Tag: general counsel

GDPR is Almost Here – Are you Prepared?

On May 25, 2018, the European Union’s new data protection legislation, the General Data Protection Regulation (GDPR), will take effect. This law heralds a new era of rigorous data privacy and security and makes data privacy a fundamental right for EU citizens. Of course, all EU companies and many multinational companies doing business in the EU have to be fully compliant with this legislation on Friday. What is important to note is that some U.S.-based businesses, even those without employees or offices within the EU, may also be required to comply with the GDPR.

Does my U.S.-based business need to comply with this law?

If your business processes and/or holds personal data of individuals residing in the EU (including employees) or you are marketing/selling products to consumers in the EU, then your business must comply with GDPR. In a broad sense, the GDPR requires businesses to understand what data they are collecting, to be able to articulate why they are collecting it and which of the six categories of lawful processing its purpose falls into, and to know what their strategy is in the event of a data breach, what the timeline for retention of personal data is, and how such data is destroyed when the purpose for collecting and retaining the data no longer exists. There is a record-keeping exception that companies with fewer than 250 employees may qualify for.

But what is ‘personal data’ and what do you mean by ‘processing’?

‘Personal data’ is any information related to a person that could be used to identify such a person. This includes the person’s name, identification number, location data or online identifier, email addresses, bank information, social media posts, or other factors specific to the physical, genetic, physiological, economic, mental, cultural, or social identity of that person. The EU is taking a very broad approach to defining ‘personal data’ so it is best to consider almost any information you collect about an EU citizen to be personal data.

‘Processing’ means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.

Most, if not all, of us have a website, and if a German resident stumbles upon our website, the GDPR will likely not apply just because that person found the website. However, if you are actively encouraging EU residents to visit your website, ship your products to the EU, market or translate your webpage into a language of an EU country, or if you engage with EU residents and process their personal data in any other way (for example, tracking and collecting information on webpage users from the EU to analyze online behavior), the GDPR may be applicable to your business.

The GDPR requires all businesses to protect the personal data of EU citizens, and specifically prescribes how this should be done.

How do I ensure compliance before May 25?

There is a “quick fix” that you can implement before Friday: add a cookie banner to your website that allows your business to ask permission before processing an EU resident’s data and also allows you to stop collecting data from any IP address from an EU country if they do not consent.

For the permission or consent to be valid in terms of GDPR, be sure not to use legal jargon or to bury the consent in fine print. Consent needs to be specific, in plain language, explain what you will be using the personal data for, and positive (i.e. the person must opt in to allow you to process the data).

Is there more to it?

Yes, the GDPR’s requirements are far-reaching and ensuring full compliance may take a bit more time.

One of the biggest and most important tasks is to map your data, i.e. figure out what personal data you store and collect in your databases (online, on computers, tablets and phones, and on paper), how that data is being used, and how long the data is being stored.

Once you have an idea of your data collection and retention practices, you need to determine what data relates to EU residents.

All EU residents need to consent (i.e. opt in) to your processing of their data, so the business will have to reach out to these residents to obtain consent or, alternatively, destroy the data.

Another key step is to update your data privacy policy and ensure that your business puts the necessary controls in place to adequately process personal data going forward. This policy should be in writing and become part of your existing and future service contracts with third parties.

What if my business doesn’t comply?

The penalties for non-compliance are quite steep: 4% of your company’s worldwide annual turnover of the preceding financial year or € 20 million, whichever is greater, for serious infringements of the GDPR; 2% or € 20 million, whichever is greater, for less serious infringements.

 

Contact us to schedule a consultation.

