How Will Your Franchise Be Affected By The New Data Privacy Law?

20/03/2018 08:00 | Start a business

GDPR for franchises

Anyone investing in a franchise business will know that customer data can be one of their greatest assets. Understanding how to take care of this data and complying with data protection law helps franchisees to build relationships based on trust and loyalty with their customer base.

On the 28th May 2018, a new data privacy law will be introduced which may impact your franchise. The new law is named the EU General Data Protection Regulation (GDPR) and will replace the Data Protection Act (DPA) in the UK. This is a complete shake-up of the legal requirements which any small business that handles the personal data of EU citizens must comply with.

The purpose of the regulation is to give EU citizens more control over how a business can use their data. Local data protection agencies and courts will enforce the new law, and they'll have the power to fine defaulters up to 20 million euros, or 4% of a business turnover, whichever is greater.

Read more about what GDPR is.

Will GDPR apply to you?

GDPR will apply to businesses, including franchises, with more than 250 employees. But you should note that if you're buying a franchise with fewer than 250 employees, it doesn't mean that you don't have to comply with the regulation.

Franchisors and franchisees are deemed data controllers because customer and employee data are collected, stored, analysed, and sometimes shared. The particular types of data that are affected by the regulation include health information, racial or ethnic origin, political connections, religious beliefs and sexual orientation.

How will GDPR affect your franchise?

The new legislation means that for franchises that need to be GDPR compliant, there will be additional responsibilities with regards to franchise information:

  1. A designated Data Protection Officer will need to be appointed who is adequately skilled at understanding GDPR obligations. This may not apply to all franchises, but it makes sense to assign a senior member of your team to take responsibility for implementing GDPR changes. If you're buying a franchise that doesn't require staff, then this responsibility falls to you.
  2. The rules about reporting theft or loss of personal data will now be much firmer. The Information Commissioner's Office (ICO) must be notified within 72 hours of the loss of data, and preferably within 24 hours.
  3. The concept of consent has also been redefined. Customers and employees must now give explicit consent for how their personal information can be used. To achieve explicit, rather than implied, consent, individuals will now opt in as opposed to just forgetting to opt out, which is currently the case. This new definition will be applied retrospectively to any previously collected data. If existing data doesn't meet the standards of the new legislation, it will be deemed unlawful and cannot be used.

How can you prepare for GDPR?

The new legislation shouldn't cause too many problems for franchisees that are buying a franchise that is part of a reputable franchise brand that already has robust data privacy and protection procedures in place. Having said this, there are many smaller, less established franchises that may have neglected investing in franchise processes when it comes to personal data. This should be addressed as a matter of priority, because as of the 28th May 2018, the penalties for non-compliance will be significantly higher than they are at the moment.

Once a Data Protection Officer has been appointed, here are some steps that you may need to take to ensure that franchise information is collected compliantly:

  • Step 1: Update all privacy policies, T&Cs and consent forms to ensure that the rights of individuals regarding data collection are made clear.
  • Step 2: Gain a full understanding of what data is classed as personal, where it's kept, who has access to it, and how to identify breaches when they occur.
  • Step 3: Develop a plan stating the process to follow should a breach happen, including who it must be reported to.
  • Step 4: Undertake an audit of all existing data. If previously collected data was gathered based on opt-out consent, or the data is considered unnecessary to hold, then it should be deleted.

General Data Protection Regulation in summary

It can be easy to overlook the importance of changes to regulations that may affect your business when you're busy running a franchise. But the GDPR deadline is fast approaching and should be understood sooner rather than later.

Yes, laws can be complex and difficult to understand, but that's no excuse for non-compliance. The Minister of State for Digital, Matt Hancock, stresses that having a robust legislative infrastructure in place underpins a healthy economy, and this new law will help the use of data thrive in the UK.

To recap, the new legislation will:

  • Make it easier for individuals to remove consent for the use of personal data
  • Give individuals the right to ask for their personal data held by businesses to be deleted
  • Allow parents and guardians to give consent on behalf of their children for their data to be used
  • Require explicit consent to be given for processing sensitive personal data
  • Add IP addresses, internet cookies and DNA to the definition of personal data
  • Strengthen data protection law to reflect changes in the digital economy
  • Make it simpler for individuals to ask businesses to share the personal data they hold on them, free of charge.

Investing in franchise updates to the privacy policy on websites and in manuals may seem like a lot of effort and expense, but this cost will be negligible in comparison to the price of non-compliance. Making sure that your franchise adheres to the GDPR will also give you a competitive advantage in the marketplace, as you will gain the trust of your customers and employees.
