It is now less than 6 months until the GDPR comes into force and the level of interest (and perhaps a little perturbation) from our franchise clients is rising. The key concern seems to be with regard to what franchise businesses need to do in order to actively be demonstrating compliance by 25 May next year.
The other concern is whether the GDPR will even apply given our impending Brexit and the uncertainty that this entails. What is clear, is that even though the UK will be in formal negotiations to leave the EU by that date, we will not have left the EU by May next year and so the GDPR will become law in the UK. In any event, due to the increase in territorial scope, even after Brexit, any businesses processing personal data of EU nationals (so for example, this could include US Franchisors)- either through the supply of goods or services into the EU will still be required to comply with the GDPR.
Franchise businesses should not be overly alarmed by the introduction of the GDPR. It is not intended to be a seismic shift in the data processing works of your business; it is intended to make you look at your current data practices and to tighten up in areas where it falls short of expected standards. It is essential to consider the rights of data subjects when collecting and processing personal data and to keep these rights at the forefront of your business activities.
It will have significant implications for both international and national franchise networks. Franchisors always hold the personal information of its franchisees. Franchisors however also commonly obtain customer and employee information from their franchisees and maintain a central database. Some Franchisors receive customer enquiries directly and pass these onto their Franchisees. Franchisors and Franchisees are likely to be joint controllers of much of the data, each using it for its own purposes.
So what should Franchisors and Franchisees be doing? There is much that you can be doing now to ensure that the business is compliant in time. This is our 12 point plan for steps to take now – it is not intended to give you detailed guidance, but is to start you on your journey:
The GDPR will impact on your business and the way that you collect, process and store personal data. It is essential that you have the ‘buy in’ from key decision makers within the business and Franchisors should be supporting their franchisees to ensure compliance across the network, in terms of training and providing clarity within its operations manual on procedures relating to data.
The first step to take is to ensure that the Board is fully briefed on the law coming in and that they support any changes which the business may need to make.
The second step is a fundamental one – under GDPR you will need to have a much greater understanding of the personal data you hold, where it comes from, why you hold it, for how long it is required, and who you share it with. If any processing goes outside of the EEA (including with regard to cloud storage, outsourced payroll or helpdesk services) it is important that this is noted as data subjects will have to be told and in some cases, consent will be required (see further action point 12 below).
We suggest that you separate out each department within the business (as they may hold and process data in different ways) and allocate this task to the department leaders.
3. Record of Processing Activities
If your franchise business has over 250 employees, or where employers process special categories of data (i.e., medical data, data pertaining to sex life, gender, criminal records, biometric data etc) then you will be required to complete a Record of Processing Activities.
This document is currently called a Data Protection Policy but its scope is enhanced under GDPR and should document the results of your audit, together with a summary of the legal basis for processing, how you communicate with data subjects and your procedures for subject access requests (SAR), data breach and impact assessment.
4. Communicating to data subjects – Privacy Notices and Fair Processing Notices
Review your current privacy notices and employment contracts and update them in line with the GDPR which requires that individuals be given more information about what data you hold about them, the purpose for which it is being processed, how long you are going to hold it for and who else will see it.
You must also inform individuals of the increased rights that they have with regard to their data and how to make a complaint.
5. Be aware of the new rights for individuals
In addition to the existing data subject rights to be informed, to access and to object to processing by automated means, a new raft of rights called ‘Delete it, Freeze it, Correct it’ are being introduced allowing data subjects the right to delete, freeze and correct inaccurate data. Data portability is also being introduced which will allow data subjects the right to transfer data from one controller to another where such data is being processed by automated means.
Data subjects should be informed of all of these rights and as a franchise business, you should be aware of your obligations with regard to compliance.
6. Time frames for Subject Access Requests
Previously, SARs had to be responded to within 40 days. This is changing under the GDPR and must be responded to ‘without undue delay and within one month, with an extension of two additional months if necessary, taking into account the complexity of the request.’ The current £10 fee applicable to requests under the Data Protection Act 1998 will be abolished. However, where a request is “manifestly unfounded or excessive” the employer may either charge a “reasonable” fee, taking into account administrative costs, or may refuse to act on the request altogether.
Clearly this is a significant change and a refusal to act altogether is not something to be used lightly – such a refusal will require clear and justified reasoning which must be fully documented.
What is “manifestly excessive” will depend on the specific circumstances, but it is hoped that the ability to either charge a reasonable fee or refuse to act altogether COULD have the potential to discourage vexatious and onerous requests. It is intended that where requests are substantial, the revised rules should lead to a dialogue between the business and the data subject. This should lead to clarity on what information the data subject wants and how to handle the request, with the fall-back of the regulator if either side is being unreasonable.
If nothing else, the new rule should inhibit requests encompassing thousands of emails requiring days of work from a team of people.
The giving of consent by a data subject is one of the gateways (and is the least controversial gateway) through which a business can establish a legal basis for processing personal data.
