Emerging Markets Law

Demystifying the Rules Surrounding GDPR and Your Business

Demystifying the Rules Surrounding GDPR and Your Business

If you have received a deluge of emails regarding updated privacy policies from services you use, you are not alone. They relate to a new set of data privacy rules that went into effect across the European Union on May 25, known as the General Data Protection Regulation (GDPR). The new rules have sweeping implications for businesses around the world. In fact, Facebook and others have already been sued for non-compliance with the GDPR.

If you do business in the EU (including the UK, which has said it will honor the rules) in any way, it would be a good idea to check with counsel regarding whether your business must comply. Although the rules are designed to cover consumer privacy, the way they are written is very broad; B2B as well as B2C customers are affected.

Common facts that can subject you to the GDPR include having European sales or facilities, using cloud-based storage for your website or portal, performing services in the EU, serving customers located there, having employees there, having vendors there, and having European employees who work in the United States temporarily.

The fact that your company is US-based does not matter: the rules explicitly apply to any company handling the personal information of persons in the EU, regardless of the company’s location. In addition, if you serve customers who pass you EU data, they may ask you to certify your security practices or to sign a “Data Processing Agreement” that makes certain assurances about your practices.

In addition to their operational implications, the rules require notice of a breach of any EU personal data within 72 hours – a huge hurdle unless you have conducted some advance planning. Many companies are reviewing their privacy policies, work flows, employee policies, cyber preparedness planning, vendor agreements, and other matters in connection with the GDPR. Not all companies have to conduct a “scorched earth” approach to privacy, but nearly all companies would do well to consider their business and privacy practices and make adjustments where they can.

The rules as drafted leave a great deal of room for the regulators to maneuver; they are very ambiguous. The very clear part of the GDPR, however, is this: fines for non-compliance can be assessed up to the greater of €20 million or 4% of global revenue.

Taylor English’s Data Security & Privacy Team is assisting the firm’s clients with assessment of the client’s exposure to the rules, policy drafting and review, contractual terms relating to the new rules, and liaison with security and technical resources. Our team has extensive in-house compliance experience, internationally and domestically, as well as broad expertise in the legal aspects of information security planning and incident response.


How New EU Data Privacy Rules May Apply to Your U.S. Business

If you use any online services such as Facebook or Google, you may have seen new tools and products relating to your account privacy settings recently, along with a tweak to privacy policies and terms of use.

Continue reading How New EU Data Privacy Rules May Apply to Your U.S. Business ›

Five Lessons from Equifax

The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.

Continue reading Five Lessons from Equifax ›

National Cybersecurity Month: Protect Your Assets

It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.

Continue reading National Cybersecurity Month: Protect Your Assets ›

GDPR: Good Defense = Prepared + Responsive!

General Data Protection Regulation in the EU

If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.

The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.

Continue reading GDPR: Good Defense = Prepared + Responsive! ›

Reflections on the Equifax Hack

Reflections on Equifax Hack

The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.

Continue reading Reflections on the Equifax Hack ›

Cyber Protection for Growth

According to a new survey by insurer Nationwide, almost half of all businesses have been the victim of a cyberattack without knowing it. 

Most of the headlines about cyber exposure and planning focus on the need to avoid exposure to consumer claims. This neglects the real purpose of cyber planning for most companies, however: protecting your revenue and securing your growth. 

Many businesses don’t have a lot of “personally identifiable information” on file, and the penalties associated with losing control over that information are generally not large (outside healthcare, financial services, and similar industries).  With those facts in front of you, it can be hard to justify spending scarce resources on a defensive plan. 

However, your own business assets and your own growth/succession are at risk no matter what kinds of records you hold in your company.  The time and money you spend on developing and practicing good cyber habits is priceless when you think about your IP, your trade secrets, your pricing, your “secret sauce” getting out via a hacker. Bad guys troll for valuable information all the time, and often sell batches of information via online black markets. This has nothing to do with the headline grabbing consumer suits that garner all the attention. 

