Data Protection: Changes and Challenges for Franchisors Operating in the EU

But the use of data also presents risks for franchised businesses. Data breaches, cyber-attacks and privacy concerns can damage customer trust and tarnish brands. Franchises may be subject to regulatory action from authorities anywhere in the world that they collect data for breaches of those countries' data privacy laws – and over 100 countries around the globe now have such laws.

To complicate matters further, the legal landscape is constantly changing, locked in a perpetual arms race with technological developments. In Europe, all eyes are fixed on May 25, 2018, when new legislation will introduce the world's strictest privacy regime. In addition to dozens of new requirements and virtually global jurisdiction, Europe's new General Data Protection Regulation (the “GDPR”) will impose fines up to 4% of an organization’s world-wide revenue. 

For franchise systems, the challenges are especially great. Franchisors face the prospect of multi-million dollar fines due to their and/or their franchisees’ non-compliance. Moreover, uncertainty around international data transfers adds further complexity to global brands. The abolition and swift replacement of the Safe Harbor certification scheme with the Privacy Shield is not likely to be the end of the EU-US data transfer saga. 

But regulatory change also presents opportunities. The GDPR will largely harmonize regulation across the European Union (“EU”), eliminating many country-specific requirements. With careful planning and early engagement with customer privacy, franchisors can mitigate data protection risks whilst reaping the benefits that digital business has to offer.

Understanding data protection – personal data

Personal data is any piece of information that reveals directly or indirectly an individual's identity. Personal data may include names, email addresses, Social Security Numbers, zip codes or payment details as well as your marketing lists and any data you collect on employees and/or customers. The concept of personal data also encompasses less obvious identifiers, including IP addresses, location, stats about how often an individual engages with your services and even opinions.

Europe's new regulation, the GDPR, will apply to virtually any entity, anywhere in the world, that processes the personal data of European residents, or monitors their behavior. Clearly, the scope of the GDPR is wide. It will even apply, for example, to a US-based franchisor that stores personal data about European customers or employees on a centralized platform on behalf of its franchisees. 

Not only do data protection rules follow the data – so do the penalties. A franchisor located outside of the EU could find itself either jointly and severally liable or vicariously liable for the acts of its franchisees, depending on how the relationship is structured. Planning ahead in a few key areas can help mitigate the worst of these risks. To meet the 2018 deadline, planning must start now. Below we consider five areas to include in that process.

1. International transfers of personal data

Perhaps one of the greatest data protection risks for US franchisors is the legality of transfers of personal data between their European and US operations. European data protection law forbids the transfer of personal data outside the European Economic Area (“EEA”), except where the country of the recipient provides for adequate protection by law or the recipient puts in place specific compliance measures to protect the legal rights of European individuals. 

Data is considered transferred even if only visible from outside the EEA – it need not be physically transported to be deemed transferred. Thus, for example, a franchisor’s remote access through a point of sale or business management system qualifies as a transfer. 

Because the US is not considered to provide adequate legal protections, franchisors in the US must instead rely on contractual and other safeguards in order to have access to the data. But even these safeguards have risks. In 2015, the Court of Justice of the European Union struck down the Safe Harbor framework, which until that point had been the most important mechanism for US businesses that transferred data from the EU. In finding that US surveillance practices undermined the privacy rights of Europeans, the judgment called into question the adequacy of any transfers to the US and elsewhere, and has left organizations scrambling for alternative mechanisms to allow the legal transfer of personal data from the EU.  

One option is to put in place Standard Contractual Clauses. These are complex contractual arrangements designed by the European Commission, which impose detailed requirements on parties that access the data, including in some cases, requiring pre-approval of vendors, audit rights and an obligation to notify the other party in the case of a breach.

Another option is certifying against the Privacy Shield, the successor to the previous Safe Harbor regime, which requires companies to self-certify and externally verify their compliance against seven privacy principles, on an annual basis.

The mechanism that an organization opts to use may affect its vendor contracts down the line, and the way in which obligations flow down its supply chain. For example, Privacy Shield requires certified organizations to have in place a data retention schedule and ensure that any data they hold is deleted after specific prescribed periods. This retention schedule obligation must be flowed down to any other organization that personal data is passed to – including technology vendors. Moreover, the organization must audit its own performance annually to ensure that its obligations are being met.

To add further complication, these alternative mechanisms are also vulnerable to the same legal scrutiny as the Safe Harbor regime. Indeed, European courts are already hearing challenges to these data transfer mechanisms. If the claims are successful, a franchisor could find its ability to access franchisee data drastically reduced.

Data transfer restrictions are especially challenging for international franchise systems because of the number of different legal entities that may be sharing data internationally. In this fast-evolving space, selecting the right compliance mechanism requires careful consideration of an organization’s specific circumstances. This is an area where regulators are paying attention.

