


February 12, 2018
By: Angela Bandich, Esq.

The European Union’s (“EU”) new data privacy rules, called the General Data Protection Regulation (“GDPR”), will become effective on May 25, 2018 and will impact how U.S. businesses collect and use personal data.

1. Geographical Scope of the GDPR

Despite being a European regulation, the scope of the GDPR reaches far beyond just the EU.  In fact, any company that (i) offers goods and/or services to individuals (called “Data Subjects”) who are located in the EU (even if there’s no payment involved) or (ii) monitors the behavior of Data Subjects in the EU will be subject to the GDPR if the company collects and processes their Personal Data. This means the GDPR rules will apply to companies even if the companies are not located in the EU.

“Personal Data” is defined in the GDPR as any information relating to an identified or identifiable natural person (someone who can be identified, directly or indirectly, by reference to data such as name, an identification number, location, an online identifier, or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).

The GDPR will therefore likely apply to most companies, particularly those in e-commerce, travel, software or media industries that are global in their reach. For example, in response to the GDPR, Facebook recently notified its users that it will be updating its data policies and procedures (

2. Obligations of Companies

As a result of the GDPR, companies now need to ensure that Personal Data of Data Subjects is (i) collected for specified, explicit, and legitimate purposes, (ii) limited to what is necessary in relation to those purposes, (iii) accurate and up to date, (iv) kept no longer than necessary for the purposes, and (v) processed in a secure manner.

Furthermore, the collection and processing of Personal Data is only lawful under the GDPR if the company satisfies one or more of the following:

  • The Data Subject has given consent to the processing of his personal data for the specific purpose(s); or
  • Processing is necessary:
    • for the performance of a contract for which the Data Subject is a party;
    • for compliance with a legal obligation;
    • to protect the vital interests of a Data Subject or other natural person;
    • for the performance of a task carried out in the public interest or under official authority; or
    • for purposes of legitimate interests, except where such interests are overridden by the fundamental rights and freedoms of a Data Subject that require protection of his or her Personal Data.

Consent. If a company claims that the Personal Data was collected and processed based on consent from the Data Subject, the company must be able to prove it. If a request for consent is included in a written document with other matters, the request must be clearly distinguishable from the other matters and presented intelligibly and in clear and plain language. The Data Subject also has the right to withdraw his or her consent at any time, and the Data Subject must be informed of such right prior to giving consent. Finally, the GDPR states that consent must be freely given, particularly in situations where the performance of a contract, including providing services, is conditional on the Data Subject giving consent to the collection and processing of his or her Personal Data which is not necessary for the performance of the contract.

There are also specific rules in the GDPR related to the collection and processing of data of children (Article 8) and special categories of Personal Data (Articles 9 and 10).

Article 30 also requires that each company and any third party representatives that assist with the processing of Personal Data maintain records of processing activities, unless the company qualifies for exemption. Designating a Data Protection Officer may also be required under Articles 37-39 if the company’s processing activities require regular and systematic monitoring of Data Subjects on a large scale or of special categories of Personal Data.

Security Measures and Breaches. Companies must implement technical and organizational measures to “ensure a level of security appropriate to the risk” associated with the likelihood and severity of impact to the rights and freedoms of Data Subjects upon a breach (Article 32).

If there is a breach of Personal Data, a company is required to notify an appropriate EU supervisory authority within seventy-two (72) hours after becoming aware of the breach, unless the Personal Data involved in the breach is unlikely to result in a “risk to the rights and freedoms” of the Data Subject or other natural persons. If the security breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the company must also notify the Data Subject of the breach without “undue delay” (Articles 33 and 34). This means that companies and their IT teams must be able to evaluate every breach to determine which level of notice is required, if any.

3. Rights of Data Subjects

Data Subjects have specific rights under the GDPR, including but not limited to:

  • Access to Data (Articles 12 – 15): the right to obtain information about their Personal Data, free of charge (with exceptions), if requested. Companies should also be aware that some information must be provided to the Data Subject at the time the Personal Data is collected, such as: the identity and contact details of the controller of the Personal Data; the contact details of the data protection officer, if applicable; the purposes of the Personal Data processing; the recipients of the Personal Data, if any; and whether the Personal Data is to be transferred to another country.
  • Right to rectify (Article 16): the right to have companies rectify, without undue delay, any inaccurate Personal Data that is collected.
  • Right to be Forgotten (Article 17): the right to request that Personal Data be erased, without undue delay.
  • Right to Restrict (Article 18): the right to restrict the processing of their Personal Data in the future.
  • Data Portability (Article 20): the right to receive the Personal Data collected about the Data Subject in a commonly used, machine readable format to transmit the Personal Data elsewhere.
  • Right to Object (Article 21): the right to object to the processing of Personal Data, particularly if profiling is based on the automatic processing of the Personal Data under Article 6(1)(e) or (f).

