The European Union's updated and expanded data privacy laws--the General Data Protection Regulation, or GDPR--took effect on May 25. Within the first few days after, multibillion-dollar lawsuits were promptly filed against Google and Facebook. In the United States, we have been inundated with updated privacy notices and requests for consent. So, what impact will GDPR have on franchisors, franchisees and the entire franchise system?
GDPR AND U.S. FRANCHISORS
U.S. franchisors not established in the EU are subject to GDPR if they offer goods or services to EU residents or monitor the behavior of individuals in the EU. The key question is whether you process the personal data of EU residents. A franchisor may process personal data of EU residents when qualifying franchisees, as part of customer loyalty programs, and for other purposes. Franchisors engaged in targeted advertising and tracking of individuals online who are EU residents as well as any sharing of personal information between franchisors and franchisees will trigger compliance. While mere access to a website by EU residents does not trigger the need to comply, the use of foreign languages or acceptance of foreign currency will bring the website within scope of the GDPR.
WHY IT MATTERS
GDPR imposes several new requirements and increases the penalties for noncompliance. A primary focus of GDPR has been on the increased fines for noncompliance, which are considerable. Violations can result in fines up to the greater of [euro]20,000,000 or 4 percent of a company's annual revenue. In addition, a franchisor could potentially be fined for its franchisees' failure to comply with certain GDPR provisions. Individuals also have the right to sue.
Even if not sued or faced with a regulatory action, a franchisor might be faced with requests from individuals asserting their new-found rights to data access and, in some cases, to have their personal data removed or transferred. Systems and processes may need to be updated to handle such requests.
If a franchisor acts as a controller as defined in the GDPR, it must notify a privacy regulator within 72 hours of the discovery of a data breach. In addition, franchisors must implement "appropriate technical and organizational measures to ensure a level of security appropriate to the risk." The use of encryption and anonymization of any personal data will reduce risk and potential liability. Once anonymized the data is no longer personal...