Tonya Price (tonya@jrwiener.com)

Francisca Pretorius (francisca@jrwiener.com)

A View from an Outside General Counsel’s Perch

I was an in-house general counsel for more than 5 years at Namaste Solar. While in the role, I learned that rendering traditional legal advice was, as they say, necessary but totally insufficient to being successful or adding value. My colleagues consistently pushed me to add value by offering what I now call “legally informed strategic advice,” by which I gave actionable advice to make a decision in light of real-world constraints and risk. No path was totally free of risk and no decision could be completely optimized for one variable at the expense of all others. Law school, for better or worse, teaches lawyers to analyze a case with 20-20 hindsight and to evaluate the facts in light of black letter law. I was rarely pushed, or even inspired, to go further and analyze what should have been the decision in light of broader circumstances.

So, when I became an in-house counsel, I had to play a critical team role and advise a $20+M company through volatile and risky waters. We navigated a recapitalization, a turbulent and unpredictable policy landscape, layoffs, litigation, growth, scaling production capacity and massive industry consolidation. We had to act with poise, a watchful eye, but always with the clarity of knowing that unknowns lay just around the corner.

This experience has informed how we now offer general outside counsel to our clients today. We do this for more than 25 clients each year, and the number continues to grow. Increasing demand for our outside general counsel services tells us that (a) values- and vision-aligned legal counsel is rare and hard to find, (b) counsel willing to advise at the intersection of legal and business risk/opportunity is even rarer and harder to find, (c) adding value in multiple practice areas and legal topics involves constant adaptation and knowledge sharpening, and (d) offering “legally informed strategic advice” leads to better decisions.

Below are a few questions we ask ourselves and our clients to tune us for the task at hand:

  1. What is the context surrounding the issue we’re discussing? Risk and opportunity do not present in a vacuum. Broader issues are at play. Are you facing a business cliff, or massive strategic opportunity? Is your back against a wall and you need this deal to go through? Are key relationships at stake and worth compromising to preserve? How is the business doing, overall?
  2. From what position are we starting? Are we being asked to create a template that will scale up with a new offering? Are comparable transactional templates available? Are we able to red-line a draft from the counter-party? Different starting points present different cost structures and timelines.
  3. What are your high-level concerns and objectives? This may seem obvious; however, I’m still surprised how seldom counsel checks in with the client to understand key concerns. Clients are most knowledgeable of the broader context, their own business and the dynamics of the negotiation. Without this information, the attorney is flying without instruments.
  4. Where are we in the negotiation timeline? I like to ask this question as follows: “Are you asking me for an 11th hour review?” In other words, are we pulling up to the closing table and just looking out for major deal-breakers or red flags? Are we trying to raise awareness but we understand we’ll have little opportunity to request changes…at least not without jeopardizing the deal? This question fundamentally helps the attorney understand what, if any, bargaining leverage we have in requesting changes in a red-line. It’s a pet peeve of mine when an attorney red-lines each and every section of an agreement as if on a quest for technical and substantive perfection…one-party optimization. This just does not reflect a balanced or real-world understanding of business negotiation. Parties interested in consummating a deal both give and take. It is the balance of compromise between the parties that determines how healthy a deal is and how likely both sides are to remain committed to it. I’ve seen time and again when a document replete with red-line edits grinds a negotiation to a halt, often over details that are esoteric and even academic to the parties’ business interests.
  5. Similar to the last question, are we “papering” an agreement already reached, or are we carving a statue from raw stone? In other words, have all material terms been discussed and negotiated by the parties or are we proposing terms for the negotiation that follows? The answer to this question fundamentally and significantly impacts how the attorney approaches her task and her perspective. Attempting to propose new terms in a negotiation that simply needs to be documented can lead to the breakdown of a negotiation. I’ve seen parties allege bad faith when the attorney for one party unwittingly raised new concerns and terms when the parties thought they had negotiated the 4 corners of the deal.

As always, clear documents support productive relationships. Good documents require clear, consistent and engaged communication between client and attorney. Clear strategic advice requires consistent communication even more so. Both sides need to develop trust between one another. It’s neither an efficient use of client dollars, nor a good use of an attorney’s time to fly blind in supporting a client transaction. Offering value-add legal services requires that the attorney be kept in the loop and privy to the direct and indirect factors that influence negotiations.