Cyber Security, Hacking, Phishing, Ransomware and Data Breaches have all been over the news and media outlets, with the most recent being the WannaCry ransomware attack.
So here’s a little something that will probably be of as little interest as anything else you’ll read this year.
That’s unless, or more likely until, you get the call from a franchisee crying and wailing down the phone that they’ve just been battered by legislation or that their computer or electronic device has been compromised!!
While Data Protection & Privacy isn’t often one of the phrases associated with franchising, either as franchisor or franchisee, its profile is likely to be raised over the coming months as 25th May 2018 approaches.
Why? Is it important to me and my business?
Yes, it should be, and the reason is simple: the current Data Protection Act 1998 is being replaced by the General Data Protection Regulation (GDPR), which is possibly the most significant development in the field of data protection that Europe has seen in nearly two decades.
It’s an update of existing legislation, but takes current technologies into account and the way we work with them both now and in the future.
It’s the legislation that covers personal data (anything that relates to, or can identify, a living individual, or ‘natural person’). Think employee, customer, supplier, franchisee and sub-contractor (etc.), and especially sole traders in the business environment.
Leaving the EU is not an excuse, as GDPR enforcement comes into force before any exit from the EU by the United Kingdom, so all EU laws will apply, including GDPR.
Who Will Be Affected?
It applies to EU citizens’ personal data regardless of where the controlling or processing of that data takes place. This means that organisations in countries outside of the EU (including the US and an independent UK) would have to apply GDPR to client data where the client is in the EU.
The franchising model is interesting from a Data Protection and Privacy perspective. As a franchisor you are more than likely to be the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. So under the law you are the Data Controller and this comes with responsibility and possibly monetary penalties if things go wrong.
A franchisee is likely to be the person acting on your behalf and processing the personal data (the ‘data processor’), which of course must all be covered in the contractual agreements (it needs to be in writing!), as they are not employed by you directly.
Additionally, in the franchising model(s) the franchisee may employ sub-contractors. If this is the case, the franchisee becomes a data controller in relation to the sub-contractors, as well as the data processor acting on the franchisor’s behalf.
Under the current legislation the controller is held liable for data protection compliance, not the processor. GDPR introduces direct statutory obligations on data processors and severe sanctions for failures in compliance.
With monetary penalties increasing dramatically from the current maximum of £500,000 up to €20million (or 4% of annual global turnover – whichever is higher), now is the ideal time to check your compliance with the legislation, both to protect your franchise and your franchisees.
While the Information Commissioner’s Office (ICO) has never yet issued any organisation with the maximum penalty, could your business afford it, along with the adverse attention of the press and the damage to your reputation? Worse still, could you operate if the ICO applied an enforcement notice, for instance one precluding you from processing personal data for a 30 day period?
Protect your brand, business and reputation by acting now!
Don’t be put off
All the legislation and regulation can seem daunting, and possibly the last thing you thought you would have to deal with when going down the franchise route. Don’t be put off; they are actually there to protect you and your business, as well as others.
Ensure data protection & privacy advice is sought, ideally at the start, as part of your planning. If you are already in business, the introduction of the new legislation is an ideal time to review and assess your compliance. The recommended route would be to conduct a privacy impact assessment; in fact, under the new guidelines privacy impact assessments and privacy by design are now legally required in certain circumstances.
Training & Compliance
Once you’ve completed the assessments, implemented changes etc., it’s vital to train your employees, ensure your franchisees are aware of all their responsibilities in their varying capacities, update written agreements and the like.
Easy steps you can take now, even before embarking on impact assessments, could include:-
- Ensuring all your computer systems have adequate and up-to-date:-
  - Firewalls, Antivirus, Anti-malware and Anti-Spyware, and that they run automatically.
  - Backup routines, so that if the worst happens you can fall back to previous data; ideally use an external device or destination (cloud).
When the ICO has completed all its consultations with the various bodies and compiled its definitive guidance, you and your organisation will be ready for GDPR, and you may very well be ahead of any competition. Be proud of it.
eNaycH Data Protection & Privacy Consultancy is operated in Devon by Nigel Hellewell (brother of Ovenu franchisor Rik), who has specialised as a database and web developer for over fifteen years. Redundancy in mid-2015 afforded him the time to re-evaluate his work/life balance and the potential for using his existing skillset to advantage in perhaps a different direction. The decision was to concentrate on Data Protection and Privacy. He enrolled in courses and training and passed his examination in Data Protection in August 2016, becoming an Associate Member of BCS, The Chartered Institute of IT.
If you would like to contact Nigel, please call 01271 595001 or his mobile on 0777 197 8564.