GDPR primer: what you need to know, by guest blogger sam bayer

A Hastings 2010 alum, Teela C. Smith participates in the Hastings Legal Startup Garage program, in which lawyers in the Bay Area community mentor and supervise Hastings law students while providing pro bono legal work for early stage tech startups.  Recently, one of her Hastings students, Sam Bayer, provided our office with an excellent memo regarding the General Data Protection Regulation (“GDPR”).  We were so impressed by the memo that we selected key portions of it here to share with the public.

Sam Bayer is a second-year law student at UC Hastings College of the Law, an editor for the Hastings Law Journal, and a member of the Hastings Startup Legal Garage. Sam aspires to a career as a corporate transactional attorney, and hopes to focus on early-stage technology companies.  Portions of his memo on the GDPR follows below:

***
Introduction

The General Data Protection Regulation (“GDPR”) requires that any company engaging in a “systematic monitoring of data subjects on a large scale” (“Large Scale Data Processor” or “LSDP”) take particular steps (in addition to those typically required by the GDPR) to protect that data.

First, the GDPR requires that each LSDP appoint a Data Protection Officer (“DPO”) to oversee the company’s data protection policies. The DPO may be an employee of the company, so long as the DPO is able to work independently and report directly to the LSDP’s “highest management level.” The DPO’s name and contact information must be made publicly available.

Second, the GDPR requires that a LSDP not established in the European Union and/or the European Economic Area (“EU”) appoint a Data Protection Representative (“Representative”). The Representative must be established in the EU, so that it can act as a main point of contact between the EU and the LSDP.

Third, the GDPR requires that the LSDP and DPO carry out a Data Protection Impact Assessment (“DPIA”). The DPIA must (a) assess the company’s current data processing operations, (b) establish the company’s purpose for data collection, (c) consider the company’s plans for upcoming security measures, and (d) demonstrate the company’s overall GDPR-compliant practices. Companies should perform an updated DPIA whenever there is a “change of the risk represented by processing operations.” The DPIA need not be published, however a publicly available summary is recommended.

Fourth, if the DPIA “indicates that the processing would result in a high risk in the absence of measures taken . . . to mitigate the risk,” the GDPR requires that an LSDP consult their Data Protection Authority (“DPA”) before processing any data. If the DPA finds that the LSDP’s activities would infringe upon the GDPR, the DPA may provide written advice, investigate the risk, and work to correct any issues relating to the LSDP’s processing operations.

If the LSDP fails to comply with any GDPR requirement, the company’s DPA may impose substantial fines.

Practical Recommendations

All companies doing business in the EU or processing data of EU citizens are required to comply full the GDPR. However, the cost to achieve full compliance can understandably be difficult and expensive for emerging startups.

For now, European DPAs are expected to be lenient toward companies that are not yet compliant, so long as those companies act in good faith. In order to show a good faith attempt to comply with the GDPR, startups should prioritize the following actions:

• designate and publish a DPO;
• perform a DPIA; and
• As soon as a startup reasonably believes it processes EU client data, designate a Representative in the EU and contact the DPC.

​In case of breach, a startup should perform the following tasks:

• Take immediate steps to resolve the breach and mitigate damage;
• Contact the DPC, describe the nature and extent of the breach, all follow all DPC directions as soon as possible; and
• Contact your customers and inform them of the breach promptly.

By taking these steps in good faith, a startup will have the best chance to mitigate liability under the GDPR.

***

Sam Bayer and Smith Shapourian Mignano PC is available to answer any questions or concerns you may have regarding your privacy policies and compliance with the GDPR.

This blog does not constitute solicitation or provision of legal advice, and does not establish an attorney-client relationship. This blog should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified attorney regarding any specific legal problem or matter in a timely manner, as statutes of limitations may bar your claim.