Since May 25, 2018, the EU-wide GDPR has evoked “Ohs” and “Ahs” across the board. Companies in particular have found themselves discussing how data collection must be correctly labeled from now on. Those who close their eyes and ears to reality risk fines that are not only painful but also economically serious. The pitfalls are particularly tricky for the franchise business concept, because both franchisor and franchisee must ensure that there is a legal basis for the processing of personal information. This point is often neglected, and it is a responsibility that the two parties cannot shift back and forth between them. This article summarizes what needs to be considered in connection with the franchise concept and the GDPR.
Principle of the new EU GDPR
The EU-GDPR puts the protection of consumers' personal data above the wish of companies to analyze consumer data for marketing purposes. This is primarily intended to rule out any possible misuse. Anyone who collects data from now on must justify why they are doing so and give the consumer an option to object to the data collection. Lead management and cold calling in particular seem to be set back by the provisions of the GDPR, because casting the fishing rod for new customers requires compliance with essential requirements. Anyone who tracks potential customers is obliged to inform them about it.
Data such as:
- full name and address
- IP address
- bank details
- medical information
The EU GDPR is valid in all countries of the European Union. It supplements the new Federal Data Protection Act and is to be applied simultaneously.
The challenge the GDPR poses for franchise companies
For the majority of franchisees, data protection is a subordinate concern. Anyone who believes that the GDPR is purely a matter for the franchisor is wrong and can be held accountable if the measures are not observed. Even if the franchisor provides the user license, the network and specialist know-how, compliance with the GDPR is not the franchisor's sole responsibility. Franchisors and franchisees bear the responsibility alike. It is therefore important to treat data protection as one of the top priorities when starting a franchise business.
In addition, there is the misconception that the GDPR is limited to the protection of customer data. This is not so. Other parties that are directly related to the franchise company also require special protection and fall under the GDPR provisions. This primarily includes business partners such as suppliers, but also the company's own employees. Particular attention must therefore be paid to personnel management that meets all data protection requirements. As a rule, in the franchise concept the franchisee is responsible for selecting their own staff. As a result, the franchisee also has to deal with the GDPR in this area.
The franchisee is an independent entrepreneur who becomes part of the franchise company via a license. As a result, the franchisee is responsible for all duties associated with running that business. This also includes topics such as bookkeeping and the like. For this reason, it is essential for franchisees to ensure that all software components used are GDPR-compliant.
In summary, passing the buck back and forth between franchisor and franchisee with regard to GDPR obligations is not an option. Rather, the two need to reach an understanding that produces a joint solution.
Practical tips for franchise companies to correctly implement the GDPR guidelines
The franchise partners should agree on what data is to be collected. Which data is essential for the success of the business operations of franchisees and franchisors, and which is only “nice to have”? The latter could be deleted from the outset, so that there is less of a target for official data protection checks.
To be on the safe side, it is recommended that franchisees and franchisors coordinate the data protection regulations in detail. The regulations can be set down by concluding new contracts between the partners of the respective franchise concept, and also with external service providers. In plain language, this means that both the actual franchise contract and supplier contracts should be drawn up accordingly. In this context, all parties agree to the data used, regardless of which shared systems are involved.
Create transparency
As the digital mouthpiece of the franchise company, the website is of great importance and sits in the crosshairs of the GDPR. The most important point here is the data protection declaration, which should be absolutely clear with regard to the GDPR. In addition, it is important to provide information at all relevant points where data is collected. This particularly includes the contact form. Anyone who enters their data there should know what happens to it. This information should be placed prominently alongside the contact form. A newsletter, if one is offered, and the use of social media channels should also be part of the transparent presentation of the personal data collected. The double opt-in procedure offers franchise partners a very high level of security. The option of revocation also gives consumers a way out of the collection of personal data.
Get staff on board
Even if franchisors and franchisees are legally responsible for compliance with the GDPR, it is important to involve employees in the measures, because only a team that pulls together is able to comply with the GDPR in all points. This significantly reduces the risk of fines and the like. It is therefore advisable to train employees regularly with regard to data protection requirements. It goes without saying that sensitive documents must be professionally shredded. In addition, employees must be made aware of the need for absolute secrecy, especially in the context of the home office. Employees should also continuously scrutinize how they handle incoming and outgoing e-mails.
Appointment of a data protection officer
Starting with a staff of just nine people, a company must appoint a data protection officer. If you want to outsource this responsible and extremely extensive task, you would be well advised to hire an external service provider.
Close consultation between the franchisor and the franchisee is urgently needed to minimize risks when complying with the GDPR. The closer the coordination and the more extensive the measures, the lower the likelihood of being fined heavily.
Photo by Kaitlyn Baker on Unsplash