SMITH SHAPOURIAN MIGNANO PC - SAN FRANCISCO LAW FIRM FOR STARTUPS AND SMALL BUSINESSES
GDPR Changes: What Business Owners Need to Know

4/12/2018

While many startups and small businesses already have privacy policies in place (read here why it's necessary for most businesses with an online presence), they will need to update those policies in accordance with the changes introduced by the General Data Protection Regulation (“GDPR”), which takes effect under European Union privacy law on May 25, 2018. A list of the changes may be found here, and the ladies of Smith Shapourian Mignano PC have summarized these changes for your convenience below.

First, the GDPR actually applies to all businesses, regardless of their location, as long as those businesses process the "personal data" (FN1) of data subjects residing in the EU.  It does not matter whether the processing itself takes place in the EU. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required), and the monitoring of behavior that takes place within the EU.  Businesses that are not located in the EU, but process the data of EU citizens, will also have to appoint a representative in the EU. So, these changes under the GDPR apply to, for example, a startup located in America that markets and sells services and/or products to customers in the EU.

Second, the tiered fines can be steep, and businesses must take heed. On the low end, a company can be fined 2% for not having its records in order, not notifying the supervisory authority and the data subject about a breach, or not conducting an impact assessment. On the higher end, a company can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) for the more serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

Third, the new changes require that antiquated website privacy policies be rewritten without legalese, and require that website visitors be able to withdraw consent for the use or sharing of their personal information as easily as they give it.

The below bullet-pointed list summarizes considerations under the new GDPR that businesses must confront in evaluating their current privacy policies:

  • 72-hour data breach notification;
  • Disclosure as to whether or not personal data is being processed, where, and for what purpose;
  • Provision of a copy of the personal data, free of charge, in an electronic format, such that the person has the right and ability to transmit that data to another controller;
  • Ability to, upon request, erase personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data;
  • Inclusion of data protection from the onset of the designing of systems, rather than an afterthought; and
  • Increased internal record keeping requirements, and Data Protection Officer (DPO) appointment as necessary where businesses’ core activities consist of processing operations which require regular and systematic monitoring of EU data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offenses.

How Big Tech companies handle the newly promulgated regulations will most likely influence how startups and small businesses manage user privacy and data online. Smith Shapourian Mignano, PC is available to answer any questions or concerns you may have regarding your business’ existing privacy policy and its compliance with the new requirements under the GDPR.

FN1. Personal data of EU persons is defined broadly in this case to include most types of information that business websites solicit from visitors or customers: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”  

This blog does not constitute solicitation or provision of legal advice, and does not establish an attorney-client relationship. This blog should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified attorney regarding any specific legal problem or matter in a timely manner, as statutes of limitations may bar your claim.


​© 2022 Smith Shapourian Mignano PC.  All Rights Reserved.