Increasingly, when a franchise business is asked to identify its most valuable asset, it points to its customer data. Inexhaustible developments in technology mean that businesses now have access to information about their customers as never before. Whereas a business might previously have run a marketing campaign based on focus group feedback, now it can target its marketing based on how individuals visit its website and use its app (on tablets and smartphones), as well as how they rate and recommend it on social media. Moreover, a business can perform this analysis of customer interactions on staggering amounts of data.

Effective use of customer data can replicate the personalised offline experience in an online setting. It can enable franchisors and franchisees to respond more quickly to customer trends and develop an integrated approach to marketing and brand-building campaigns. Franchise businesses that embrace this approach should ensure that teams are structured around the customer and not just the channel, thus guaranteeing more integrated collaboration between the corporate-owned business and franchisee-owned business.

However, with commercial opportunity comes the challenge of legal compliance – any handling of customer data is likely to trigger the application of data protection and privacy rules. Issues of intrusiveness and data security concerns have increasingly led to more countries legislating for data protection. Franchise businesses which collect and use data from European citizens – whether established in the European Union or not – should be aware that the legal landscape is set to change dramatically with the implementation of the EU General Data Protection Regulation.

General Data Protection Regulation

After years of debate, the negotiating parties have reportedly agreed the text of the European Union's successor privacy legislation, the General Data Protection Regulation. The key driver behind this legislative change is to update Europe's ageing data privacy rules for the modern technological era; it is undoubtedly the most important change to EU data privacy law of the past 20 years.

However, this is not the formal end of the legislative process – while the text of the new regulation has been agreed by the negotiating parties, it has yet to be formally adopted by the European Parliament and European Council. This is likely to be a rubber-stamping process that will take place in early 2016, after which the regulation will become law. The countdown will then begin to the date on which it comes fully into effect – two years after adoption (ie, 2018).


The new regulation will usher in an era of greater accountability, with significantly increased transparency and controls for individuals to manage their data. It will have a global effect, so that any business that collects and uses data from European citizens – whether established in the European Union or not – will potentially find itself subject to EU data protection rules.


The new regulation will apply to both data controllers and data processors, which means that service provider businesses (eg, the business-to-business cloud) that previously were not directly subject to EU data protection compliance requirements will find themselves caught by the new rules. In the franchising context, the rules will apply to both franchisors and franchisees; the franchisor will nearly always be the data controller of customer data, but a franchisee may be either a data controller or a data processor, depending on the arrangement between the parties. The franchisor and franchisee are usually independent data controllers – that is, they both have rights to access and use the personal data, but for their own separate purposes. A franchisee may be a data controller of customer personal data even if the franchisor lays claim to IP rights in the data.

Notably, non-compliant businesses risk fines of up to 4% of global turnover.


Good data protection compliance can be a significant enabler for businesses by increasing customer trust and encouraging interaction. This can help franchisors and franchisees to know more about their customers and thus open up new and enhanced marketing strategies. However, compliance should be seen not as a drawback, but rather as a means of exploiting customer data in the most effective way. Failure to take data protection compliance seriously can result in serious fall-out for companies – whether that entails a loss of reputation, compensation claims or regulator fines. Many major companies have learned this to their cost when their non-compliance with the rules became public. It is likely to be only a question of time before a franchisor and its brand are similarly caught out.

Finally, there is the good news that the patchwork quilt of 28 different EU member states' laws (all with their own quirks and kinks) will be replaced by a single, unifying data protection law, which will hopefully lead to significantly greater data protection harmonisation throughout the European Union – a 'win-win' for consumers and businesses alike. Data protection authorities must live up to this challenge of harmonisation through the mechanics of the new regulation's one-stop shop and consistency mechanism.

The introduction of the General Data Protection Regulation is undoubtedly an achievement of epic proportions that will define the future of Europe's digital single market and of data protection for decades to come.

For further information on this topic please contact Gordon Drakes or Phil Lee at Fieldfisher by telephone (+44 20 7861 4000).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.