Is Your Business Prepared for the GDPR Compliance Deadline?

On May 25, 2018, a new European privacy regulation called The General Data Protection
Regulation (GDPR) will come into effect. The goal of the GDPR is to provide citizens of the EU
and EEA with greater control over their personal data and assurances that their information is
being securely protected. The GDPR will be implemented in all privacy laws across the entire EU
and European Economic Area (EEA) region. It will apply to all companies controlling, processing
or storing personal information about individuals in Europe.

So how does the GDPR impact your U.S.-based business? If you think the GDPR does not apply
to you, think again. The GDPR applies to any business that does one or both of the following:

·       Offers products or services to citizens of the EU.
·       Collects personal information from citizens of the EU.

If your business meets either of these criteria, it doesn’t matter where your business is located.
This means that a U.S.-based business that simply collects email addresses from EU citizens will
be required to comply with the GDPR.

The GDPR signifies a radical reform to the current data protection regime and is going to
dramatically change the game when it comes to privacy and data.  Your business may need to
make major and systematic changes to the ways in which you handle data in order to achieve
compliance. Under the GDPR, individuals have expanded rights, including:

1. The right to access (GDPR Art. 12, 15) – Individuals have the right to demand access to
their personal data and inquire how their data is used by the company after it has been
gathered.

2. The right to be forgotten (GDPR Art. 12, 17) – If an individual withdraws their consent
from a company to use their personal data, they have the right to have their data
permanently deleted.

3. The right to data portability (GDPR Art. 12, 20) – Individuals have a right to transfer
their data from one service provider to another.

4. The right to be informed (GDPR Art. 12, 13, 14) – Consumers must “opt in” for their
data to be gathered, and consent must be explicitly.

5. The right to correction (GDPR Art. 12, 16) – Individuals have the right to have their data
updated.

6. The right to restrict processing (GDPR Art. 12, 18) – Individuals can request that their
data is not used for processing.

7. The right to object (GDPR Art. 12, 21) – this includes the right of individuals to stop the
processing of their data for direct marketing. There are no exemptions to this rule, and
any processing must stop as soon as the request is received. In addition, this right must
be made clear to individuals at the very start of any communication.

8. The right to not be subject to automated decision making (GDPR Art. 12, 22) –
Individuals have the right to demand human intervention, rather than having important
decisions made solely by algorithm.

Penalties for non-compliance are astronomic: €20 million or 4% of annual revenue, whichever is
greater. Do you have questions or concerns about GDPR compliance? Reach out to us at
hello@archetypelegal.com to learn more about what your business needs to do to comply.

 

Disclaimer: This post discusses general legal issues and developments and intended to serve as informational only and may not reflect the most current law in your jurisdiction. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. No reader should act or refrain from acting on the basis of any information presented herein without seeking the advice of counsel in the relevant jurisdiction.  Archetype Legal PC expressly disclaims all liability in respect of any actions taken or not taken based on any contents of this article.

Drafting An Equity Incentive Plan

To keep on talent, it’s frequently imperative that a startup and small business offer
significant equity packages to offset below market salaries.

When designing an equity incentive plan for your company, consider the following: (i)
which individuals you would like to reward, (ii) the specific types of awards that provide
the most fitting incentives for those who participate in the plan (e.g. stock options, stock
appreciation rights, phantom stock), and whether or not the plan meshes well with the
existing compensation program.

Once a general outline of equity awards has been established, the startup must consider
how much of the cap table will be comprised of the equity incentive plan. Because an
equity plan will likely be used for several years, the startup should estimate the number of
shares that will be needed to cover future grants for the coming years. Private companies
typically have only a handful of controlling shareholders and therefore can obtain the
necessary shareholder approval to amend the plan to increase the share reserve at any
time. Nevertheless, it’s typically advisable to reserve enough shares for three year's worth
of grants for administrative convenience.

After you are finished with figuring out the plan’s share reserve, you must determine the
actual individuals who are eligible. This generally includes employees, consultants, non-
employee directors and advisors. This may seem like an obvious step, but an important
one nonetheless to think about ahead of time.

Have your plan eligibility sorted out? Great. Now it is imperative that you determine how
(and by whom) the plan will be administered. In other words, will the board of directors,
the compensation committee, or another committee entirely be in charge of governing the
plan? And out of those options, what would be the scope of the administrator’s authority,
and whether they would be secured against expenses incurred related to any action they
become involved in? For most startups the easiest path forward is to have the startup’s
board of directors act as the administrator as the company’s framework is not built to
include numerous committees.

Vesting is also an important detail to address as you begin to put the equity incentive plan
together, including how much freedom the administrator will have to determine vesting
when grants are made. A few options are: a general provision that contemplates vesting,
but provides flexibility to set vesting schedules in award agreements, a minimum vesting
schedule, or a provision that either establishes the circumstances under which vesting will
accelerate, or gives the administrator this power.

Now you should figure out the acceptable ways that participants in the plan can pay the
exercise price (the price per share at which the owner of a traded option is entitled to buy
or sell the underlying security) for stock options. This could include providing a cash
payment, delivering previously owned shared to the company, or net exercise (the cost of
the exercise is paid with a portion of the shares being exercised).

Next, is it important to consider some smaller, but equally important details, such as the
circumstances under which awards may be transferred, whether or not to include a
“clawback” provision (money that has already been paid must be paid back under certain
conditions), and if you should include a forfeiture provision that causes a participant to
forfeit equity rewards if he/she is terminated or engages in inappropriate activity.
 
We’re on the home stretch! Finally, think about whether awards should be subject to
things such as confidentiality provisions or solicitation restrictions. After you are done
with this, you’ll have a solid framework for an equity incentive plan.
Certainly fair from an all encompassing discussion, and a well crafted equity incentive
plan for a private company can involve a host of other issues that should be addressed
with counsel. Have questions or comments? We’d love to hear from you.
You can reach us at (415)949-0795 or hello@archetypelegal.com.

Disclaimer: This post discusses general legal issues and developments and intended to
serve as informational only and may not reflect the most current law in your jurisdiction.
These informational materials are not intended, and should not be taken, as legal advice
on any particular set of facts or circumstances. No reader should act or refrain from
acting on the basis of any information presented herein without seeking the advice of
counsel in the relevant jurisdiction.  Archetype Legal PC expressly disclaims all liability
in respect of any actions taken or not taken based on any contents of this article