The introduction of the General Data Protection Regulation (GDPR) was agreed by the European Union (EU) in response to rapidly advancing technology and growing corporate use of sensitive data. It is designed to ensure such material remains protected, putting the owner in control of their private information, and as of Friday May 25 2018 it will officially be implemented in the UK by law as a new and improved version of the Data Protection Act, which came into force back in 1998.
But chatter around GDPR has swirled around for years and, like Brexit, has never been too far away from cropping up in business discussions. Now it’s crunch time and the legislation is hovering above companies like a grey rain cloud threatening to burst on a summer’s day. Having been approved in April 2016 after four years of discussions, apparently with the idea that firms would have long enough to get their affairs in order, it appears to have had the opposite effect.
Indeed, a study of 1,500 UK businesses published by the government’s Department for Digital, Culture, Media and Sport revealed in January 2018 that only 38% of businesses had heard of GDPR. And of those aware of it, just 27% had made moves to become compliant, the report found. Having two years to play with apparently seemed like a hell of a long time for many leaders with more immediate concerns to tackle, so it should come as no surprise to learn plenty have put GDPR on the back-burner.
With so much technical and legal jargon for companies to swallow to be compliant, it throws up a series of questions for the franchising space. Just how complex is the GDPR process going to be for franchises with a network of businesses to manage, and who is responsible for compliance? We know the nature of the franchising model means franchisors have a duty of care to franchisees, but where does GDPR fit into that? And if either the franchisor or franchisee fails to adhere to the legislation, which party is responsible – and what impact could this have on the network overall?
“Franchisees clearly store and process individuals’ data so they certainly need to be compliant as a ‘controller’,” says Nigel Davies, founder of Claromentis, the franchise network communications service. “And, ultimately, the end customers are entering into a relationship with the brand – making the franchisor with access to that data a ‘processor’.” Effectively, this means franchisors must factor franchisee compliance into their own GDPR due diligence, rather than simply focusing on what happens inside their own four walls. After all, those burying their heads in the sand are at major risk. Failure to comply could result in hefty fines – whichever is higher of 4% of business turnover or €20m.
Although it may seem like a logistical minefield they’ll have to tiptoe across with caution, franchisors will theoretically not be in any more of a difficult position than large firms with a series of locations, according to Davies, depending on the data processes they have in place. However, Suzanne Dibble, a seasoned small-business and data protection lawyer, believes they will have a tougher time than a standalone company. “There’s a greater possibility of brand damage for franchisors because of the broader spread and reduced control over the entirety of their franchise network’s operations,” she says.
Building on that, Dibble adds that while franchisors are unlikely to be legally liable for franchisees, mistakes could cause problems for finances alongside the brand. “Each franchisee bears its own responsibility for compliance; it is unlikely that the franchisor can be held legally liable for non-compliance,” she explains. “There is potential, however, that a franchisor can be held responsible – if they are controlling certain functions of the franchisee’s business.”
It goes without saying that franchises will be shaken by the introduction of GDPR to the point that they will need to adapt how their businesses are run altogether, so change is unavoidable. “New policies have to be supported by new processes such as incident reporting or data protection impact assessments (DPIA) which form a key part of GDPR,” says Davies. A DPIA, for example, is designed to help companies reduce the chances of data protection risks impacting projects. “Simple-to-use form builders can allow for these processes – such as how a franchisee collects, manages and deletes data – to easily be created and followed by all members of the team.”
And with the team in mind, GDPR calls upon companies to appoint a data protection officer to work alongside senior management and determine whether the business’s processes are all up to speed. For franchising specifically, since franchisors traditionally provide franchisees in their network with aftercare, they should make GDPR a component of that support system. While time and resources can understandably prevent the franchisor from peering over the shoulders of its franchisees to ensure compliance personally, they can still help with implementation. “I recommend that franchisors provide GDPR training to their franchisees,” says Dibble. “For instance, if there’s a data breach, loss or disclosure of personal data, there should be procedures in place for reporting to the Information Commissioner’s Office within 72 hours. There’s a lot to absorb and franchisees can get their operations in order with training and resources provided by the franchisor. It’s also important to provide them with suggestions for cost-effective legal services. Waiting for each one to take initiative and self-learn isn’t a tactic that’s likely to work.”
Gary Brooks, operations director at The Data Support Agency, a business launched in 2017 in direct response to the arrival of GDPR, agrees that franchisors should be leading from the top when it comes to education around the new data protection protocols. “The franchisor can provide access to the tools and the agreed standard way of ensuring compliance with the regulations and people’s rights,” Brooks says. “The franchisor would need input into standard policies and processes from the franchisees, as well as their time and resource in following the project plan and implementing the policies and procedures agreed in a uniform and timely way.”
It’s interesting to acknowledge that while franchisees are independently owned businesses, there’s a level of connectivity that binds the network as a whole. And if data is shared across it, that will only complicate matters further. Brooks explains: “The franchisor and franchisees are separate legal entities and, therefore, the responsibility and liability lie with these independent organisations. If the franchisor is acting as a processor or joint controller for some of the personal data held by the franchisee, then there can be joint liability.”
He hastens to add that working together is the best way to tackle GDPR, especially in the event of a breach or complaint. “A coordinated and best-practice approach would make sense,” he says. “It could be detrimental to have widely different knowledge and standards of compliance across the franchise portfolio. Ultimately, all the franchisees will have the same business model, systems and processes as well as similar types of personal data, so it would make financial and operational sense to combine resources.”
They say that two heads are better than one, so with a network of franchises to connect with, pooling resources sounds like the ideal way for franchisors and franchisees to make it out on the other side of judgement day.