GDPR: What do Franchisors Need to do?
Managing your franchise data
At Data HQ we work with leading franchise organisations helping them with their varying data marketing needs.
The structure of many franchised operations creates unique challenges for preserving consumer privacy and protecting personal information. The introduction of the new General Data Protection Regulation (GDPR) in May 2018 will bring significant change to the privacy landscape and new challenges for franchisors.
The new GDPR law - with the potential to impose fines set at 4% of world-wide turnover - will apply to any entity, anywhere in the world, that processes personal information about European residents, or monitors their behaviour. This means that any franchise serving European countries needs to pay attention to the GDPR and prioritise compliance.
A good question!
Like most successful businesses, when a franchise business is asked to identify its most valuable asset, it will point to its customer data. How this data is collated, stored and used is therefore paramount to ensuring it is compliant and can be used lawfully in marketing communications.
What's GDPR all about?
The GDPR is centered around a data subject's fundamental right to data protection. In addition, individuals have a new right of data portability under the GDPR and it will be necessary for businesses, where this is relevant, to have the appropriate procedures in place to enable individuals to port their data to a new controller. Under the right to erasure, known as the "Right to be Forgotten", individuals can request that their data is deleted. Where a data breach results in a high risk to individuals, they need to be made aware of the breach as soon as possible.
Businesses therefore need to be familiar with data subject rights and be able to comply with them easily, especially as they must be exercised free of charge and within strict time limits. Equally, this compliance will take place under the pressure of knowing that, if anything goes wrong, data subjects, or a representative body on their behalf, can bring a complaint to the individual's local data protection authority and/or a claim for compensation. An individual's ability to make a claim for compensation will also be much easier under the GDPR, so while regulatory fines of up to €20 million or 4% of annual worldwide turnover can be imposed, the price tag for non-compliance with the GDPR could be much higher if there are also claims from data subjects.
Does Brexit make this all go away for UK Franchise businesses?
GDPR will apply to every business - whether in the EU or not - that offers goods and services to EU citizens or that monitors EU citizens’ behaviour. UK businesses selling into the EU will therefore still be subject to GDPR requirements, as will wider international businesses operating across the UK and the EU. The UK’s leaving the EU won’t change this.
Here is our published guide to aid preparations:
- Understanding: what personal data do you hold? Organise a data audit which will help document what you have, where it came from and who you share it with.
- Awareness: ensure all key decision makers within the organisation are aware the law is changing to the GDPR.
- Regulation: review procedures to ensure all the rights individuals have are covered, e.g. how you provide data electronically (and in a common format), and how you would delete personal data if requested.
- Requests: plan for how the organisation will handle requests within the new timescales and provide any additional information that customers may demand.
- Processing: review the various types of data processing your organisation carries out, identify the legal basis for carrying it out, and ensure this is documented.
- Consent: review how the organisation is seeking, obtaining and recording consent and whether any changes are required.
- Breaches: ensure the correct procedures are in place to detect, report and investigate a personal data breach.
- Officers: ensure there is a nominated Data Protection Officer or someone to take responsibility for data protection compliance.
- International: understand which markets your organisation operates within. If this is international you should determine which data protection supervisory authority you fall under.
In addition, here is advice we have been sharing with our franchise clients:
Update your franchise agreements and data protection policies
Now is a good time to revisit your standard agreements and policies to ensure that they are aligned with your strategy for customer engagement. This needs to be looked at holistically, including how marketing campaigns and customer touch points, such as apps and e-commerce platforms, are operated and the underlying need for sharing data and obtaining consent. It is important to ensure that the liability provisions are reviewed and termination and post termination provisions are up to scratch for the purposes of business continuity.
For a franchise business, the above is not an exhaustive list of what you must consider and action before the GDPR becomes applicable. It is, however, a good starting point.
For franchise businesses, we believe the structure would benefit if organised around the customer and not just the channel, thus guaranteeing more integrated collaboration between the corporate-owned business and franchisee-owned business. Ultimately, GDPR cannot be ignored and businesses, however they are structured, need to be compliant.
- Are you a franchise business?
- Do you understand the implications of GDPR?
- Are you looking for help with your data management?