following the end of the calendar year until employee uses some of the accrued PTO. Upon retirement, termination or death during the year, the employee or his or her heirs or estate shall be paid for any accrued, but unused PTO.

The carry-over provisions in the second paragraph above may be a little complicated but they are perfectly within an employer’s rights. The company can cap vacation and PTO time to three years. This prevents a huge buildup of a company liability that will be incurred when an employee leaves the company. If an employee is not taking their earned PTO during the year, then management needs to encourage or force time off for those employees.

This is just one example of how employers can create vacation or paid time off benefits for their employees but everyone should be aware of the responsibilities employers have for properly structuring their vacation policies. Please give us a call if you would like us to review your employee manuals or handbooks about this issue.

A View from an Outside General Counsel’s Perch

I was an in-house general counsel for more than 5 years at Namaste Solar. While in the role, I learned that rendering traditional legal advice was, as they say, necessary but totally insufficient to being successful or adding value. My colleagues consistently pushed me to add value by offering what I now call “legally informed strategic advice,” by which I gave actionable advice to make a decision in light of real-world constraints and risk. No path was totally free of risk and no decision could be completely optimized for one variable at the expense of all others. Law school, for better or worse, teaches lawyers to analyze a case with 20-20 hindsight and to evaluate the facts in light of black letter law. I was rarely pushed, or even inspired to go further and analyze what should have been the decision in light of broader circumstances.

So, when I became an in-house counsel, I had to play a critical team role and advise a $20+M company through volatile and risky waters. We navigated a recapitalization, a turbulent and unpredictable policy landscape, layoffs, litigation, growth, scaling production capacity and massive industry consolidation. We had to act with poise, a watchful eye, but always with the clarity of knowing that unknowns lay just around the corner.

This experience has informed how we now offer general outside counsel to our clients today. We do this for more than 25 clients each year, and the number continues to grow. Increasing demand for our outside general counsel services tells us that (a) values- and vision-aligned legal counsel is rare and hard to find, (b) counsel willing to advise at the intersection of legal and business risk/opportunity is even rarer and harder to find, (c) adding value in multiple practice areas and legal topics involves constant adaptation and knowledge sharpening, and (d) offering “legally informed strategic advice” leads to better decisions.

Below are a few questions we ask ourselves and our clients to tune us for the task at hand:

  1. What is the context surrounding the issue we’re discussing? Risk and opportunity do not present in a vacuum. Broader issues are at play. Are you facing a business cliff, or massive strategic opportunity? Is your back against a wall and you need this deal to go through? Are key relationships at stake and worth compromising to preserve? How is the business doing, overall?
  2. From what position are we starting? Are we being asked to create a template that will scale up with a new offering? Are comparable transactional templates available? Are we able to red-line a draft from the counter-party? Different starting points present different cost structures and timelines.
  3. What are your high-level concerns and objectives? This may seem obvious, however, I’m still surprised how seldom counsel checks in with the client to understand key concerns. Clients are most knowledgeable of the broader context, their own business and the dynamics of the negotiation. Without this information, the attorney is flying without instruments.
  4. Where are we in the negotiation timeline? I like to ask this question as follows: “Are you asking me for an 11th hour review?” In other words, are we pulling up to the closing table and just looking out for major deal-breakers or red flags? Are we trying to raise awareness but we understand we’ll have little opportunity to request changes…at least not without jeopardizing the deal? This question fundamentally helps the attorney understand what, if any, bargaining leverage we have in requesting changes in a red-line. It’s a pet peeve of mine when an attorney red-lines each and every section of an agreement as if on a quest for technical and substantive perfection…one-party optimization. This just does not reflect a balanced or real-world understanding of business negotiation. Parties interested in consummating a deal both give and take. It is the balance of compromise between the parties that determines how healthy a deal is and how likely both sides are to remain committed to it. I’ve seen time and again when a document replete with red-line edits grinds a negotiation to a halt, often over details that are esoteric and even academic to the parties’ business interests.
  5. Similar to the last question, are we “papering” an agreement already reached, or are we carving a statue from raw stone? In other words, have all material terms been discussed and negotiated by the parties or are we proposing terms for the negotiation that follows? The answer to this question fundamentally and significantly impacts how the attorney approaches her task and her perspective. Attempting to propose new terms in a negotiation that simply needs to be documented can lead to the breakdown of a negotiation. I’ve seen parties allege bad faith when the attorney for one party unwittingly raised new concerns and terms when the parties thought they had negotiated the 4 corners of the deal.

As always, clear documents support productive relationships. Good documents require clear, consistent and engaged communication between client and attorney. Clear strategic advice requires consistent communication even more so. Both sides need to develop trust between one another. It’s neither an efficient use of client dollars, nor a good use of an attorney’s time to fly blind in supporting a client transaction. Offering value-add legal services requires that the attorney be kept in the loop and privy to the direct and indirect factors that influence negotiations.