The Go-To Guide for Maintaining Your Franchise's GDPR Compliance
Alice Tuffery, writer
Collected data can be a great asset for a business, but keeping customer information safe should be a priority. Understanding how to take care of personal details and adhering to general data protection regulations helps franchisees build relationships based on trust and loyalty. Here’s our guide to GDPR compliance.
On the 28th May 2018, the government introduced the EU General Data Protection Regulation (GDPR), which affects most businesses in the UK. It was created to replace the old Data Protection Act (DPA), overhauling the legal requirements businesses must acknowledge.
Why is GDPR compliance important?
The purpose of the regulations is to give EU citizens more control over how businesses can use their personal information. Local data protection agencies and courts enforce the laws and distribute penalties for businesses failing to comply with them.
The new rules reflect changes in the digital economy and help UK businesses thrive while processing data ethically and securely. Matt Hancock, who was Minister of State for Digital when the GDPR was introduced, described how having a robust legislative infrastructure in place would underpin a healthy economy.
Will GDPR apply to you?
GDPR applies to any organisation involved in “professional or commercial activities”. If you process or store employees’ or customers’ personal details, or track their IP addresses or cookies online, you must take GDPR compliance seriously.
There are some exemptions for small businesses with fewer than 250 employees. Although they must adhere to many of the rules set out in the GDPR, they don’t have to keep data records in most cases.
How does GDPR affect your franchise?
If you’re a franchisee buying into an established franchise, you should be able to rely on your franchisor to take the lead on GDPR compliance. Normally, franchises already have robust data privacy and protection procedures in place.
However, some smaller or younger franchises may have avoided fully investing in GDPR compliance processes, and some franchisors rely on franchisees to individually follow the regulations (more on this later).
The GDPR requirements are fairly complex, so we recommend you read through them in full to make sure you’re operating lawfully. You may also want to consult a legal professional, who will be able to help you adhere to the rules.
Here are some of the main practices you’ll need to introduce in order to achieve GDPR compliance:
- Let people know what information you process, how long you’ll store it and why
- Use a digital consent procedure allowing your website visitors to actively agree to your data collection methods - in most cases, this system takes the form of an unchecked box users must click to ‘opt in’ before continuing
- Make it easy for people to ask you to reveal or remove the personal data you hold on them
- Allow parents and guardians to give and remove consent on behalf of their children
- Introduce ‘breach protocols’, so your employees know what to do if problems arise
- Notify the Information Commissioner’s Office (ICO) within 72 hours of theft or loss of personal data - ideally within 24 hours
Following these rules might seem like a lot of hassle, but the cost of achieving GDPR compliance is relatively small compared to the fines you’ll face if you fail to do so.
How can you prepare for GDPR compliance?
If you’re just starting out on your journey to achieve GDPR compliance, there are a few key steps you’ll need to take:
1. Make sure you have a lawful reason for collecting personal data.
2. Research GDPR - find out which types of data you’ll keep, including IP addresses, internet cookies and DNA, how you can safely process and store them, and how to identify breaches.
3. Work out whether you’re a ‘controller’ (collecting and owning data) or a ‘processor’ (handling it on behalf of another party), as the regulations for controllers are stricter than those for processors.
4. Develop a plan for the steps you’ll take in the event of a breach.
5. Create clear privacy policies, consent forms and T&Cs to lay out your intentions, practices and rights.
6. Assign a Data Protection Officer (DPO) for your business who can take responsibility for implementing GDPR - if you don’t have any staff, you will be the DPO.
7. Complete an audit of any data you already hold - if you don’t have a reason to keep it, or you previously gathered information through an ‘opt out’ system, you should delete it.
How does GDPR affect franchisors and franchisees?
The GDPR throws up some complications when it comes to franchising. While the franchisor manages the brand as a whole and oversees the entire network, individual franchisees are responsible for the running of their businesses on a day-to-day basis.
Often, both franchisors and franchisees are classed as ‘controllers’, as they both play a part in processing and storing data. Although franchisees run their own businesses, customers and clients ultimately enter into a relationship with the brand as a whole, so the franchisor is involved in the GDPR compliance process.
While franchisors might be tempted to leave data privacy issues down to their franchisees to implement individually, one-off compliance hiccups can have serious implications for the entire brand. So, to minimise risk, most franchisors accept they should take the lead when it comes to enforcing data regulations. Many franchisors create guidance for franchisees, which informs the way they follow GDPR rules in their businesses.
What happens if you don’t comply with GDPR requirements?
The penalties for non-compliance vary depending on the severity of the infringement, but fines can be extremely high. Organisations failing to adhere to the GDPR could lose up to €20 million or four percent of their global turnover (whichever is higher).
More guidance on running a franchise business
Continue your research journey here at Point Franchise; we have thousands of data-driven articles designed to give business owners the information they need to make the right choices.