Franchises and Data Protection Part 1:

Key Considerations as a Franchiser

Data protection is important for any business, regardless of sector, and franchises face some unique hurdles and threats in this field. As a franchiser, one of the most valuable assets you have is your brand, and a data breach affecting you or one of your franchisees can seriously damage that brand. Studies have shown that 65% of consumers would be unlikely to deal with an organisation that had suffered a serious breach, and almost 70% of consumers will boycott an organisation that shows little regard for protecting personal data. Data protection regulations such as the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA 2018) require you to notify the authorities and those affected if you suffer a breach, which ensures that your breaches become public. It is also illegal to attempt to hide a data breach. With all of this in mind, all franchise owners should consider the following to reduce the chances of suffering a breach or of not complying with the law.

  1. What laws and regulations apply to you and your sector? In addition to general data protection laws such as the GDPR and the DPA, you will likely need to comply with PCI DSS in order to be able to legally take payments. We recommend creating a legal register, which records the laws that apply and what you are doing to comply with them, as it will help you to track this and to show compliance if you are ever audited.
  2. What is your relationship with the franchisees? It is important that data protection roles and responsibilities are clearly laid out and included in your legal agreements and terms. You will need to understand what data controllers and data processors are and what the differences between them mean. You may also need to understand what joint controllers are and what you are required to do in these cases. (You can see our other articles for explanations of these terms.)
  3. What training is needed? As most data breaches are down to user error, training can be a massive factor in stopping data breaches. Supplying training as part of a franchise agreement can help prevent data breaches at the franchisee and add value to your franchise offering, as these skills are very useful and can be transferable.
  4. What value can a Data Protection Officer (DPO) add? Whilst a Data Protection Officer may not be required in all cases, you should consider appointing one anyway, as all of the franchisees can make use of their services. This not only helps you to comply with data protection legislation and avoid breaches but also adds value to your franchise offering.
  5. How does data flow, and how is it shared, between franchises and the franchise owner? Franchises often have a large central database that is filled and accessed by both the franchiser and franchisees, so it is very important that the data entered into these databases is collected in a legal manner and consented to where necessary. Access to these databases should be tightly controlled and monitored. We recommend that all franchise owners conduct a data mapping exercise to fully understand and document the flows of data in the franchising operations.

To be continued in Part 2.

If you want to speak to one of our experts about any of the content in this article, you can book a free 30-minute, no-commitment consultation here.