The GDPR came in on 25 May 2018 along with a long awaited revision to new domestic data protection laws in the Data Protection Act 2018 (DPA2018”).
These new laws requires businesses in the franchise sector to be more transparent about the ways they process personal data and gives data subjects greater control over what happens to their personal information.
We discuss what franchise businesses should be doing to ensure they comply above and beyond what other organisations are doing in their capacity as data controllers and their franchisees as data controllers and/or data processors.
The new data law changes are extensive for those involved in implementing them but mainly businesses need to know where to start. Our data law compliance top tips are here to give you a steer.
1. Update Your Franchise Agreements
The key legal tool for ensuring adherence to the System is your franchise agreement. It is vital that this agreement is updated to ensure your franchisees are doing what they should do as concerns data law compliance. Most well drafted agreements will contain a Data Protection clause but it is worth checking whether this adheres to the new higher standards of the DPA2018 or not.
2. Populate Your Manual
Like the Harry and Meghan wedding - there is no robust agreement without the policies and procedures being outlined in the corresponding operations manual. It is therefore also vital that your manual prescribes the network position on issues such as your data protection policy, how to handle subject access requests, data breach policies and storage and retention policies. The DPA2018 is all about demonstrating compliance and to do that you need the documentation to back that up.
3. Get Everybody Up To Speed
It is vital that your network, new and old, and your staff, new and old, understand what the DPA 2018 is and how it affects (i) their franchise business; and (ii) the network as a whole. Franchisors should include training at annual conferences and updates whether by podcast or otherwise. Knowledge is power and will help avoid instances that could bring your brand into disrepute.
4. Update Website Terms And Conditions
If you or your franchisees operate websites or phone booking systems for customers it is vital that your web booking process incorporates terms and conditions that are transparent about what you will do with customer personal data.
5. Update Website Privacy Policies
Aligned with point four above - it is key that your website privacy policies are updated to comply with the higher standard required by the DPA2018 as concerns transparency. In particular your policy should demonstrate the valid grounds for processing that you rely on whether that be consent, legitimate interest, performance of a contract or some other lawful purpose.
6. Consider Appointing a DPO or Overall Data Protection Co-Ordinator for a Team
Many franchise businesses are involved in the large scale processing of sensitive data. If you are a kids club franchise and you process children’s data or information regarding medical conditions you will fall into this bracket and may need to have a formally appointed DPO.
7. Deal With Your Dataprocessors
Remember it is not just about you. You may use third parties to process personal data on your behalf e.g. marketing agencies, IT providers, mailchimp etc. It is vital that you ensure they are also operating in a GDPR compliant way and you should seek assurances of this.
8. Update Your Customers
I know we are all utterly sick of receiving opt in requests but many franchise brands will have legitimate interest grounds for continuing to market to existing customers. Re-permissioning may not be necessary but updating customers about how you process their personal data is and the transparency requirement post DPA2018 is higher. So make sure systems and practices are keeping them informed.
9. Test, Check, Train
Compliance with the DPA 2018 is not a “one and done” process, it requires ongoing monitoring and implementation. Ensure business managers are as adept at checking rogue data practices as ensuring customer service is on point. The potential bad publicity and risk of enforcement notices should make this part of your regular checks.
10. Check compliance with the new Domestic Data Laws
The GDPR is in now in but we have also passed our own data laws implementing several aspects of the GDPR the main provisions of which came into force on 25 May. As is typically the case, we have taken our own steer on the GDPR and have made a few tweaks and exceptions here and there. Therefore, it is key your current practices are not only GDPR compliant but in line with our own new domestic data laws brought in by the Data Protection Act 2018.
Data Protection compliance is to be ignored at your peril. Franchise businesses need to be in progress with compliance and ensuring that their franchisees are also on board.
If you're interested in any of the topics raised in this article, or for further information, please contact Fiona Boswell. Alternatively, you can call to speak to one of the team on 0115 9888 777.