The GDPR affects both Franchisors and Franchisees


Specialised GDPR services for Franchises


The introduction of the GDPR on 25th May 2018 has brought in significant changes to the privacy landscape and new challenges for franchises of all shapes and sizes. The GDPR applies to any entity, anywhere in the world, that processes personal information about European residents, or monitors their behaviour. This means that any franchise serving European countries must be compliant with the regulations, wherever the Franchisor is headquartered, or its franchisees are based.

For most Franchises, the most valuable assets are their customer data and their brand. It is therefore critical that the processes by which customer data is collected, managed, stored and used are compliant with the GDPR. These processes are often mandated or significantly influenced by the Franchisor, but it is still the responsibility of each franchisee to be independently compliant with the new regulations. In all instances, it is important that both Franchisees and Franchisors are aware of the GDPR fundamentals.


The structure of many franchised operations can create some unique challenges for preserving consumer privacy and protecting personal information:

  • The franchisor will commonly be the data controller of customer data, but a franchisee may be either a data controller or a data processor, depending on the arrangement between the parties.
  • The franchisor and franchisee can be joint data controllers but are more usually independent data controllers for much of the data they hold – in that they both have rights to access and use the personal data, but for their own separate purposes.
  • Franchisors commonly obtain customer and/or employee information from their franchisees and hold this in a central database. This is often mandated in the franchise contract, which may also stipulate that the entire franchisee customer database be transferred to the Franchisor on termination of a franchise agreement. A lawful basis for this type of processing must be incorporated in future franchise agreements.
  • Under the GDPR, Data Controllers are required to provide information to data subjects about the controller and the proposed processing. In most circumstances they must obtain the consent of the data subject to the processing. Notices need to be provided to data subjects, and consent obtained, even when the personal data was supplied by someone else. Franchisors may well need to update procedures and policies so that franchisees are required to give such notices on behalf of the franchisor before passing the data and evidence of the consent to the franchisor.
  • Sometimes Franchisors receive information directly from enquiries and pass it on to their franchisees. They may also carry out processing of customer data on behalf of their franchisees.

Things could get even more complicated when a data transfer is from a franchisee in the EU to a franchisor outside the EU that is neither in a country on the “Adequacy list” (pre-approved third countries deemed to have sufficient data-protection regulations in place) nor a US company registered on the EU-US Privacy Shield, as it is necessary to ensure that the recipient of the data outside the EU has adequate safeguards in place. Any agreements between the franchisor and franchisee covering such transfers would need to be authorised, and given specific consent, by the Supervisory Authority (the Information Commissioner's Office in the UK) under the GDPR.

Considering that Franchisors face the prospect of potentially crippling fines or sanctions due to their own and/or their franchisees’ non-compliance, it is critical that Franchises, however they are structured, do not ignore the GDPR. Instead they should consider how the new law applies to them, ensure that both the Franchisor and their Franchisees understand their respective rights, roles and responsibilities, and put the relevant contracts, processing agreements, policies and procedures in place to achieve and maintain compliance.



Considering the challenges and potential complexities detailed above, both the Franchisor and its Franchisee companies should consider employing someone who will be specifically responsible for data protection compliance and communication – a “Data Protection Officer” (DPO).

The appointment of a DPO is mandatory for organisations with over 250 employees, or in cases where the data processing operations require regular and systematic monitoring of data subjects on a large scale, a common situation for many franchises, especially online service providers.

Franchisors are likely to have to allocate more time and resources to achieving and maintaining GDPR compliance. As such, even if it is not mandated, employing a DPO would be beneficial for many reasons, including: modifying privacy policies on websites and contact forms, updating manuals and contracts, providing ongoing awareness training, advising on the means by which a lawful basis for processing can be established, reporting breaches to the ICO, and liaising with partners, suppliers and franchisees with regard to data protection.



Book your 15 minute consultation and speak to one of our experts who can evaluate your needs, and answer any queries you may have regarding the GDPR.




How we can help


GDPR123 are compliance experts who can guide you through the process of becoming GDPR compliant so that you can build client confidence, satisfy due diligence investigations and avoid fines and remedial actions imposed by the Information Commissioner's Office (ICO).

  • Stage 1 Audit / Gap Analysis
    Your organisation will be measured against the GDPR which will result in a Non-conformity report.  This is a clear set of instructions that explain what you need to do to become compliant.
  • Prepare a Legal Register and Documents
    Review/supply policies, procedures and plans.
  • Prepare a Due Diligence Pack
    Quickly turn around and satisfy Due Diligence enquiries.
  • Cyber Insurance Review
    Ensure you have the right level of cover in place.
  • Review Web Operations
    This includes Web-based forms to ensure they obtain appropriate and affirmed consent as well as ensuring they are unambiguous.
  • Training and Awareness
    With 8 in 10 data breaches resulting from human error, the GDPR requires organisations to implement appropriate organisational measures to ensure the safeguarding of PII (Personally Identifiable Information). This includes appropriate levels of awareness training.
  • Dealing with Brexit
    We understand the implications of Brexit and will advise you accordingly as the various stages of Brexit are implemented.
  • 72 Hour Breach Notifications
    It is important to have an appropriate and tested plan in place for data breaches. Failure to have this in place can attract a penalty of up to 2% of your global turnover or 10,000,000 Euro, or up to 4% of your global turnover or 20,000,000 Euro. In each case the fine is calculated as whichever is the greater, and the amounts are purposely designed to be dissuasive.
  • Handle SARs (Subject Access Requests and Rights Requests)
    The GDPR gives Data Subjects rights over their data, and with this comes their right to request that the Data Controller or Data Processor undertake certain actions. Failure to respond to a request in time is a breach of their rights and is taken very seriously, so you need to be prepared.
  • Determine and Appoint/Act as a DPO (Data Protection Officer)
    In some cases a DPO needs to be appointed. We will help you determine whether you need a DPO, or make a recommendation if appointing one would be advisable.
