One month from today, on 25 May 2018, the European Union (EU) General Data Protection Regulation (GDPR) will go into effect. In light of this, we have been recommending companies review their data privacy policies and practices in the context of equity plan participation and update their share plan documents. In the final month, we want to highlight these items again and encourage you to make sure your company’s equity programs are ready for the GDPR.
As under the existing EU data privacy regime, a valid basis is required for processing and transferring personal data under the GDPR and there are a few bases that may be used in the context of share plan administration, including:
- Necessary for Performance of Contract
- Legitimate Interest
There may also be a need to separately ensure that the company has adequate safeguards in place for the transfer of data from the EU to the US and other countries that are not considered to have equivalent data protections in place. Such safeguards include having standard contractual clauses or binding corporate rules in place between all relevant entities involved in the data flow (including outside vendors) or, in the case of some US companies, joining the US-EU Privacy Shield.
In the equity plan context, the general requirements are not completely new, but there are important reasons for focusing on these requirements now:
- Some new obligations are being introduced, including more robust disclosure requirements.
- Enforcement activity is expected to increase.
- Penalties for non-compliance are significant (up to EUR 20 million or 4% of total annual worldwide turnover).
1. Review equity award agreements, including employee share purchase plan (ESPP) forms/authorizations, to ensure the documents include or reference a GDPR-compliant data privacy provision.
- If relying on consent, update the consent language and acceptance procedures (pro-active and specific consent is required under the GDPR).
- If relying on a different basis, revise the language to reflect the new basis.
2. Consider how to cover participants with outstanding awards or ongoing ESPP participation, because previously provided consents or notices may not comply with GDPR requirements and therefore will not be valid after May 25th. Bear in mind that individuals will be receiving numerous new notices and requests for consent around this time, so it will not seem unusual to be asked for a new consent or to receive a new notice related to the equity plan.
- If relying on consent, obtain updated consent from participants.
- If relying on a different basis, provide a new or updated notice to participants.
3. Review contracts with outside vendors to ensure that any necessary updates have been made.