Transcript of the Video
Good evening ladies and gentlemen. Suzanne Dibble here, data protection law expert coming to you raw and uncut. Today, I'm answering a question about specifically what to do with GDPR if you have a franchise business. If you are the franchisor, everything in GDPR applies to you in your own business, but the extra thing that you've got to think about is the actions of your franchisees. Although it's reasonably unlikely that you'd be found to be vicariously liable for the actions of your franchisees, that's only really potentially possible if you're controlling to a great extent certain functions of the franchise. But let's assume that you're not going to be vicariously liable for their actions. Almost as important as that is the brand damage that you might suffer if you have franchisees that are doing things that they shouldn't be doing. Because as GDPR becomes even more of a hot topic, and as consumers become savvier to data protection, then if your franchisees don't know about data protection and do something a little bit stupid, all of a sudden, you could have a really big reputation issue on your hands.
So the main thing for you to think about, aside from getting GDPR sorted out for your own businesses, is to implement a really thorough training program for your franchisees so that they know what GDPR is all about and what they need to do. I'd be putting some procedures in place. I'd be putting in some policies in place. I'd be giving your franchisees the legal documents that they need to enable them to be compliant with GDPR. So I would be giving them the privacy policies. I would be giving them the emails to get the fresh consent. I'd be giving them the processor agreements and pretty much all the other things that are in my GDPR pack, details of which are in the pinned post.
Now, just on that note, if you buy the GDPR pack for your own business, that's not then a license to give it to each of your franchisees. If you want to talk to me about doing a block deal for your franchisees, then I'm sure we could come to some arrangement and a discount for that. But please, the license is just for you, so don't think you can share it with your 20, 50, 100 franchisees.
Training for franchisees. Things that I would be training them in are things like if there's a data breach, if there is a loss or disclosure of personal data, then they have 72 hours in which to notify, in the UK, the information commissioner's office. What you'd obviously need them to do is to escalate that to you first as soon as possible, so that you can then decide how to go forward with that.
Things like data subject rights, so if one of your franchisees receives a data subject access request, for example, they need to know that they can't just sit on that, or think I'm not going to bother replying to that. They need to know that they've got 30 days in which to respond to that and that they can't charge for that anymore. If they were familiar with the existing law, you can't charge any more for that. There are certain things that you have to say in that letter replying to the data subject. That's all in my GDPR pack. There are precedent letters as to how to reply to a data subject access request. It's things like if they've got employees, how to make sure that they're processing employee data correctly. If they're transferring data to their parties for processor agreements, they need to have the right legal ground for doing that. If they're exporting outside of the EEA, and also have the right processor agreement in place.
I think the main thing that I would encourage you to do is to spoon feed your franchisees. Don't wait for them to try to figure this stuff out for themselves because what they do or don't do is going to have a significant impact on your reputation and potentially, your pocket. My advice to you is get some decent training for them. If you want me to put up a bespoke training on for your franchisees, I'm more than happy to talk about doing so and coming to some arrangement on that. If you want, I'll say, if you want to buy in bulk my GDPR pack so you can give one of those to each of your franchisees, then make sure that they're using the right templates and have the right procedures in place, again, more than happy to do that.
That was the main thing. This is just what is distinct to franchisors, I suppose. Obviously, everything that I say about GDPR applies to you and to your franchisees. It's just that you need to think about both camps. You need to think about your own business and then your franchisees’ businesses. Because, obviously, I say what they do or don't do could really impact your brand and on your bottom line.
So I think that's all I'm going to say on that. I'm going to say if you do want me to look at doing training for your franchisees or providing the GDPR pack to them, or both, then get in touch and my day is getting really, really booked up, as you can appreciate. The sooner you get in, the better. Yeah, that's it really.
If you obviously got an international franchise, then that's slightly more complex. That's probably better if you have got an international franchise, probably better if we speak one to one about that. Because there'll be quite a few extra challenges with that. If you do speak to me directly, then you can either message me on Facebook or email me at [email protected]. Okay. So I think that's what I'll say on that.
Have a great evening. I'm off to Birmingham tomorrow to have my old mastermind buddies, so I'm not sure when I'll fit in a video tomorrow. But I'll try my best-est. I know, I will, I will. I've committed to a video a day. I will even if it's doing it at 2 AM from my bedroom. All right, until then, goodbye.
