Protection for founders: how to keep your startup YOUR startup

I get a ton of founders asking me how to keep control of their startup, so here is a checklist on how to do it.

First, you must know these underlying principles. Don’t be lazy about it. At a minimum, read the linked articles and understand these underlying points.

A. Understand the framework and know what stock is

You have to know the basics. Know what stock is. Founders get common stock. Investors get preferred stock, which carries rights that common stock does not.

B. Know the math

You will be outgunned if you don’t understand the mathematics of share price, dilution and ownership percentages.

C. Offer vanilla terms and be reasonable with investors

People forget that investors and founders are going to be on the same team.

Vanilla terms are sexy. Don’t get too fancy, especially if your startup is in Texas.

D. Have a startup lawyer watch your back

Have your own startup lawyer, one who is on your side rather than the investors’ side.

Check these off and you’re in good shape to keep control of your startup

Since you have the underlying principles down pat, now for the more nitty-gritty.

___ 1. Make sure IP belongs to the startup

If your company doesn’t own its own IP, what does it own?

___ 2. Vest founders’ shares

Founders’ shares need to be subject to a vesting schedule. You don’t want a co-founder who leaves after a few months to walk away with a large, fully owned chunk of the company.

___ 3a. Realize that you will never have 100% control of your startup

You have to realize that. The startup will never be yours completely. You have to share.

___ 3b. Use proper anti-dilution provisions

Be prepared to be diluted. But control that process. Anti-dilution provisions protect the investors’ preferred stock in a down round, and the form matters: a broad-based weighted-average adjustment is the standard, founder-friendly version, while a full ratchet can hand investors a large additional slice of the company after a single down round. Here’s how.

___ 4. Raise money at the right time

If you raise money too early, you’ll have to give up a large share of your company in return for investor funds, and that will cost you control. The flip side is that you will have to give equity in exchange for funds in order to grow your company. In other words, timing is important.

Additionally, run a good business with strong fundamentals. People try to get too fancy. The best companies I’ve seen are those with good fundamentals.

___ 5. Pick investors wisely

Too many founders jump at the first investors that show any interest. It’s like over-eager dating.

___ 6. Get the right valuation for your startup

Know the math really well. I’ve already linked to this article, but if you didn’t read it before, read it now.

___ 7. Choose board seats wisely & don’t let shares get passed around

Share and board control are important. Don’t let these things slip from your fingers.

___ 8. Don’t allow a high liquidation preference and don’t allow for participating preferred stock

A liquidation preference sets how much investors get paid out before common stockholders see anything on a sale; participating preferred lets investors take that preference and then also share pro rata in whatever is left. While these don’t affect control of the company much at first, they definitely affect who controls the money later.

___ 9. Limit legal troubles and lawsuits. Follow GDPR and other regulations.

A huge legal dispute has the potential to make you lose control of your startup. Here’s how to keep that from happening.

Regulations like GDPR are coming down the pipe with heavy penalties and consequences for tech companies. If you get hit by these, then problems may spin out of control.

Do those things and you’ll be fine. Don’t overthink it. Keep focused on making your startup a better startup. Remember: you need to share control of your startup if you want to grow it. Just do it intelligently. Contact me and let’s get some coffee if you want to talk about it.

How do startups transfer data under GDPR? (Hint: join the Privacy Shield)

Let’s talk about this because this is an area that people get confused about.

1. If you are a startup in Texas, GDPR can apply to you

GDPR is a European regulation that sets binding rules on data protection and privacy for “controllers” and “processors” of personal data. The EU found a need to deal with privacy issues in the wild west of data handling, so it did something about it.

If you are a startup in Texas, GDPR can apply to your startup if you handle the personal data of individuals in the EU, offer goods or services to them, or monitor their behavior. If you are unsure whether GDPR applies to your Texas startup, read this article.

If you need a refresher on GDPR in general, then read this article.

2. Data transferring to/from Europe is restricted and you can only do it in three circumstances

GDPR restricts transfers of personal data outside of the European Economic Area (EEA) unless there are assurances that proper data protection is in place.

You can only transfer data outside of the EEA if one of the following applies: there’s been an adequacy decision by the EU Commission, there’s an appropriate safeguard, or there is a proper exception. I’ll tell you what that means below.

i. The transfer is covered by an adequacy decision

One of the three ways you can transfer data outside of the EEA is if the transfer is covered by an adequacy decision.

This means that the EU Commission has decided that these countries have an appropriate legal framework that protects individuals’ rights and freedoms (in other words, the data and privacy protections in that country are ‘adequate’). The Commission has given an adequacy decision for a few countries. Under European rules you can transfer data to the following places on that basis:

Andorra, Argentina, the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

You’ll note that the United States is not on that list. You might be surprised. We can go into why, but maybe we can have that discussion some other time. However, the EU Commission has made partial findings of adequacy for Canada, Japan and the U.S. (see below for transferring data between the EEA and the U.S.).

ii. There’s an appropriate safeguard

You can transfer data outside of the EEA if there is an appropriate safeguard.

