The Benefits of the GDPR Two Years In

The General Data Protection
Regulation (the “GDPR”), promulgated by the European
Commission, was adopted in April 2016 and became effective in May 2018. Rarely
mentioned with positivity in the past two years, the GDPR standardizes data
protection laws across the European Union and applies to companies located outside
of the EU that offer goods or services or are monitoring the behavior of
persons inside the EU. 

The Benefits of the GDPR
for Companies

Not only does the GDPR call for
the adherence to seven fundamental privacy principals (lawfulness, fairness,
and transparency; purpose limitation; data minimization; accuracy; storage
limitation; integrity and confidentiality; and accountability), but it also
calls for increased technical measures for businesses to update and strengthen
their data protection practices. Instead of mindlessly gathering any and all
data, businesses should gather more purposeful data. Data mapping and inventory
exercises challenge businesses to fully understand the data the business holds
and how it fits into the broader organization. For many businesses, this is the
first time the business will actually take the time to truly know and
understand the data it holds. This data knowledge is useful in particular for
mapping data strategies going forward. By raising awareness of the importance
of well-maintained data, the GDPR has allowed organizations to make more
informed decisions around strategic business partners and future avenues of

Data Processing Inventory: Article 30 requires controllers and processors to create and maintain a formal, written record of its processing activities subject one exception:  when the organization has less than 250 employees and the processing is not likely to result in a risk for the rights and freedoms of data subjects, is not occasional, or is not of special categories of data. The records maintained by the processor must include the personal data processing activities done on behalf of a controller and to provide the controller a copy of the report upon request. While not a granular report of each data element in a business’s repository, it provides a high-level snapshot of how the business processes personal data.

Data Protection Impact Assessments (DPIA): Under Article 35, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, the controller should perform a DPIA. Practically speaking, the DPIA is a risk assessment exercise meant to identify and minimize risks relating to the controller’s personal data processing activities.

Privacy Notices: Businesses are also required to publicly post a privacy notice detailing the source of the personal data, the legal basis for processing the personal data, the period for which the personal data will be retained, and the third-party recipients of the data. Further, the privacy notice must be provided in a manner that is concise, transparent, intelligible and easily accessible using clear and plain language.

Data Processing Agreements: Article 28 provides that controllers may only engage with a processor who provides sufficient guarantees of compliance with the obligations of the GDPR. Specifically, Article 28(3) of the GDPR requires a contractual agreement between controllers and processors regarding the parties’ roles and the processor’s obligations to comply with certain provisions in the GDPR. 

While these measures, and the
GDPR in general, certainly increase the costs of doing business, it can be a
competitive advantage for companies that commit to real compliance. Not only can
a business become a preferred vendor by showing its commitment to data
protection, but also it is an opportunity to build customer loyalty by being
transparent about how they use personal data. 

Leveraging GDPR for
Trends in the US

The GDPR kicked off this new
wave of data privacy and data protection laws. Particularly in the US, which
lacks an omnibus federal data protection law, many States have proposed their own data
protection laws. Most recently, this was seen with the passage of the
California Consumer Privacy Act (the “CCPA”) that was heavily
influenced by the GDPR. Despite the COVID-19 pandemic, the California
Attorney General has reiterated that the enforcement date of the CCPA is still
July 1, 2020
. The California Attorney General is currently working on the
third draft of his CCPA regulations before a final draft is due by July 1.

For companies that have never
undergone data protection compliance exercises, it can be daunting but we can
leverage our existing data protection knowledge to quickly get in front of
these issues as they come up in the day to day business operations.

Dated April 8, 2020

Written by Stan Sater and Jeff Bekiares

*    *    *

If you are a business that has questions about data protection laws and how the laws impact your business contracts, contact our Founders Legal team at [email protected]m and [email protected].

Part Two: Managing Equity Incentive Plans in a Volatile Market

blog post is part two of two discussing equity incentives and ways for
employees to liquidate a portion of their shares while the company remains
private. Part One discussed the issuance of equity incentives to employees and
other key personnel. Focusing now on already issued and vested equity
incentives (for illustrative purposes hereof, we will focus on stock options),
this blog post discusses the potential internal transactions that can provide
liquidity to these vested employees and personnel.

