We have been actively working on GDPR for almost a year now, helping clients and contacts navigate the changes that this new data protection law will bring about. Sadly, many have been misled, remain confused or, despite attending lots of seminars, are still lost as to what to do! Is this you?
With GDPR taking effect one week from today, time is short, but there is still time to formulate a plan to achieve compliance. And although the law is about compliance, in practice it is also about setting yourself apart from those competitors who will simply choose to do nothing.
It has been reported this afternoon that, after several days of delay (including an adjournment because the company in question did not have a barrister available for the hearing), the Information Commissioner's Office (ICO) has obtained the warrant it sought to search the offices of Cambridge Analytica.
The delay, however, highlights the weaknesses of the system designed to protect the personal information of individuals. Those weaknesses are coming into sharp focus with the onset of the General Data Protection Regulation (GDPR) and of the Data Protection Bill, currently moving through Parliament, which will deal with related matters, including processing carried out at the behest of the state, and will govern the UK's data protection regime going forward.
After May, it is hoped that the UK regulator will have stronger powers to protect the personal information of data subjects, as companies and businesses continue to prepare for the new rules. Our own approach, and our practical workshops on Data Protection Advice, have focused on the competitive advantages for businesses of fully embracing Privacy by Design throughout their organisations. We suspect that consumers will embrace it too, particularly given the light shone on these issues by the misuse of Facebook data in this case, and will exercise their stronger and new-found data protection rights.
A fundamental change under GDPR, the new data protection code which comes into effect in less than four months (on 25 May 2018), will have particular relevance for anyone involved in a franchisor/franchisee relationship. Why? Because of the way in which data is handled. A franchisee operates their own business and is, under the existing Data Protection Act 1998 (“DPA”), a controller (i.e. a person that determines the purposes for which, and the manner in which, personal data is processed). Franchisors, by contrast, are not merely associated parties: they have an obvious vested interest in the information that their franchise network collects and processes, and under many franchise agreements client data may only be used within the franchisor’s system, licensed to the franchisee under the franchise agreement. Ultimately, customers or clients are entering into a relationship with the brand, meaning the franchisor.
From a practical standpoint, a franchisor’s relationship with ‘its’ customer data has arguably been that of a data processor: it has access to the records maintained and used by its franchisees and, in some cases, provides facilities to capture prospects (those who might be interested in a franchisee’s products or services) through a central website, micro-site or page dedicated to a particular franchisee’s territory. A franchisor that does not itself analyse this data as a whole is arguably no more than a data processor under the current DPA. Under GDPR, however, processors become subject to much enhanced direct obligations, not dissimilar to those applicable to the controllers in their franchise network.
Taking the relationship from another angle, the franchise network will to some degree rely on the franchisor to guide them on best practice and compliance. After all, their purchase of a franchise would, to some extent, have been to avoid the need to devise, think about and implement much of the back-office function of the business. The expectation within a franchise, as a ‘business-in-a-box’, is to be able to open and focus on sales and growth without much of the burden that falls on a start-up or owner-operator.
Much has been made of the vast fines that could apply following a data breach. These should not be ignored, but our own assessment, as with much of the true approach to GDPR, is that proportionality will play its part: GDPR itself requires security measures that are “appropriate” to the risk, taking into account the state of the art and the costs of implementation (Article 32). If it were going to cost a small retailer, turning over say £120,000, £50,000 to implement a particular aspect of GDPR, this may not be seen as proportionate, subject to other relevant factors.
But what if you are a franchisor? A franchisor has a specific role in directing and guiding its network of franchisees, even if it is not directly responsible for the processing of that data today. It also faces heightened obligations under GDPR even if it is truly only a data processor, and it has an obvious interest in protecting its brand and reputation, which could be seriously damaged by a data breach at a lax franchisee. For all these reasons, franchisors should be taking the lead, communicating not only with their own internal team but also across their franchise network, to ensure that plans are in place and assessments are carried out to minimise the potential risks.
Those plans should include making sure consumers understand the franchisee’s relationship with the franchisor, and that much, if not all, of their data will be made available to the franchisor. That sharing is both necessary for the efficient operation of the franchise business and, most likely, required by obligations binding the franchisee under the franchise agreement or the operations manual (which is usually given standing equivalent to the agreement by a specific provision within it). Franchisees will look to franchisors to advise on how best to communicate this, and to provide updated privacy notices and related documentation, to ensure best practice.
How we are Helping Franchise Businesses:
As specialists in both franchising and technology law, including data protection (recommended in these areas in both the 2016 and 2017 editions of the independent directory Legal 500), we are supporting franchisors and franchisees with:
1) Guidance on the practical implementation of GDPR, including data minimisation and analysis;
2) Advice and updates to operations manuals, technical notes and training around secure and effective data management;
3) Updated privacy notices and communications, including on websites and social media;
4) Handling data subject requests and breach notification plans – a personal data breach that is likely to result in a risk to individuals must now be notified to the ICO within 72 hours of becoming aware of it; a challenge if discovered on a Friday(!); and
5) Ensuring marketing is conducted lawfully, including under the Privacy and Electronic Communications Regulations (PECR).