Is Your Franchise Ready for GDPR?
New rules for data privacy in the European Union could have big implications for U.S. franchises.
by Gaylen Knack, CFE, Michael Cohen, and Amanda McAllister
The European Union’s updated and expanded data privacy laws – the General Data Protection Regulation, or GDPR – took effect on May 25. Within the first few days, multibillion-dollar lawsuits were filed against Google and Facebook. In the United States, we have been inundated with updated privacy notices and requests for consent. So, what impact will GDPR have on franchisors, franchisees and the entire franchise system?
GDPR and U.S. franchisors
U.S. franchisors not established in the EU are subject to GDPR if they offer goods or services to EU residents or monitor the behavior of individuals in the EU. The key question is whether you process the personal data of EU residents. A franchisor may process personal data of EU residents when qualifying franchisees, as part of customer loyalty programs, and for other purposes. Targeted advertising to or online tracking of individuals who are EU residents, as well as any sharing of personal information between franchisors and franchisees, will trigger compliance obligations. While mere access to a website by EU residents does not trigger the need to comply, the use of foreign languages or acceptance of foreign currency will bring the website within scope of the GDPR.
Why it matters
GDPR imposes several new requirements and increases the penalties for noncompliance. Much of the attention on GDPR has focused on its increased fines for noncompliance, which are considerable. Violations can result in fines up to the greater of €20,000,000 or 4 percent of a company’s annual revenue. In addition, a franchisor could potentially be fined for its franchisees’ failure to comply with certain GDPR provisions. Individuals also have the right to sue.
Even if not sued or faced with a regulatory action, a franchisor might be faced with requests from individuals asserting their new-found rights to data access and, in some cases, to have their personal data removed or transferred. Systems and processes may need to be updated to handle such requests.
If a franchisor acts as a controller as defined in the GDPR, it must notify a privacy regulator within 72 hours of the discovery of a data breach. In addition, franchisors must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” The use of encryption and anonymization of any personal data will reduce risk and potential liability. Once anonymized, the data is no longer personal data.
The GDPR requires a “lawful basis” to process personal data. While individual consent is the most well-known and popular basis for processing, a franchisor should consider whether another lawful basis is more appropriate. Other lawful grounds for the processing of data include the need to do so to perform a contract, to protect the legitimate interests of the franchisor, or as necessary to comply with a law.
Consent can be more difficult to obtain under GDPR. Consent also may be withdrawn by the individual at any time, and relying on it gives the individual additional rights. As a result, it is important to understand the appropriate legal basis a franchisor relies upon for each type of personal data processed and for each purpose. Franchisors also must document the analysis supporting the applicable legal basis and have it available when asked to demonstrate reliance on that lawful ground.
Separately, personal data of EU residents can only be transferred to a country with “adequate” data protection. The U.S. is not one of those countries. Unless and until the U.S. is deemed to have adequate data privacy protection, a franchisor seeking to transfer personal data must look to options such as the EU–U.S. Privacy Shield and Swiss–U.S. Privacy Shield frameworks, model contracts, binding corporate rules, derogations such as consent and other limited exceptions under GDPR.
How to prepare
Even if you missed the May 25 deadline, it is not too late to become familiar with any GDPR requirements that might apply to you and your franchise system and take necessary steps to comply.
As a first step, franchisors should perform data mapping to identify which data flows involve personal data of EU residents. What personal data is collected and for what purposes? Who collects the data, and how and where is it collected? What is the lawful basis for collecting the personal data? Once data mapping is completed, franchisors should conduct a risk analysis to assess and address the risks they may face under their current franchise model and activities. Further, document the steps taken to achieve compliance. A key principle under the GDPR is data minimization, and franchisors should not collect and store data that is unnecessary.
Franchisors should update their policies and procedures, including cybersecurity and data breach response and notification procedures, and permissible use of and access to data across the franchise system. These changes should be reflected in updated franchise agreements, operations manuals, privacy notices, vendor contracts and other agreements. Franchisors should think carefully as to how they will address cross-border data transfers. Franchisors processing personal data of EU residents in the U.S. should consider certification under the Privacy Shield.
Here to stay
Finally, do not expect GDPR to go away anytime soon. In fact, some of its requirements may be adopted by other jurisdictions. California already is considering GDPR-like requirements. Franchisors should view GDPR not just as an obstacle or hindrance, but rather as an opportunity to adopt best practices regarding data privacy and security. Even if you are not covered by GDPR, adopting some of the suggested activities is good business practice and may give you and your franchise system a competitive advantage as consumers place more value on privacy and data security.
Gaylen Knack, Michael Cohen and Amanda McAllister are attorneys at Gray Plant Mooty. Together they have decades of combined experience, including special expertise in international and data privacy law. Learn more about Gray Plant Mooty at franchise.org/gray-plant-mooty-supplier.