The Broader
Trend to Stay Private

the last decade, the pre-IPO marketplace has grown significantly, being
dominated by an increase in venture capital firms and private placement agents,
brokers, and banks. With the increase in private market capital and willing
buyers of private-company securities, the trend for post-2008 financial crisis
startups has been to delay an IPO for as long as possible. High valuation
startups such as Uber, Lyft, Slack, and Zoom all went public in 2019 into an
all-time high in the public markets. When these companies go public, not only
do the founders, venture capitalists, and investment banks make money, but also
the employees who were granted stock options under the company’s equity
incentive plan. While these companies stay private longer, secondary
private-company marketplaces have evolved to purchase private-securities from
employees or early-stage investors. Given the recent market volatility
surrounding COVID-19, we expect valuations of private companies to be revised
downward, companies to remain private, mergers and acquisitions deals to slow,
venture capital deal terms to favor the venture capitalists, and cash strapped
employees looking to sell their illiquid shares to weather personal financial
volatility. The current financial markets signal that now is the time for
liquidity and financial security. Liquidity and financial security are not only
important to companies but also the companies’ employees. Conversely, with a
drawdown in valuations, some existing investors in a private company might want
to acquire more shares and provide liquidity to existing shareholders
while the markets are not encouraging a sufficient liquidity event at a
desirable valuation.

the Tender Offer

tender offer is a transaction that can be utilized to allow an investor to buy a
company’s shares from employees with vested stock options or company common
stock. Tender offers are often structured in one of two ways: (1) share
buybacks by the company or (2) a secondary sale by an existing shareholder(s) to
a third-party purchaser. Under the first option, the company uses either cash
on its balance sheet or cash from a prior equity financing to buy back shares.
However, many states (for example, Delaware and California) have statues that limit
the amount of capital that a company may use to buy back its shares. Meanwhile,
these statutory restrictions do not apply to secondary sales to third-party
purchasers, which makes secondary sales often the preferred route for many
companies. Third parties who are considering initiating a tender offer should
be aware that there are strict tender offer securities rules which must be
adhered to in the conduct of any such offering.

in Secondary Sales

Valuation: Tender offers will
always affect a company’s 409A valuation. The degree to which any transaction
will impact the valuation depends on the terms of the transaction, the parties
involved in the transaction, the size of the transaction, and the methods used
by the valuation firm.

: Restrictions
on the sale or transfer of shares, such as rights of first refusal, or state
corporate law ‘control share acquisition statutes’, are often imposed on shareholders.
Therefore, potential sellers must review the organizational documents they
signed or are otherwise bound by (i.e., the company’s bylaws, certificate
of incorporation, and shareholders agreements, for example) to determine if
there are obstacles to transfer unique to the company.

: Secondary
sales must also comply with federal and state securities laws. Part of
compliance with securities laws is the proper disclosure of information to
potential buyers. When it comes to the disclosure of information, on the one
hand, sellers may have signed a confidentiality agreement with the company to
protect against the disclosure of confidential information to third parties
including prospective buyers. However, this restriction must be balanced with whether
or not the seller has material, non-public information which would impact the

Summary: Compliance with
securities laws, a thorough review of the applicable transfer restrictions, and
the company disclosing material information will all help sellers obtain a
higher price for their otherwise illiquid shares.

wanting to hold off on a liquidity event and get through this financial
volatility while providing employees and other common stock holders an
opportunity to achieve personal liquidity should consider the avenue of a
secondary sale.

Dated April 7, 2020

Written by Stan Sater and
Jeff Bekiares

*      *      *

If you are a business that has
questions about secondary sales of private company common stock or tender
offers, contact our Founders Legal team at [email protected] and [email protected].

