020 7831 0101

The impact of GDPR on Franchisors & Franchisees

The impact of GDPR on Franchisors & Franchisees

The following article is focused on the impact that the latest data protection regulation has on franchisors and franchisees, written by Cubism Law's Lisa Sen and Yancho Yanchev.

If you ask a franchise businesses what are their most valuable assets, customer data will always be one of them. For businesses now, compliance with the data protection law is a key tool to build customers’ trust and loyalty. Individuals who have a clear understanding of how and why their data is processed are prone to share more with a compliant organisation than one which is not transparent.

The countdown to GDPR which becomes applicable on 25th May 2018, which will replace the current Data Protection Act 1998 (“DPA”) in the UK, has left businesses around 10 months to comply with the new onerous obligations with respect to management of personal data.

Franchisors and franchisees are affected considerably as “data controllers”[1] since they collect, store, analyse and share data belonging to individuals whether they are customers or employees. As a result, franchisors and franchisees have to redesign the manner in which they deal with “personal data”[2] or “special categories of personal data”[3] and revise their privacy policy and consent forms.

To start with, franchisors and franchisees have to review the legal basis of all the data they hold and ensure that there remains a lawful basis for the processing of personal data. They have to obtain specific and unambiguous consent for each purpose separately from each “data subject” (the person whose data is being collected and processed), unless the data has been collected to comply with some other legal requirement.

There is a distinction between ordinary consent required in respect of personal data and “explicit consent”[4] for special categories of personal data. Records of these consents have to be maintained, for possible inspection by the relevant Supervisory Authority[5], Information Commissioner’s Office (ICO) in respect of the UK.

Franchises have to adapt to allowing customers and others whose personal data they hold (unless in compliance with mandatory legal requirement) to delete their data or restrict the processing of their data or require that their data is not subject to automated decision making.[6] Profiling can also be restricted in respect of special categories of personal data or if it affects individuals detrimentally in the sense they face prejudice or are unable to obtain loans.

A requirement imposed on data controllers is to verify age and obtain consent from a parent or guardian when collecting data of minors under 16 years.

Changes in the manner of dealing with subject access requests[7] would require prompt action and co-operation between franchisor and franchisee in having to respond to the data subjects within 30 days without asking for a fee.

In the day and age where most data is electronically filed or stored, the risk of a data breach has become a major focus with constant threat posed by new viruses and malware seeking to steal data or demand ransom.

A successful cyber-attack can not only put data subjects at risk of identity theft but it can also significantly damage the reputation of the company, brand and can devalue the shares of a listed companies.

On top of that are enhanced fines. “Personal Data Breach” under the GDPR is defined widely as breach of security leading to the accidental or unlawful access to, destruction, misuse of personal data.

To best avoid this situation, franchisors and franchisees need to put in place the latest “Technical and Organisational Measures” e.g. install the latest software and anti-virus protection and put in place procedures for detection, reporting and investigation of any breach. Methods officially introduced by the GDPR to protect personal data include encryption, anonymisation and pseudonymisation.[8]

Any breach has to be assessed to see if it is likely to result in risk to rights and freedoms of individuals, such as reputational issues, financial loss, identity theft or breach of confidentiality. In the event of breach, the Supervisory Authority has to be notified within 72 hours “where feasible”. If the risk incurred as a result of the breach is high, then individuals affected have to be notified without undue delay.

Where there is a separate company which is the data processor[9], which processes data on behalf of the franchisor or franchisee, then additional clauses have to be added to the agreement with the data processor to ensure that the latter complies with the standards and obligations under the GDPR. In that context, obligations of data processors are significantly increased compared to the situation under the DPA 1998.

Franchise agreements require franchisees to share information about customers and employees with the franchisor and may require the entire data base to be transferred to the Franchisor on termination. A lawful basis for such processing should be incorporated in future franchise agreements.

Things could get complicated when the transfer is from a franchisee in the EU to a franchisor outside the EU as it is necessary to ensure that the recipient of the data outside the EU has adequate safeguards in place and individual data subjects can enforce their rights and have adequate remedies in that jurisdiction. Any agreements (e.g. Model Contracts: Binding Corporate Rules) between the franchisor and franchisee would need to be authorised by the Supervisory Authority.[10] In addition specific consent would be required from the Supervisory Authority for such transfers under the GDPR.

Both the Franchisor and Franchisee Company may have to appoint a member to staff who will be made responsible for data protection compliance and communication. The “Data Protection Officer” appointment is mandatory in cases where the data processing operations require regular and systematic monitoring of data subjects on a large scale, a common situation for many online service providers.

Furthermore, when a new technology or system is put in place in the franchisor or franchisee business, when that technology or system carries a risk to the privacy of data subjects, a Privacy Impact Assessment has to be carried out.


Those caught by GDPR are not only entities or service providers within European Union but anywhere in the world if they offer goods or services to individuals in the EU or monitor behaviour of individuals in the EU. Furthermore, Her Majesty’s Government issued a statement dated 21 December 2016, confirming that the applicability of the GDPR will not be affected by Brexit.

The fines for failure to maintain records, to notify authorities in the event of data breach or carry out Privacy Impact Assessment can be as high as 2% of an enterprise’s global turnover or 10 million Euros. Fines for serious infringement such as not obtaining consent from data subjects or implementing privacy by design can attract fines up to 4 per cent global turnover of the company or 20 million Euro (whichever is higher). This is significantly higher than the current maximum of £500, 000 in the UK. Now is the time to amend clauses of franchise agreements to ensure compliance with the GDPR and have indemnities in place!

Overall, Franchisors have to allocate more time and resources in modifying their privacy policy on websites, manuals, provide training, potentially change means by which lawful basis for processing is obtained, appoint staff and negotiate terms with data operators. Those seeking to buy a franchise and join a franchise network need to be aware of the extra financial burden and manpower required to deal with the GDPR compliance.

However, the GDPR must not just be seen as a burden. Investing in compliance now would cost a fraction of the price of what non-compliance may potentially cost in the future. Ensuring GDPR compliance would give your franchise an edge over competitors and will gain the trust of your customers and business partners.

Non exhaustive Checklist:

  • Draft an inventory of all personal data held and processed
  • Get rid of all unnecessary personal data and stop collecting it
  • Update privacy policies in the light to new requirements
  • Draft an internal statement specifying data protection responsibilities with your organisation and documenting your accountability
  • Assess the risks commercially and consult an expert on your specific obligations. It is likely that some obligations are irrelevant for your business.



[1] The entity that determines the purposes, conditions and means of processing personal data.

[2] Any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person.

[3] Data consisting of racial and ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or orientation.

[4] Article 29 of Working Party definition “all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question orally or in writing” https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-3-consent/

[5] A public authority which is established by a member state in the EU in accordance with article 46 of GDPR to deal with matters relating to data protection.

[6] This refers to the “right to be forgotten” or “data erasure” where data can no longer be used for processing, introduced by the GDPR

[7] Subject access right or “right to access” entitles data subjects to have access to and information about the personal data that a controller has concerning them.

[8] Involves replacing any identifying characteristics of data with a pseudonym, or in other words, a value which does not allow data subjects to be directly identified.

[9] A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

[10] GDPR recommends use of “Binding Corporate Rules” by which multi-national corporations, international organisations and group of companies to make intra-organisational transfers of personal data across borders in compliance with EU data protection laws. Also the EU-US Privacy Shield framework can be used for exchange of data for commercial purposes between EU countries and the US. The other option are the so-called ‘Model Contracts’ available on the EU Commission’s website.