Privacy compliance needs to be a priority for gambling operators, whose business relies extensively on data, and the GDPR imposes relevant obligations on them.
The EU General Data Protection Regulation (GDPR) is a major milestone for both gambling operators and suppliers, but many of them were not ready for the deadline of the 25th of May 2018. This is happening at a time when the customization of the gaming offering to players is becoming a priority. After having discussed how the GDPR impacts gaming affiliates, below is a (non-exhaustive) list of privacy-related issues relevant for gaming operators (and suppliers):
1. Is your privacy consent valid?
The level of detail required for privacy consent under the GDPR is higher than what is provided under the current data protection regime. For instance,
- a single privacy consent to the delivery of marketing communications and the approval of the Ts&Cs;
- a single privacy consent to the delivery of marketing communications and the players’ profiling;
- a pre-ticked consent to the delivery of marketing communications; and
- a compulsory consent to the delivery of marketing communications
are all scenarios that risk rendering previously obtained privacy consents invalid. Therefore the issues are
- how to change privacy-related consents, minimizing the disruption for the business in case consents are not obtained; and
- how to assess what can be “saved” of the privacy-related consents previously obtained.
2. Can you rely on legitimate interest to support your gaming business?
Legitimate interest is a valid option for performing “light” profiled direct marketing without the need to rely on players’ consents. I discussed the topic in this blog post, but it should be clarified that it is not possible to run “any” type of profiled direct marketing under legitimate interest. The applicable scenarios shall not be invasive and shall be clearly indicated in the privacy information notice.
Gaming operators shall run the so-called “balancing test” in order to identify the cases in which legitimate interest can be relied on for direct marketing.
3. Did you run a data mapping exercise before drafting a new privacy information notice?
A common mistake is the assumption that a privacy information notice is a sort of “standard” document that can be drafted without first understanding how personal data is processed by the gambling operator for GDPR-related purposes.
This can no longer happen under the GDPR, which requires a higher level of information in the privacy information notice; that information shall be “mapped” within the company through interviews, questionnaires and analysis. Otherwise, the risk is to obtain new privacy consents on the basis of a data protection notice that subsequently needs to be changed, endangering the effort necessary to collect such consents.
4. Did you run a privacy impact assessment of your gambling platform?
The functionalities of a gaming platform are extensively aimed at monitoring the behavior of customers. This is primarily aimed at preventing fraud and identifying gambling addictions, but a very strong component is to ensure that the website is customized to players’ preferences so that they are more likely to gamble.
Given the large databases of gaming operators and the wide number of parameters on players’ behaviors that can be taken into account, the performance of a privacy impact assessment (PIA) on all the processes that require a review of players’ behaviors is a “must-have”. The results of the PIA can lead to the conclusion that some technical and organizational changes are necessary.
5. Did you create an internal “culture” on privacy compliance and can you monitor the proper processing of personal data?
It is possible to invest considerably in privacy compliance, yet employees of some gambling operators are not fully aware of their GDPR-related obligations and of the potential fines to which their company can be exposed, not only in case of a data breach, but also in any circumstance in which personal data is not properly processed, accessed or communicated to third parties.
It is therefore necessary to run annual training for personnel, also by means of e-learning modules, and to create an internal system of controls and reporting, which is summarized in the chart below.
This is just a snapshot of how the GDPR is going to impact gambling operators and suppliers, but the privacy-related activities to be run are quite extensive.