Part One: Managing Equity Incentive Plans in a Volatile Market

This blog post is part one of two
discussing equity incentives and ways for employees to liquidate a portion of
their shares while the company remains private. Most companies are in the middle
of granting 2020 annual equity awards. This granting of equity awards is
happening simultaneously with the COVID-19 outbreak and the larger volatility
on business operations and financial markets. The purpose of this blog is to
highlight some considerations when granting equity awards in light of recent


threshold consideration is the overall value of the company, which then flows
through to the value of any equity incentives being granted, impacting such
matters as the strike price and the number of incentives being issued to eligible
recipients (such as, e.g., employees, contractors, advisors, and directors).
Although it is not required by law to do so, typically, a company will conduct
a 409A valuation to derive the fair market value of the company and its common
stock, to provide a base for determination of the value of any equity
incentives to be issued (although other factors may be taken into account as
well). A 409A valuation is often (but not always) different from a company’s
post-money valuation following a financing round because investors typically
receive preferred stock. Nonetheless, it is generally good practice to
commission a new 409A valuation every 12 months, before the company issues its
first common stock options, after raising a round of venture financing, and/or
when there is a material event that may impact the value of the company.


incentive plans are standard features of startups granting an equity interest
in the company to employees and other personnel allowing them to share in the
upside potential of the company. A well-crafted omnibus equity incentive plan
is going to give the company the optionality to issue (a) Incentive Stock
Options (ISO), (b) Non-qualified Stock Options (NQSO), (c) Restricted Stock and
(d) Restricted Stock Units. Within the equity incentive plan, the committee
appointed by the board of directors to administer the plan should have the
authority, among other matters, to determine when the awards are to be granted
under the plan and the applicable grant date; to determine the number of shares
of common stock subject to each award; to determine the instrument to grant the
employee or personnel; and to amend the awards including the time of

So, if
the 409A valuation returns a lower than expected valuation (especially given
the current market) requiring the company to use more shares from the equity
incentive pool than anticipated, the company could consider certain
alternatives, such as, for example:

  • grant restricted stock units (RSUs), which command a higher
    value based on how the RSUs are structured, thereby requiring fewer shares to grant
    to come to an equivalent value;
  • make the equity awards contingent on shareholders approving an
    increase in the size of the equity incentive pool at the annual meeting;
  • delay the grant until the after the annual meeting of
    shareholders, if an increase in the size of the equity incentive pool is
    approved; or
  • provide the option to have the awards cash-settled (which itself
    does come with some tax and accounting downsides).

might also be an option to reprice the options if the equity incentive plan
permits or pending shareholder approval. If the repricing involves any change
in the award other than a reduction in the exercise price, such as exchanging
options for RSUs, the company must comply with securities laws and the
corresponding tender offer requirements. If a repricing is not an option, the
company could also consider granting supplemental awards. However, the granting
of supplemental awards does come with accounting difficulties and would adversely
affect the company’s dilution levels.

It is
also worth mentioning that there could be ‘upside’ to a lower than expected
409A valuation, in light of recent events, as it relates to equity incentive
base pricing. With lower base pricing, there is an opportunity for companies to
issue equity incentives that are credibly (and, more importantly, tax
) less valuable than they were even one month ago. If one
believes that the price of equities and company valuations are, currently,
artificially low as a result of the COVID-19 scare, then, by the time they
return to normality, the previously issued equity incentives will be more
valuable in the hands of key employees and other recipients. Explanation the
company’s theory of the same could be a useful recruiting tool for key employees
in these uncertain times.

Our View

Boards and management teams should consult
with their legal, tax, and accounting advisors before changing their equity
incentive plans as changes can force the company down different paths. As well,
the boards and management teams should make decisions based on potential
reactions from all stakeholders who are dependent on the future of the company.
The next few months are shaping up to be volatile economic times but that also
means time for introspection and internal brand strengthening to come out
stronger on the other side.

Looking past the issuance of equity and
incentive compensation, Part 2 of this blog post is going to cover companies
conducting internal tender offers for those seeking to sell a portion of their
vested options while the company remains private and weathers this financial

Dated April 6, 2020

Written by Stan Sater and
Jeff Bekiares

*      *      *

If you are a business that has
questions about equity incentive plans, contact our Founders Legal team at [email protected] and [email protected].