Customer data is very often at the core of franchise business.
Ensuring GDPR compliance helps protect sensitive private data whilst gaining the trust and loyalty of your customers.
Remaining GDPR compliant is vital for franchisors and franchisees not only because of the risk of fines but also the need to protect company reputations.
The profession is built on competency to provide a quality service and reliability. There is also an understanding that due diligence is always undertaken.
The implementation of GDPR was intended to make businesses look at current data practices and to tighten up areas where it falls short of expected standards.
The personal information of franchisees is always kept by the franchisor. Franchisors however also usually obtain customer and employee information from their franchisees and maintain this information in a central database. Customer enquiries that are received directly are then passed on to their franchisees.
Franchisors and Franchisees are likely to be joint controllers of much of the data, each using it for its own purposes. Under the GDPR, the liability of data processors increases to bring it almost in line with that of data controllers. Therefore, regardless of whether you are a data processor or a data controller, the legislation will apply to you, whether you are a Franchisor or a Franchisee.
Under the GDPR companies are expected to have the correct procedures for handling private data within the stated guidelines. They must also ensure that staff have the appropriate training to be able to do so.
They must also ensure that rigorous guidelines are in place for the exchange of sensitive and confidential information.
It is important that staff can handle any GDPR related queries from individuals if for example, a subject access request was submitted, or a data breach was discovered.
They must offer the same levels of encryption and authentication as online banking. E-signatures and e-approval can prove valuable to the industry as they provide a full audit trail so they can obtain client approvals quickly, in a GDPR compliant manner, saving money and time.
Other measures including privacy and data protection policies must be implemented and followed correctly to ensure data is being handled compliantly.
Since the GDPR came into force, companies are now liable to a penalty of up to 4 per cent of turnover if they are found to fall foul of the regulations.
The Information Commissioners Office (ICO) has already started flexing its muscles and companies have been fined.
It’s worth bearing in mind that it’s not only big companies hitting the headlines who are getting fined. Small businesses are also on the radar.
PwC is the first of the “Big 4” to be fined under GDPR. The Greek DPA recently fined the company €150,000 for wrongly using “consent” as a basis for processing personal data on staff and gave them three months to comply with GDPR.
British Airways have been fined £183m and hotel chain Marriott £99m.
How fines are calculated
GDPR regulators carve out fines based on these conditions:
- What was the nature of the infringement, including how many consumers were impacted, how long the violation occurred, and the purpose of the data processing?
- Was the infringement intentional or negligent?
- What actions were taken following an incident, including prevention?
- How cooperative was a company with regulatory and authoritative entities following an incident?
- Does the company have a history of data privacy infringements?
- What type of data was compromised or used? The ICO (Information Commissioner’s Office) have started to flex their muscles and it’s important for companies of all sizes and from all sectors to address GDPR.
How can franchisors and franchisees become GDPR compliant?
Recognise the need for GDPR
The GDPR has an impact on your business and the way that you collect, process and store personal data. Franchisors should be supporting their franchisees to ensure compliance throughout the business in terms of awareness, training and providing clarity on procedures relating to data.
Understand your data
It is vital that you understand the personal data you hold, where it comes from, why you hold it, for how long it is required, and who you share it with.
Subject Access Requests
SARs have to be responded to ‘without undue delay and within one month.
The giving of consent by a data subject is one way which a business can establish a legal basis for processing personal data.
GDPR introduces the requirement to notify the Regulator (the ICO) within 72 hours where a breach is likely to result in a high risk to the rights and freedoms of data.
Franchise businesses must take measures to minimise data collected, ensure it is processed only for the specific purpose for which it was obtained; and ensure that the data is retained for no longer than is strictly necessary in the circumstances.
Keep a record
Franchise businesses should have comprehensive data protection policies for the internal handling of data; up to date employment contracts and privacy policies for staff and where appropriate, the public; impact assessments and a SAR response.
With this new era of greater accountability and focus on personal data, iCaaS – which stands for Compliance as a Service, is delighted to have partnered with the AFA.
The AFA have recognised iCaaS software as the premier solution for businesses to achieve, manage and maintain full GDPR compliance.
Features of our solution include:
- Document Generator – Easy-to-use, intuitive tool that allows you to create bespoke GDPR compliant policies and documents.
- Compliance Score – Our module uses monthly activity-based questions to ensure you are up to date with your compliance.
- Evidence of compliance – Our software creates a “Body of Evidence” as prescribed by the regulations as proof of your GDPR compliance.
- Helpful Tools & Wizards – Placed at key points throughout the software, our tools and wizards are available to guide users who have limited GDPR experience.
- Complete Data Review – A series of questions guide you through the entire process ensuring that all relevant information is captured for compliance.
- Supply Chain Management – Record all your suppliers and how they handle your data within our software.
In the next couple of weeks, we’ll have even more modules available which include:
- Subject Access Requests (SAR) – Record and manage all the requests your organisation receives with alerts and notifications built-in for you.
- Breach Management – It’s vital to know what to do in times of crisis and this module guides you through the complexities and importantly, tell you if you even need to report the breach to the ICO.
- Record of Processing Activity (ROPA) – GDPR requires certain organisations to maintain a ROPA and our module automatically creates your ROPA for your organisation.
- Data Protection Impact Assessment (DPIA) – Organisations must carry out a DPIA where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals”.
- Training – An essential for all employees who interact with personal data on a regular basis. The course tackles awareness of GDPR principles and individuals’ rights.
iCaaS take the hard work out compliance and make GDPR easy.
Their simple, step-by-step solution, guides users through all the necessary steps to become GDPR compliant, with no prior GDPR knowledge required.
Start your 14-day Free Trial Today. No credit card required. Thereafter, the iCaaS software solution starts from just £9.99 a month.
All AFA members will receive a 15% discount.