The EU privacy regulation will force gambling operators and suppliers to make a major change to their internal privacy compliance.
A new approach to privacy compliance
Based on my personal experience, privacy compliance has not traditionally been a priority for gambling operators and suppliers. This was also due to the fact that:
- operators and suppliers are usually based in countries that adopt a lighter approach to privacy compliance. But this is no longer going to happen with the EU General Data Protection Regulation (GDPR), which will entitle players to bring claims before the authority of their country of residence, rather than the country of establishment of the operator/supplier; and
- fines were not frequent and their amount was in any case quite low. This is also going to change since – as covered in this blog post – fines will be increased up to 4% of the global turnover of the breaching entity. And as mentioned above, such fines might also be issued by the data protection authority of the country where players – rather than the company – are based.
Are players’ personalisations at risk?
One of the main aspects that will be affected for gambling operators and suppliers is that the customisation and profiling of the gaming offering and marketing will require:
- the prior express consent that shall be
  - separate from either the consent to the approval of the player agreement or the general consent to the privacy information notice; and
  - freely given, and indeed bonuses/incentives awarded for marketing consents have been challenged by the Italian data protection authority in the past;
- the outline in the privacy information notice of all the modalities in which the collected data is used as well as the applicable legal basis, without the possibility to rely on a broad and generic wording;
- the performance of a “privacy impact assessment”, which shall have the features outlined in this blog post; and
- the implementation of a “privacy by design” approach in the setting up of the relevant technology.
Competitors might “steal” your customers due to the portability right?
The new privacy portability right risks giving a major advantage to newcomers to the market. They might attract customers through bonuses and then encourage them to exercise their portability right. This would enable such competitors to perform a customised offering even in the absence of prior trading history.
Precautions need to be put in place to limit the negative effects of this right. I covered them in this blog post, also after the issue of the guidelines by the Article 29 Working Party on the topic.
You need advice tailored to gambling companies
To get ready, gambling companies need to assess the GDPR’s impact on their organisation, taking into account their unique needs, the most frequent issues they encounter and the types of data processing activities they and their suppliers perform.
With more than 130 data protection lawyers worldwide and a deep knowledge of the gambling sector, DLA Piper’s Global Data Protection, Privacy and Security team is familiar with the most relevant aspects of the GDPR that can impact gambling companies.
We ran a webinar dedicated to gambling operators and suppliers, with specific reference to the issues that they might face in relation to the adoption of the measures required by the EU Privacy Regulation. You can find the recording and the material of the webinar HERE, and below is the presentation.
Will you be ready by 25 May 2018?
Operators and suppliers now have until May 25, 2018 to ensure their data processing activities are in line with the newly adopted rules. It seems a long time, but the amount of work that has to be done is really considerable, especially for companies that have never run a privacy audit before.