A fundamental change in data protection law, in this case the GDPR, the new data protection regulation which came into force in May, will have particular relevance for anyone involved in a franchisor/franchisee relationship. Why? Because of the way in which data is handled. A franchisee operates their own business and is, under the existing Data Protection Act 1998 (“DPA”), a controller (i.e. a person that determines the purpose for and manner in which data is processed). Franchisors, by contrast, are not merely associated parties: despite their obvious vested interest in that data (under many franchise agreements, client data can only be used within the franchisor’s system, licensed to the franchisee under their franchise agreement), they also have a vested interest in the information that their franchise network collects and processes. Ultimately, customers or clients are entering into a relationship with the brand, meaning the franchisor.
From a practical standpoint, a franchisor’s relationship with ‘its’ customer data has arguably been that of a data processor, with access to records of this information maintained and used by its franchisees and, in some cases, providing facilities to capture prospects (those that might be interested in a franchisee’s products or services) through a central website, micro-site or page dedicated to a particular franchisee’s territory. A franchisor that does not undertake specific analysis on this data as a whole is arguably no more than a data processor under the current DPA; but under the GDPR, processors become subject to much enhanced obligations, not dissimilar to those applicable to their network of franchisees.
Taking the relationship from another angle, to some degree the franchise network will rely on the franchisor to guide them in best practice and compliance; after all, their purchase of a franchise would, to some extent, have been to avoid the need to devise, think about and implement much of the back-office function of the business. The expectation within a franchise, as a ‘business-in-a-box’, is to be able to open and focus on sales and growth, without much of the burden applicable to a start-up or owner-operator.
Much has been made of the vast fines that could apply to a data breach; these should not be ignored, but our own assessment, as with much of the true approach to the GDPR, is that proportionality will play its part. If a small business with turnover of around £150,000 were to spend £30,000 to achieve compliance, that would be disproportionate, as it represents 20% of their turnover and possibly a large proportion of the profit of the business.
However, what if you are a franchisor? Given a franchisor’s role in directing and guiding their network of franchisees, and their increased obligations under the GDPR even if they are only a data processor, they have an obvious interest in the protection of their brand and reputation, which could be seriously damaged following a data breach by a careless franchisee, even though they may not be directly responsible for the processing of that data. Franchisors should be taking the lead and communicating not only with their own internal team but also across their franchise network to ensure that plans are in place and assessments are carried out to minimise the potential risks.
What we are seeing is franchisors handing out masses of information with some guidance and leaving it to the franchisee to create their own compliance policies and procedures. Very often this doesn’t happen, and when it does, the work is not sufficient to demonstrate compliance. Surely the franchisor wants the franchisee to be focussed on the business they are in, not spending months creating policies.
An updated privacy notice will also be required so that clients of the franchisee are made aware that their personal data may be shared with, and possibly processed by, the franchisor. This will relate to a clause in the operations manual, and a procedure and policy should be put in place to ensure best practice.
How we help Franchise Businesses
As GDPR consultants we are supporting franchisors and franchisees with:
1) Delivering implementation of GDPR, including data minimisation and analysis, not just guidance;
2) Advice and updates to operations manuals, technical notes and training around secure and effective data management;
3) Updated privacy notices and communications, including on websites and social media;
4) Handling data requests and breach notification plans – a data breach now has to be notified within 72 hours; and
5) Ensuring marketing is conducted legally, including under the Privacy and Electronic Communications Regulations (PECR).
We also offer Data Protection Officer as a Service, taking away all the worry of GDPR compliance.
Contact us today to find out more.