Franchising — dealing with data breaches

Franchise networks and businesses rely on data flow through the franchise networks on a local, national and international basis. Whilst some franchisors have stringent network systems to protect customer and franchise data, often too many lag behind and problems arise when personal or confidential data is breached. This can have a significant impact when you consider the sheer scale of some franchised business and the potential for significant fines and bad publicity.

In the current economic climate, with unprecedented numbers of employees working from home and accessing systems remotely with little or no supervision, protecting data and confidential information is ever more important.

There are, however, a number of practical steps that you can take to prevent such data breaches or limit the damage if they do occur.

Assess the risks

Consider how valuable, sensitive or confidential your data is and what damage could be caused to your business in the event of a security breach. A clear risk assessment will help you to choose the most appropriate security measures for your business needs. You could also take this a step further and undertake the Government backed assessment scheme, Cyber Essentials (or Cyber Essentials Plus). This could also be a requirement imposed on the franchise network, via the franchise agreement or manual.

Employee awareness and training

Franchisor employees and those of the franchisees (at all levels) should be aware of their roles and responsibilities. A thorough and well communicated set of company policies and procedures is a must. These should dictate the use of company/franchise network systems, electronic devices and the transfer of confidential information. You should also train your staff and network members to recognise threats to IT security.

Limit and monitor access

Ensure that access to customer databases, confidential and sensitive franchise data is only granted to those employees and members of the network who need such access. Each user in the company/network should have their own username and password and passwords should be regularly changed and updated.  

Departing employees/franchisees

Employees or franchisees who have decided to leave your business or network present a particular risk, as their interests will no longer be aligned with yours. You should ensure that you swiftly disable access to computers, handheld devices, servers and databases for ex-employees or franchise members.  

Responding to data theft incidents

If you suspect or you are faced with a data theft incident from someone within your own organisation, employing the correct practices at the outset is crucial. A small investment in knowledge and understanding could make all the difference between getting it right (and catching the culprits and retrieving your data) and getting it wrong. Consider our top tips:

• engage legal advisors early
• consider specialist forensic assistance
• decide who within your business will be responsible for investigating the incident in conjunction with any lawyers or specialists
• identify as soon as possible what data has been taken and whether it triggers any obligations for the company, for example any notification obligations to the Information Commissioner’s Office under the GDPR.
• once you have identified the culprits or suspected culprits, make sure you understand their restrictions and obligations – what contracts/policies do you have in place
• consider and understand the available evidence before taking action, albeit recognise that you may need to act swiftly to limit any dissemination of misappropriated data.