Action: Map your international data flows within your organization and ensure that each transfer has a legal basis. Consider which mechanism is best suited to your organization. Maintain awareness of the legal status of these mechanisms and watch out for any existing or potential legal challenges.

2. Data governance

The GDPR introduces new features designed to ensure there is appropriate “data governance” for businesses operating in Europe or targeting European consumers. Like the Sarbanes–Oxley Act, data governance regulation was introduced following a financial crisis, and puts a similar emphasis on the prevention of non-compliance through regular audits, policies, procedures, training and implementation. 

These measures include requirements to document data processing operations, conduct risk assessments, and introduce European terms into your standard contractual language, both within the franchise system and with vendors. Compliance needs to be active and demonstrable, which means employee training and awareness will play an important role.

Action: Update any new franchise agreements and review previous agreements as they come up for renewal. Update your manual and put in place policies and procedures relating to data and cyber risk management. Implement training and staff awareness programs around data risk across all levels of franchise, for any employees with access to personal data. Remember, data privacy failures on the part of a franchisee could result in a franchisor being fined.

3. Dealing with cyber-attacks

Cyber-attacks and data breaches are increasing in number and scope, affecting organizations of different sizes and operating in different sectors. As is evident from the recent breaches, even the most sophisticated tech companies can be affected. As the rate of breaches rises, companies face consequences not only for failing to keep information secure, but also for how they handle their incident response. 

When the GDPR comes into effect, organizations in every economic sector will have just 72 hours from the moment of discovering a breach to report it to regulators. For many franchised organizations, this could include data breaches affecting a franchisee, or even a supplier to a franchisee. 72 hours is a very short time for complex organizations to get to the bottom of an incident and plan their remediation, but an organization can be slapped with significant penalties for failing to report, even if ultimately it was not responsible for the breach.

Beyond legal responsibility, a breach could also harm a franchisor’s brand, in particular if remedial actions and legally required notifications are slow to materialize. It is therefore imperative for all franchisors to create and test incident response plans before an event actually occurs.

Action: Ask yourself, do we have a disaster incident response plan which addresses cyber incidents and data breach risks? If you don't, prepare one so that relevant stakeholders are better placed to react to such incidents, and rehearse it. Assign responsibility for data security more broadly. Whether your team is led by personnel from the legal department, information technology, human resources, or a combination thereof, all will need to be involved.

4.  Obtaining proper notice and consent

Privacy laws across the world already require organizations to notify customers or employees before collecting their data, and to obtain some form of consent for the intended use. The exact form of notice and consent varies by jurisdiction. Under the GDPR, however, the rules relating to consent will become much stricter – businesses cannot rely on pre-ticked boxes or inactivity to indicate consent, and consent must not be “bundled” with other written agreements or declarations.

Providing proper notice and obtaining consent is especially tricky in a franchised model, where the responsibility for collecting data and/or databases may be shared between the franchisor and franchisee. If a franchisee fails to abide by the appropriate notice and consent rules when it collects data from customers, the franchisor could be in breach if it uses the data. Franchisors and franchisees should think through these arrangements at the outset to maximize control and clarity over data collection notice procedures. Franchise agreements and manuals should clearly identify who has rights to use collected data and for what purposes. 

Not only do these measures ensure compliance, they provide franchisors the opportunity to build consumer trust. Data that is collected in the wrong way, without appropriate notice or consent, could be tainted, preventing a franchisor from using it down the line for its intended purposes.

Action: Review your organization’s existing privacy notices and methods of obtaining consent. Track the way personal data is collected and flows through your organization to identify all the points where individuals should be notified. 

5. Respecting the rights of individuals

Privacy laws generally (and to differing extents) give individuals control over their personal data. Perhaps the most significant innovation in the GDPR is the introduction of new rights for individuals over their data as well as the strengthening of existing rights so as to provide individuals with unprecedented control over how organizations use their data. Some of what is being asked under GDPR – for instance, in certain situations, to be able to supply a person's data to a competitor in a compatible form – has never before been imposed on businesses. As with many of the issues identified in this article, scaling these systems across any organization, and in particular across a franchise system, will be no simple feat.

But these new rights also present an opportunity for businesses to distinguish themselves from their competitors in the way they allow users to exercise control over their data. For franchise systems, this will require an acrobatic level of coordination across the enterprise. Projecting a unified brand in the digital world will depend on getting this coordination right.

Action: Conduct a gap analysis to identify where operational changes are needed. Implement strategic planning that focuses on user control as a key asset. Ensure that any user interfaces are accessible and easy to use.

Conclusion: Planning for data protection

Changes to data privacy laws and consumer expectations do not need to stand in the way of the promises of new technology. Rather, by thinking ahead and carefully understanding how your organization relies on data, your franchise system can thrive in this volatile environment. When the GDPR comes into effect, organisations that fail to adapt will see a landscape marred by very high level risk. Those that plan ahead will reap the rewards. 

This article was originally published in The Franchise Lawyer and is republished with permission.