Cyber security, hacking, phishing, ransomware and data breaches have all been over the news and media outlets recently.
Data protection and privacy is not often a phrase associated with franchising, whether as franchisor or franchisee, but its profile is likely to rise over the coming months as May 2018, when the GDPR starts to apply, approaches.
Data Protection & Privacy
The franchising model is interesting from a data protection and privacy perspective. As a franchisor you are more than likely the person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. Under the law that makes you the Data Controller, and the role comes with responsibility and monetary penalties if things go wrong.
Your franchisee is likely to be the person processing the personal data on your behalf, which makes them a Data Processor. Because they are not employed by you directly, that relationship has to be set out in the contractual agreements (it needs to be in writing!).
Additionally, in the franchising model(s) the franchisee may employ sub-contractors. If so, the franchisee becomes a Data Controller in relation to those sub-contractors while still acting as the Data Processor on the franchisor’s behalf.
Under the current legislation the controller is held liable for data protection compliance, not the processor. GDPR introduces direct statutory obligations on processors and severe sanctions for failures in compliance.
With monetary penalties increasing from the current maximum of £500,000 to €20 million (or 4% of annual global turnover, whichever is higher), now is the ideal time to check your compliance with the legislation, both to protect your franchise and your franchisees.
While the Information Commissioner’s Office (ICO) has never yet issued any organisation with the maximum penalty, could your business afford it, along with the adverse attention of the press and the damage to its reputation?
We have been researching the franchising model(s); what follows describes a theoretical start-up.
You have researched the business model, completed all your market research and decided to go down the fantastic route of franchising. Possibly the last thing on your mind is data protection and privacy.
You decide on the name of the business and secure the web presence, registering the domain name(s). You then look for a cost-effective hosting provider. You design the pages, describe the business in all the detail needed and decide to offer a newsletter, an ecommerce portal if you are selling products, and perhaps a page for prospective franchisees to contact you. In fact you have chosen most of the methods that lead website visitors to divulge personal data to you, and where your hosting provider stores that data now matters.
- Legislation states:- Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The most ‘cost effective’ hosting may therefore not be the most compliant route to take.
You have never been much good at anything technical, so you were persuaded by your best friend down the pub to use the WordPress content management system. They have used it for years because of its simplicity and, more importantly, because it is free. It is also used to power over 27% of all websites worldwide.
It may be free, but ‘out of the box’ it is not necessarily compliant with the legislation either. It needs updating regularly (security and vulnerability fixes/patches), and like desktop or other computerised systems it also needs backing up. All of this takes up time you would rather spend setting up and selling your business.
- The ICO guidance states “You could breach the seventh data protection principle if you don’t define and adhere to an appropriate software updates policy for systems that process personal data”
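The two checks implied by the paragraph above, whether the WordPress core is at the latest release and whether a recent backup actually exists, can be scripted. The following is an added example, not code from the original article or from the WordPress project. It assumes the standard `wp-includes/version.php` layout (a line of the form `$wp_version = 'X.Y.Z';`), that the WordPress.org version-check endpoint returns JSON containing a `"version":"X.Y.Z"` field for the current release, and a hypothetical backup naming scheme of `wp-backup-*.tar.gz`.

```bash
#!/bin/sh
# Added example (not from the original article): check that a WordPress
# install is on the latest core release and that a recent backup exists.
# Assumptions: standard wp-includes/version.php line `$wp_version = 'X.Y.Z';`,
# the api.wordpress.org version-check endpoint returning a "version" field,
# and backups named wp-backup-*.tar.gz (hypothetical naming convention).
set -eu

# Print the installed core version from wp-includes/version.php.
installed_version() {
    grep '^\$wp_version = ' "$1/wp-includes/version.php" | head -n1 | cut -d"'" -f2
}

# Print the newest core release according to WordPress.org (needs network).
latest_version() {
    curl -fsS 'https://api.wordpress.org/core/version-check/1.7/' \
        | grep -o '"version":"[0-9.]*"' | head -n1 | cut -d'"' -f4
}

# Return 0 when installed >= latest; sort -V orders versions numerically,
# so 6.10.0 correctly ranks above 6.4.2.
is_current() {
    installed="$1"; latest="$2"
    lowest="$(printf '%s\n%s\n' "$installed" "$latest" | sort -V | head -n1)"
    [ "$lowest" = "$latest" ]
}

# Return 0 when a wp-backup-*.tar.gz in the directory was modified within
# the last N days (default 1).
backup_is_recent() {
    dir="$1"; max_age_days="${2:-1}"
    found="$(find "$dir" -maxdepth 1 -name 'wp-backup-*.tar.gz' \
             -mtime "-$max_age_days" 2>/dev/null | head -n1)"
    [ -n "$found" ]
}

# Run both checks against a site root and backup directory; exit non-zero
# on any failure so the script can be used from cron or a monitoring job.
check_site() {
    site="$1"; backups="$2"; status=0
    inst="$(installed_version "$site")"; latest="$(latest_version)"
    if is_current "$inst" "$latest"; then
        echo "core: $inst is current"
    else
        echo "core: $inst installed, $latest available - update needed"; status=1
    fi
    if backup_is_recent "$backups"; then
        echo "backup: recent backup present in $backups"
    else
        echo "backup: no backup newer than one day in $backups"; status=1
    fi
    return "$status"
}

# Usage: sh wp-check.sh /var/www/html /var/backups/wordpress
if [ -n "${1:-}" ]; then
    check_site "$1" "${2:-/var/backups/wordpress}"
fi
```

Run it from cron and alert on a non-zero exit; an installed version behind the published release, or a backup directory with nothing newer than a day in it, is exactly the evidence the ICO’s seventh-principle guidance is asking you to be able to show.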
The newsletter you have chosen is an electronic communication, so you have just landed yourself another regulation to be aware of: the Privacy and Electronic Communications Regulations (PECR). Well done.
eCommerce: the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, which replaced the old Distance Selling Regulations.
These apply to sales of goods or services to consumers without face-to-face contact.
What about cookie and privacy legislation?
These also need to be considered and compliance achieved.
Don’t be put off
All the legislation and regulation can seem daunting, and possibly the last thing you thought you would have to deal with when going down the franchise route. Don’t be put off; they are there to protect you and your business as well as others.
Ensure data protection and privacy advice is sought, ideally at the start as part of your planning. If you are already in business, the introduction of the new legislation is an ideal time to review and assess your compliance. The recommended route is to conduct a privacy impact assessment (which GDPR calls a data protection impact assessment); in fact, under the new rules privacy impact assessments and privacy by design are legally required in certain circumstances.
Training & Compliance
Once you have completed the assessments and implemented the changes, it is vital to train your employees, ensure your franchisees are aware of their responsibilities in their varying capacities, and update the written agreements and the like.
When the ICO has completed its consultations with the various bodies and compiled its definitive guidance, you and your organisation will be ready for GDPR, and you may very well be ahead of the competition. Be proud of it.