Smith Shapourian Mignano
GDPR Primer: What You Need to Know, by Guest Blogger Sam Bayer

3/14/2019

A Hastings 2010 alum, Teela C. Smith participates in the Hastings Legal Startup Garage program, in which lawyers in the Bay Area community mentor and supervise Hastings law students while providing pro bono legal work for early-stage tech startups. Recently, one of her Hastings students, Sam Bayer, provided our office with an excellent memo regarding the General Data Protection Regulation (“GDPR”). We were so impressed by the memo that we have selected key portions of it to share here with the public.

Sam Bayer is a second-year law student at UC Hastings College of the Law, an editor for the Hastings Law Journal, and a member of the Hastings Startup Legal Garage. Sam aspires to a career as a corporate transactional attorney, and hopes to focus on early-stage technology companies. Portions of his memo on the GDPR follow below:

***
Introduction

The General Data Protection Regulation (“GDPR”) requires that any company engaging in a “systematic monitoring of data subjects on a large scale” (“Large Scale Data Processor” or “LSDP”) take particular steps (in addition to those typically required by the GDPR) to protect that data.

First, the GDPR requires that each LSDP appoint a Data Protection Officer (“DPO”) to oversee the company’s data protection policies. The DPO may be an employee of the company, so long as the DPO is able to work independently and report directly to the LSDP’s “highest management level.” The DPO’s name and contact information must be made publicly available.

Second, the GDPR requires that an LSDP not established in the European Union and/or the European Economic Area (“EU”) appoint a Data Protection Representative (“Representative”). The Representative must be established in the EU, so that it can act as a main point of contact between the EU and the LSDP.

Third, the GDPR requires that the LSDP and DPO carry out a Data Protection Impact Assessment (“DPIA”). The DPIA must (a) assess the company’s current data processing operations, (b) establish the company’s purpose for data collection, (c) consider the company’s plans for upcoming security measures, and (d) demonstrate the company’s overall GDPR-compliant practices. Companies should perform an updated DPIA whenever there is a “change of the risk represented by processing operations.” The DPIA need not be published; however, a publicly available summary is recommended.

Fourth, if the DPIA “indicates that the processing would result in a high risk in the absence of measures taken . . . to mitigate the risk,” the GDPR requires that an LSDP consult its Data Protection Authority (“DPA”) before processing any data. If the DPA finds that the LSDP’s activities would infringe upon the GDPR, the DPA may provide written advice, investigate the risk, and work to correct any issues relating to the LSDP’s processing operations.

If the LSDP fails to comply with any GDPR requirement, the company’s DPA may impose substantial fines.

Practical Recommendations

All companies doing business in the EU or processing data of EU citizens are required to comply fully with the GDPR. However, achieving full compliance can understandably be difficult and expensive for emerging startups.

For now, European DPAs are expected to be lenient toward companies that are not yet compliant, so long as those companies act in good faith. In order to show a good faith attempt to comply with the GDPR, startups should prioritize the following actions:

  • Designate and publish a DPO;
  • Perform a DPIA; and
  • As soon as a startup reasonably believes it processes EU client data, designate a Representative in the EU and contact the DPC.

In case of breach, a startup should perform the following tasks:

  • Take immediate steps to resolve the breach and mitigate damage;
  • Contact the DPC, describe the nature and extent of the breach, and follow all DPC directions as soon as possible; and
  • Contact your customers and inform them of the breach promptly.

By taking these steps in good faith, a startup will have the best chance to mitigate liability under the GDPR.

***

Sam Bayer and Smith Shapourian Mignano PC are available to answer any questions or concerns you may have regarding your privacy policies and compliance with the GDPR.

This blog does not constitute solicitation or provision of legal advice, and does not establish an attorney-client relationship. This blog should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified attorney regarding any specific legal problem or matter in a timely manner, as statutes of limitations may bar your claim.