As you might expect, the GDPR sets out stricter and more detailed conditions for the obtaining of consent: the onus is on the business to show that consent has been given and such Consent must be freely given, specific, informed and unambiguous. It will not be considered freely given if there is no genuine free choice.
Providing proper notice and obtaining consent is especially tricky in a franchised model, where the responsibility for collecting data may be shared between the Franchisor and Franchisee. Where the data of a Franchisee’s customer is to be processed by its Franchisor, Franchisees will be required to give such notices on behalf of the Franchisor before passing the data and evidence of the consent to the Franchisor. Franchisors should be thinking about drafting such notices now and putting in place proper procedures with its Franchisees in relation to obtaining consent.
As is currently the case, an individual has the right to withdraw consent at any time but the GDPR requires that he/she must specifically be informed of this right by the business. The principle is that It must be as easy to withdraw consent as it is to give it.
It is a very common misconception to assume that consent is always required. This is not the case. It is very important that you understand the legal basis upon which your franchise business is relying, in order to process personal data lawfully. Under our current Data Protection Act 1998, Schedule 2 and Schedule 3 conditions set out various different conditions which permit the processing of personal data without consent. These are replicated under the GDPR in articles 6 and 9. It is very important under GDPR that you understand the legal basis that you are relying upon – it probably isn’t consent, particularly in the context of employment; it is far more likely to be based upon a legitimate interest of the business, or in order to perform a legal obligation under which the data subject is a party. Note that the processing of special categories of data has narrower restrictions and should be looked at carefully.
8. Data breaches and impact assessments
Data breaches are more common than you might initially recognise – GDPR introduces the requirement to notify the Regulator (the ICO) within 72 hours where a breach is likely to result in a high risk to the rights and freedoms of data subjects – either individually or as a group. Where the breach is ‘high risk’, the data subjects themselves should be notified so that they have an opportunity to mitigate any further risk.
You should familiarise yourself with the ICO’s guidance on impact assessments as there will be a requirement to conduct them ‘regularly’. You should work out what the risks are to the business, how those risks can be minimised and when the risks are escalated by a change in business practise. In particular, where a new technology or system is put in place in either the Franchisor’s or Franchisee’s business and that technology or system carries a risk to the privacy of data subjects, an impact assessment will need to be carried out.
9. Data protection by design
Subject to what is technically practicable and subject to cost, franchise businesses will need to build in safeguards to comply with the new rules. Measures must be taken to minimise data collected, ensure it is processed ONLY for the specific purpose for which it was obtained; and ensure that the data is retained for no longer than is strictly necessary in the circumstances.
Where a Franchisee is using IT required by the Franchisor – often an accounting package that allows visibility across the franchise network – then the Franchisee should expect to see data protection upgrades and patches prior to GDPR implementation as the Franchisor takes on board the concept of Privacy by Design.
In order to demonstrate compliance, franchise businesses should have comprehensive data protection policies for the internal handling of data; up to date employment contracts and privacy policies for staff and where appropriate, the public; impact assessments and a SAR response.
Franchise agreements typically requires Franchisees to share information about customers and employees with the Franchisor and may require its entire database to be transferred to the Franchisor upon termination of the relationship. Therefore franchise agreements should be updated to include a clear, lawful basis for such processing and to ensure that the Franchisee complies with GDPR. This is particularly important as if a Franchisee fails to abide by the appropriate notice and consent rules when it collects data from customers, the Franchisor could be in breach if it uses the data. Fines for defaulters are increasing – up to 4% of global turnover or if higher, EUR 20m.
Both franchise agreements and operations manuals should clearly identify who has rights to use collected data and for what purposes.
11. Data Protection Officers
It will be compulsory to appoint a DPO where core activities involve large scale processing of sensitive data. Regardless, it is advisable to appoint a senior member of staff as DPO to be the person who will take charge of the business’s compliance, look out for potential breaches, train staff and generally keep on top of the changes that are coming. The data protection officer can be an employee but should be independent when reporting to the Board.
12. International transfers of personal data
In international franchise networks, consideration needs to be given to how data flows between Franchisor, Master Franchisees and Franchisees. If personal data is flowing outside the EEA (for example, to a Franchisor outside the EEA) it is necessary to ensure that the recipient of the data outside the EEA has adequate safeguards in place and individual data subjects can enforce their rights and have adequate remedies in that jurisdiction. For example, US Franchisors can certify against the Privacy Shield (the successor to the Safe Harbor regime).
The liability of data processors increases significantly under GDPR to bring it almost in line with that of data controllers and so it is guaranteed that regardless of being a data controller or a data processor, the legislation will apply to you, whether you are a Franchisor or a Franchisee.
As above, now is a good time to be considering how best to implement the changes needed to your network’s processes and getting the correct supporting documentation in place. This will all assist in demonstrating compliance.
Customer data is very often the most valuable asset of a franchise business. Ensuring GDPR compliance should help protect this whilst gaining the trust of your customers.