GDPR – top 10 to get your franchise in shape?

Franchise businesses which collect and use data from European citizens – whether established in the EU or not – should already be aware that the legal landscape which applies to handling customer data has changed dramatically with the implementation of the EU General Data Protection Regulation (“GDPR”) which came into force on 25 May 2018.

Why bother?

Increasingly, when a franchise business is asked to identify its most valuable asset, it will point to its customer data.

Compliance with data protection rules – which may have been seen in the past as an obstructive, legalistic requirement – can actually be central to building trust and loyalty with individual customers. An individual who understands how his or her personal data is being used, and who has an element of choice about how it is used, is much more likely to share that data with an organisation. On the other hand, because of greater consumer awareness and concern about the potential abuse of customer data, an organisation that is cagey about its collection and use of personal data or that gives individuals little choice may well lose customers. In a technology-driven age where more people are aware of their privacy rights, a brand that demonstrates that it ‘gets’ privacy will have an advantage over its competitors.

For franchise businesses, the commercial challenge and opportunity requires that teams are structured around the customer and not just the channel, thus guaranteeing more integrated collaboration between the corporate-owned business and franchisee-owned business.

It is paramount for the Franchisor to be crystal clear about GDPR with Franchisees and to ensure they are compliant locally. This requires effective internal communications which also can be supported by internal checklists to secure that all branches are on-board.

What’s GDPR all about?

The GDPR is particularly centred on preserving a data subject’s fundamental right to data protection and to this end the legislation extends their rights. Of course, individuals have a new right of data portability under the GDPR and it will be necessary for businesses, where this is relevant, to have the appropriate procedures in place to enable individuals to port their data to a new controller.  Under the right to erasure, more popularly known as the “Right to be Forgotten”, individuals can request that their data is deleted. Where a data breach results in a high risk to individuals they need to be made aware as soon as possible about the data breach.

Businesses therefore need to be familiar with data subject rights and be able to comply with them easily, especially as they must be exercised free of charge and within strict time limits. Equally, this compliance will take place under the pressure of knowing that if anything goes wrong data subjects, or a representative body on their behalf, can bring a complaint to the individual’s local data protection authority and/or a claim for compensation.  An individual’s ability to make a claim for compensation will also be much easier under the GDPR so while regulatory fines of up to €20 million or 4% of annual worldwide turnover can be imposed, the price tag for non-compliance with the GDPR could be much higher if there are also claims from data subjects.

Beyond ensuring that you are able to effectively respond to and manage data subject rights there are a number of other important considerations which may assist you in determining how you best plan your resources and budget over the forthcoming months.

GDPR top 10 checklist

In no particular order of priority you may want to consider (or even tick off your to do list):

1. Privacy Notice: Have you reviewed yours recently?

Privacy Notices need to be in a clear and easy to read form and include certain mandatory information specified by the GDPR.

2. Consent: Are your existing practices compliant under the GDPR?

Consent must be “unambiguous” and, if relying on consent to process data, you must be able to demonstrate that the data subject has given valid consent. Under the GDPR it must be as easy to withdraw consent as it is to give it.  Do your systems provide a suitable solution for this?

3. Outside the EU? The GDPR may still apply to you – yes, that includes US franchisors.

The GDPR applies to non-EU businesses that (i) provide goods and services into the EU (regardless of whether there is a charge) or (ii), monitor the behaviour of EU residents.  If the GDPR does apply to you, have you considered whether you need to appoint an EU data protection representative?

4. Data Protection Officer: Do you need to appoint one? Have you identified who will be your DPO?

A DPO can be in-house or external but they must have expert knowledge in data protection law and a reporting line to the Board. It may be possible to have a group DPO for a franchise network.

5. Breach Notification: How prepared are you for a data breach?

The GDPR introduces mandatory data breach reporting, which generally will need to happen within 72 hours. Do you know how quickly 72 hours can tick by when time is of the essence?  Data protection authorities need to be notified and as mentioned above individuals as well.  Do you have a tried and tested incident response plan in place?  No?  It is an essential must have.

6. Privacy by design and by default

Data protection is no longer a side issue. It is firmly centre stage and a core element of any design process.  Data protection principles must be implemented and data minimisation is a key requirement.  How are you ensuring this happens as you develop your business technology?

7. Accountability: Can you demonstrate your compliance regime?

Can you evidence that you are GDPR compliant? Under the GDPR a data protection authority has the power to enter your organisation and ask you to evidence your compliance.  It goes well beyond the record keeping provisions that the GDPR also demands.

8. Processor contracts

The GDPR specifies mandatory terms that must exist in all contracts with your external data processors. All processor contracts, both new and legacy contracts, must be brought into line. Have you started to prepare new contract templates and to (re)negotiate?  Do not leave it too late!

9. Fines: Up to 2% or 4% of annual turnover, and damage to brand reputation

Although the level of regulatory fines that companies are exposed to and an individual’s right to bring a civil action have already be mentioned, given the potential consequences it is worthy of repetition. It is also worth considering that the cost of becoming GDPR compliant to any business is a fraction in proportion to what fines, costs, brand damage a business might easily be exposed to if an appropriate GDPR readiness strategy is not implemented before this time next year.

10. Update your franchise agreements and data protection policies

Now is a good time to revisit your standard agreements and policies to ensure that they are aligned with your strategy for customer engagement. This needs to be looked at holistically, including how marketing campaigns and customer touch points, such as apps and e-commerce platforms, are operated and the underlying need for sharing data and obtaining consent. It is important to ensure that the liability provisions are reviewed and termination and post termination provisions are up to scratch for the purposes of business continuity.

Does Brexit make this all go away for UK businesses?

No. On 21 December 2016 the UK Government released a report confirming its intention to apply the GDPR despite Brexit. The process of exiting from the EU is likely to be a protracted affair and, during the interim period at least, the UK will remain fully subject to EU laws – including EU data protection laws.

GDPR will apply to every business – whether in the EU or not – that offers goods and services to EU citizens or that monitors EU citizens’ behaviour.  UK businesses selling into the EU will therefore still be subject to GDPR requirements, as will wider international businesses operating across the UK and the EU.  The UK’s leaving the EU won’t change this.

This article was initially published by Gordon Drakes at Fieldfisher