4. Penalties for non-compliance

Data Subjects have the right to file complaints with supervisory authorities in the EU, as well as the right to receive compensation for damages suffered as a result of non-compliance with the GDPR (Article 82).

Administrative fines are also possible, depending on the specific circumstances of each individual case. Depending on the type and severity of the non-compliance, the fine can be as much as 20,000 EUR or four percent (4%) of the company’s total worldwide annual revenue, whichever is higher. How the EU plans to enforce such penalties against non-EU companies, however, is not clear.

As a result of the GDPR, companies should implement changes to their data collection and data privacy policies that allow enough flexibility to analyze and report security breaches, as well as respond to requests by Data Subjects. Companies should also understand what types of Personal Data are being collected from Data Subjects, where the Personal Data is being stored, what security measures are in place around the Personal Data, and who has access to the Personal Data.



First Time Entrepreneur Workshop with VC Speaker: Rob Vickery

We are pleased to announce that Rob Vickery, founder of Stage Venture Partners, will be joining us at our FTE Workshop on February 17th, 2018! Click here to sign up

About Stage:

Stage Venture Partners is a seed venture capital fund that invests in emerging technology for B2B markets.

Founded in 2015 by two entrepreneurial partners, Stage is designed to deliver active and thoughtful investment. One of us is a successful international operator who has built global businesses. The other an experienced angel investor and venture capitalist with a strong track record.

Stage invests in Founders building frontier technology for enterprise clients. We offer access, services, and expertise that are unique in our market, leading to remarkable results for our portfolio.

We are not thesis, geographic or sector focused, but instead business model focused. We invest only in software companies that solve problems for companies, monetizing either through SAAS or transaction fees.

Rob Vickery:


Before founding Stage with Alex Rubalcava, Rob created the Entertainment and Technology Division for BNY Mellon and was the North America Director for Lloyds International, one of the world’s leading financial institutions, focusing on major corporate entertainment-related investments. He has also spent a number of years working with and advising a range of international music and film talent on embracing new forms of technology.

Rob is also on the board of the British Academy of Film Television Arts (BAFTA) LA Games, British American Business Council, South Central Scholars and the Chairman of the School of Business & Entrepreneurship at Dorsey High School.

Rob graduated from the University of Gloucestershire, UK, in 2003. In his downtime, Rob is an amateur paleontologist, snowboarder and gaming addict (come and find me on PSN (BeverlyHillsBrit) or Xbox Live (saasfundr)).


January 27th, 2018: First Time Entrepreneur Workshop

Calling all first time entrepreneurs!

LAVA’s First Time Entrepreneur workshop is scheduled for Saturday, January 27th, 2018!

At this workshop you will learn how to:

  • Determine the value of your company
  • Put together a capitalization table
  • Understand how Venture Capitalists screen potential investments
  • Understand the differences between trademarks, copyrights and patents and when you need each of them
  • Choose co-founders
  • Network at startup events — the right way

For more information and to sign up, visit: First Time Entrepreneur Workshop

Jan 27th, 2018: First Time Entrepreneur Workshop

Calling all entrepreneurs!

Members are free; non-members $50.

During our five hour program, you will learn how to:

  • Determine the value of your company
  • Put together a capitalization table
  • Understand how VCs screen potential investments
  • Understand the differences between trademarks, copyrights and patents and when you need them
  • Choose co-founders
  • Network at startup events — the right way

The program will be taught by LAVA board members and veterans of the venture space. The program is generously sponsored by Crowley Corporate Legal Strategy.

Click here to sign up

Last Call! Top Ten Legal Mistakes Made by First Time Entrepreneurs on Thursday Oct. 19th

Last call to RSVP for our event tomorrow, Top Ten Legal Mistakes Made by First Time Entrepreneurs.

The event is FREE, but please register here:



Thank you to ShuiMu America-China Innovation and Entrepreneurship Forum

On October 1st I attended the ShuiMu America-China Innovation and Entrepreneurship Forum in San Gabriel, California. Thank you for having me as a judge for the pitch competition.

Top Ten Legal Mistakes Made by First Time Entrepreneurs


Join us on October 19th for our Top Ten Legal Mistakes Made by First Time Entrepreneurs event at Innovate Pasadena’s Connect 17.

Date: Thursday October 19, 2017
Time: 6:00pm – 7:00pm
Location: CTRL Collective

The event is FREE to all attendees, but RSVPs are requested: