What New EU Data Protection Regulation Means for the iGaming Industry
Published By: James Lephew – Senior Compliance & Content Manager at iGaming Academy
GDPR’s introduction marks a seismic change in the digital landscape. After coming into force in May 2018, the new EU GDPR regulation radically changes the balance of power between companies and individuals with regard to the use of personal data. Individuals will have far more power to control how their data is used, and companies will bear most of the responsibility for ensuring this is possible.
iGaming companies are heavily exposed to GDPR. The regulation touches on numerous areas that are central to digital businesses, and since the iGaming industry serves millions of customers throughout the EU, GDPR is big news for the industry. Significant change will be required to comply with the new regulation.
In this guide, iGaming Academy will help you understand the GDPR regulation, what it means for iGaming companies, and how you can take action now to comply with GDPR.
IMPORTANT: This guide is intended to inform, but does not constitute legal advice. Specialist legal advice should be taken in relation to specific circumstances.
What Is GDPR?
Large amounts of personal and sensitive data are collected and built upon in the digital economy. GDPR requires that companies provide more information about how this data is used and exchanged, and take more responsibility for storing and processing it.
The new EU Data Protection regulations are designed to harmonise data privacy laws across Europe, to give greater protection and rights to individuals, and to give consumers quicker access to their personal data, showing them who else has handled it and why it was necessary. These rules will also require organisations to appoint a Data Protection Officer to take a leadership role in overseeing a data protection strategy and its implementation to ensure compliance.
How will GDPR affect the iGaming industry?
Gaming companies could face significant business risks and administrative fines for data breaches or non-compliance with GDPR. There are also the reputational risks to consider – possibly the most damaging of all.
Breaches can bring an Operator’s reputation into question, which could compromise its market position, and overall trust from consumers. Gaming companies operating within the EU now face geographical risks as well, especially when monitoring players’ behaviour.
Significant administrative fines and penalties are another risk for operators, and are broken down into two tiers:
- the first tier is up to 10 million EUR or 2% of annual turnover
- the second tier can reach up to 20 million EUR or 4% of annual turnover of the previous year, whichever is higher
GDPR became fully enforceable on the 25th May 2018.
Various organisations are involved in the enforcement of GDPR. Since this is an EU regulation which spans multiple territories, regulatory bodies will vary by jurisdiction.
Some of the key parties include:
- Local Data Protection Authority – EU Member countries will be subject to local oversight. Local organisations across the EU will ensure that the personal data of customers, providers, organisations, institutions, and individuals within the EU (and non-EU) is handled in compliance with GDPR.
- Office of the Information and Data Protection Commissioner – Malta – Enforces the provisions laid out in the ‘Chapter 440 Data Protection Act’ for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto in Malta. idpc.org.mt
- Information Commissioner’s Office (ICO) – United Kingdom – Upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals in the UK. ico.org.uk
GDPR’s wide scope means there are many requirements for which individuals and departments will need to take responsibility. Senior leadership takes ultimate responsibility for GDPR compliance, but these requirements should of course be delegated to the relevant parties.
Here are some of the key requirements GDPR introduces:
- Appointment of a DPO – All public authorities in EU Member States are required to appoint a Data Protection Officer to regularly monitor the activities of data controllers or processors involving the processing of special categories of personal data of data subjects.
- Legal Basis For Processing Data – Companies must be able to cite 1 or more of 5 legal bases for processing personal data, for example explicit consent or legitimate interest.
- Restrictions on Data Transfers – Gaming companies will need to be aware of the risks of transferring data to non-EU countries, and non-EU controllers may need to appoint representatives in the EU.
- Data Processors’ Legal Obligations – Gaming companies will be legally liable for data breaches, therefore contractual agreements will need to be updated, stipulating liabilities. The responsibilities of the controller and the processor will need to be documented clearly.
- Data Protection Impact Assessments (DPIAs) – data controllers are required to conduct DPIAs where privacy breach risks are evident.
GDPR Action Points
Do you need guidance on where to start with GDPR? With so much to understand, interpret and act upon it can be easy to succumb to inaction. However, with the regulation now in force – and heavy fines a real potential – now is the time to take action.
1 – Create A Roadmap
KEY QUESTION: What data do you hold, where is it stored and what processing is the data subject to? Your plan will need to include steps to answer this question and resolve any issues.
Clearly, the extent of GDPR means any business that is responding seriously to its new requirements will need a well-structured plan. Your plan (or roadmap) will probably include the assignment of responsibility to individuals, an audit of your existing exposure, and a review of your policies and procedures. Finally, you’ll want to decide upon a time frame for implementation. This road-mapping in itself demonstrates intent to comply.
2 – Notify Customers & Clients
KEY QUESTION: What notifications am I required to send? All registered customers and clients should be notified as soon as possible after data is received. When data is used for communication purposes, this means ‘immediately’. Notification must always be made before sharing personal data with a 3rd party.
Customers and clients must be informed of how you will process their personal data, and of any major changes you’re introducing as a result of GDPR. As a gaming operator or supplier, this may include updating your data privacy processes, reviewing notification systems and messages, and capturing and recording consent.
3 – Train All Relevant Staff
KEY QUESTION: Who do you need to train? All staff members who handle – or have responsibility for – personal data need to know about GDPR. In practice, this includes the vast majority of iGaming workforces and even front-line teams.
Reacting to GDPR will require organisation-wide effort. Changes need to be made from the senior executive level all the way down to front-line teams. Training will be critical, as staff need to know what GDPR requires and what they need to do as part of it. Training for iGaming Compliance: iGaming Academy runs GDPR masterclasses and offers GDPR eLearning courses for large workforces. Contact us today to discuss your GDPR requirements.
4 – Record Your Actions
KEY QUESTION: What do we document? All processes, procedures and uses of customer data should be recorded. Changes to these procedures should be noted and dated, along with the legal reasoning to back them up.
Recording your policies, procedures and approaches clearly serves two primary purposes. First, clear documentation will help your organisation respond systematically to the many requirements of GDPR. Second, record-keeping provides you with evidence of commitment to compliance; ideal if you are ever asked to prove your approach or respond to a complaint.
5 – Respond To Requests
KEY QUESTION: How long do I have to respond? Data-related requests should be responded to within one month of receipt.
GDPR is all about rebalancing power back to the individual. Businesses are required to accept and respond to data access requests, including requests for deletion and complaints regarding the misuse of data. Many gaming operators have chosen to build these systems into their technical platforms, though any form of clear process with adequate customer service is acceptable.
6 – Review & Repeat
KEY QUESTION: How often do we need to review GDPR? There’s no set timeframe, but your roadmap should show a clearly defined plan for review that includes re-assessment of the data collected, the processing of this data and the procedures for these activities.
GDPR may feel like a one-time deadline, but the reality is that this is a regulation that’s here to stay. New technologies and business plans will need to be assessed for GDPR compliance. Even ongoing policies and procedures will need regular review to maintain compliance. Additional GDPR refresher training for staff is a great way to keep standards high.
24 OCT 1995 – Data Protection Directive 95/46/EC created to regulate the processing of personal data in the EU.
25 JAN 2012 – Initial proposal for updated data protection regulation by the European Commission
15 DEC 2015 – European Parliament and Council reach an agreement, with the text to be finalised at the official signing in early 2016
8, 16 APR 2016 – European Parliament and Council adopt the legislation
25 MAY 2018 – GDPR is fully enforceable throughout the EU.
Get Effective Training for GDPR Compliance
iGaming Academy offers highly effective training solutions, helping your company achieve GDPR compliance. We offer GDPR Masterclasses for senior decision-makers, GDPR eLearning courses for front-line staff, or can even custom build training solutions to your exact needs.