How would you value your business in a sale if you knew you’d been the victim of a cyberattack and couldn’t demonstrate that your core assets remained secure?  How would you talk to your investors or your board following an attack?  What would you want to know about a target’s cyber habits before buying its business? 

These are the questions that should be driving our discussion of cybersecurity planning.  #cyberforgrowth – not cybersecurity as a means to fend off rare (and rarely successful) consumer claims.  

Applying Georgia's Angel Investor Tax Credits to Convertible Promissory Notes

A friend recently asked if the Georgia Angel Investor Tax Credit program would cover an angel investor’s investment in a start-up’s convertible promissory note. It was a good question because start-ups often raise funds through convertible notes. The short answer to his question was, “it depends.”

The Georgia Angel Investor Tax Credit program gives angel investors who are Georgia residents a tax credit for making qualified investments in Georgia start-ups. The program was amended in 2015 to cover qualified investments made in 2016, 2017 and 2018. (See Georgia Angel Investment Tax Credit (May 24, 2016))  

The program allows the angel a tax credit of up to 35% for a qualified investment, capped at a credit of not more than $50,000 in any tax year, with the tax credit to be issued in the second year after the investment is made. (For example, a qualified investment made in 2015 would result in a tax credit for the 2017 tax year.) The state permits not more than $5 million in tax credits each year and start-ups need to apply for allocations of the tax credits if they have investors who want to take advantage of the program. 

The Georgia Department of Revenue has issued rules to guide tax payers through the requirements of the program. (See Georgia Rule 560-7-8-.52)  

To obtain a tax credit a “qualified investor” must make a “qualified investment” in a “qualified business” (tracking the definitions from the Georgia Rule). Answering the question originally posed, therefore, requires the taxpayer to walk through each of these definitions. An investment in a convertible promissory note, can be a “qualified investment” (assuming all of the other definitions are met) if the convertible promissory note satisfies the requirements of “qualified subordinated debt” (the only debt category within the definition of “qualified investment”). Qualified subordinated debt is “indebtedness that is not secured, that may or may not be convertible into common or preferred stock or other equity interest, and that is subordinated in payment to all other indebtedness of the qualified business issued or to be issued for money borrowed and no party of which has a maturity date less than five years after the date such indebtedness was purchased.”

It is this last requirement for “qualified subordinated debt” that most start-up convertible note deals may have difficulty satisfying. Most convertible notes issued by start-ups are not subordinated, but rather represent senior indebtedness that may not be subordinated. So, if a start-up wants to ensure that its convertible note offering will be eligible for the Georgia Angel Investment Tax Credit program, counsel for the start-up should carefully draft the subordination provisions of the note with a view towards the requirements of Georgia Rule 560-7-8-.52(2)(g). 

Financial Choice Act

Posted In Government

This week, the House of Representatives will consider and vote on the Financial Choice Act (“FCA”), sponsored by Rep. Jeb Hensarling of Texas – chairman of the House Financial Services Committee. The FCA is a response to the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), and not a nice one. It essentially guts that bill which was itself a response to the financial crisis that began in 2007. After his election, President Obama called for a "sweeping overhaul of the United States financial regulatory system, a transformation on a scale not seen since the reforms that followed the Great Depression" and Dodd-Frank was basically the result.

Continue reading Financial Choice Act ›

Apple's Secret Team Working on Diabetes Solution Through Wearables

Yesterday's news about Apple's secret effort to find the 'holy grail' for treating diabetes is just the tip of the iceberg.  

The data-mining and communications solutions that are made possible by the Internet will make it possible for future entrepreneurs to launch solutions that we find hard to imagine today.

Wearable devices, once configured with the right technology to enable the monitoring of blood sugar levels, blood oxygen levels and other health data in combination with data-mining and simultaneous communication to health care providers hold great potential for guiding patients to make healthy choices and to seek medical help when appropriate.

There are obvious data privacy and cyber-security implications, of course, but even these challenges are opportunities in disguise for the entrepreneurs who can develop market-friendly solutions. 

Stay Connected

Subscribe to blog updates via email