Why Should U.S. Franchisors Be Concerned About the GDPR?
On May 25 the European Union’s updated and expanded data privacy laws—the General Data Protection Regulation or GDPR—became effective. That same day multibillion dollar lawsuits were filed against Google and Facebook.
Just as we were all getting comfortable with the GDPR, on June 28 California enacted the California Consumer Privacy Act of 2018. This law becomes effective in 2020 and is GDPR-like in some of the rights it gives individuals. Stay tuned over the next two years as California legislators fine-tune this new law.
So what impact will GDPR have on you as a franchisor?
If you offer goods or services to EU residents, you are within the scope of the GDPR. The key question is whether or not you process personal data of EU residents. As a franchisor you may process personal data of EU residents when qualifying franchisees, as part of customer loyalty programs, and for other purposes. Any sharing of personal information between franchisors and franchisees will trigger compliance.
Violations can result in fines up to 4% of a company’s annual revenue. Individuals also have the right to sue.
We have already seen an explosion in requests from individuals asserting their newfound rights to data access and, in some cases, to have their personal data removed or transferred. Systems and processes may need to be updated to handle such requests.
You may need to notify the relevant data protection authority within 72 hours of the discovery of a data breach.
You must have a “lawful basis” to process personal data of EU residents. While individual consent is the most popular basis for processing, consent brings additional rights for the individual. You should consider other lawful grounds, such as legitimate interests, necessity for the performance of a contract, or compliance with a legal obligation.
Personal data of EU residents can only be transferred to a country with “adequate” data protection. The United States is not one of those countries. You might look to legal mechanisms such as the Privacy Shield [see www.privacyshield.gov] that allow such cross-border transfer of data.
As a first step, perform data mapping. What data flows pertain to personal data of EU residents? What personal data is collected and for what purposes? Who collects the data, how, and where is it collected? What is the lawful basis for collecting personal data? For how long is data kept? Who is the data shared with and for what purposes?
Once data mapping is complete, conduct a risk analysis of your current franchise model and activities and determine what actions are appropriate.
Privacy policies and procedures may need to be updated along with data breach response and notification procedures. Processes for responding to requests from individuals asserting data access rights may need to be implemented. You may need to update franchise agreements, operations manuals, privacy notices, vendor contracts, and other agreements. How will you address cross-border data transfers, and does Privacy Shield certification make sense?
View the GDPR not just as an obstacle or hindrance but as an opportunity to adopt best practices regarding data privacy and security. Even if you are not covered by the GDPR, adopting some of the suggested activities serves as good business practice and may give you and your franchise system a competitive advantage as consumers place more value on privacy and data security. It may also prepare you for California and other new privacy laws and regulations.
About the Author: Michael Cohen is a principal and the Privacy Officer at the law firm of Gray Plant Mooty. He is the primary author of A Legal Guide to Privacy and Data Security and holds CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals in recognition of passing examinations in the areas of United States privacy laws and an advanced concentration in European data protection laws, standards, and practices.