This means that even though there’s not an adequacy decision for the country regarding your data transfer, there are “appropriate safeguards” that individuals’ rights and freedoms will be protected. Here are the appropriate safeguards:

a. a legally binding and enforceable instrument between public authorities or bodies;

Don’t worry about this if you’re not dealing with a public authority.

b. binding corporate rules;

Binding corporate rules (BCR) are a set of internal rules within a multinational group of companies that set out the procedures for data protection. BCR must be approved by an EEA supervisory authority.

c. standard data protection clauses (or model clauses) adopted by the Commission;

The Commission provides data protection clauses that can be incorporated into a contract. If the contract between you and the receiver incorporates them, the data transfer can take place even outside of the EEA.

d. an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;

If there’s a code of conduct approved by a supervisory authority and the receiver has signed up to that code, then the transfer can take place.

e. or an approved certification mechanism together with other binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

A transfer can be made if the receiver has a proper certification. This mechanism has not been fully set up yet.

iii. there’s an exception

Even if there is no adequacy decision and no appropriate safeguard, you may still be able to transfer data outside of the EEA if one of the exceptions (GDPR calls them derogations) applies. Here are the exceptions.

a. the data subject has explicitly consented to the proposed transfer;

Remember, don’t play games with consent. You must actually get explicit consent from the individual, after telling them about the possible risks of the transfer given the absence of an adequacy decision and appropriate safeguards, not some bullshit form of consent.

b. the transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual measures taken at the data subject’s request;

This exception can only be used for the occasional data transfer.

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

This exception can only be used for the occasional data transfer.

d. transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defense of legal claims;

This exception can only be used for the occasional transfer.

f. transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is incapable of giving consent;

g. transfer is made from a public register;

h. or there are compelling legitimate interests

This is for unique and special circumstances. Use this as a last resort. For a broader discussion on compelling legitimate interests as a concept under GDPR see this article.

3. You can transfer data to the U.S. under the EU-US Privacy Shield framework

I mentioned above that the EU Commission made an adequacy determination about data transfers and certain countries. Only certain nations had adequate protections. The U.S. is partially adequate; the adequacy finding for the U.S. is only for transfers covered by the EU-US Privacy Shield framework.

What is the Privacy Shield?

The EU-US Privacy Shield is a self-certification procedure that is overseen by the Department of Commerce.

A startup in Texas (or anywhere in the U.S.) must join the Privacy Shield in order to rely on that adequacy determination when transferring data under GDPR. The organization can’t simply be in the U.S. and do data transfers. That’s not good enough. If the startup is in the U.S., it needs to be part of the Privacy Shield to be adequate for data transfers.

4. How a startup can join the Privacy Shield Framework and how the Privacy Shield works

i. You have to apply to be certified

Joining the EU-US Privacy Shield is a self-certification process. There are certain requirements of the Privacy Shield and you must abide by the principles. Additionally, your startup must publicly disclose privacy policies and actually implement the principles. The company will be subject to investigatory and enforcement powers of the Federal Trade Commission (FTC) or other bodies to ensure compliance with the principles.

ii. Publicly state commitment to comply with the principles

The Privacy Shield sets out a number of data protection principles that a startup must abide by in order to comply. Here are the principles:

a. Notice - must inform individual about participation in the Privacy Shield, contact information, etc.

b. Choice - must offer individuals the opportunity to choose whether their personal information is to be disclosed to a third party or used for a materially different purpose

c. Accountability for onward transfer- startups must comply with notice and choice principles to transfer personal information to a third party; startups must enter into a contract with the third party controller that respects proper data protection principles

d. Security - startups handling personal information must take steps to protect the data

e. Data integrity and purpose limitation - personal information must be limited to the information that is relevant for the purposes of processing.

f. Access - individuals must be able to access the personal information that the startup holds about them and be able to correct, amend or delete it where it is inaccurate or has been processed in violation of the principles.

g. Recourse, enforcement, and liability - privacy protection must include mechanisms for assuring compliance with the principles.

Supplemental principles

There are also 16 supplemental principles. You can see them starting from here and they concern:

i. Sensitive data

ii. Journalistic exceptions

iii. Secondary liability

iv. Performing due diligence and conducting audits

v. The role of Data Protection Authorities

vi. Access

vii. Self-certification

viii. Verification

ix. Human resources data

x. Obligatory contracts for onward transfers

xi. Dispute resolution and enforcement

xii. Choice - Timing of opt-out

xiii. Travel Information

xiv. Pharmaceutical and medical products

xv. Public record and publicly available information

xvi. Access requests by public authorities.

iii. Pay the appropriate fees

Fees are set by the size of the organization. Here are the fees.

Organization’s annual revenue            Fee (single framework)
$0 to $5 million                         $250
Over $5 million to $25 million           $650
Over $25 million to $500 million         $1,000
Over $500 million to $5 billion          $2,500
Over $5 billion                          $3,250

5. Conclusion

In short, join the Privacy Shield framework if you are a startup in the U.S. and you want to transfer data out of Europe. For more information on the Privacy Shield, see the Privacy Shield website. One caveat: the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 (Schrems II, Case C-311/18), so confirm the current status of EU-U.S. transfer mechanisms before relying on this route. Email me or let’s get some coffee if you have any questions.