Gambling and video gaming companies risk being non-compliant with the GDPR because they adopt a merely formal approach, even though the EU privacy regulation could affect their business model.
The impact of the GDPR on the gaming and gambling sectors
The EU privacy regulation was a “revolution” for several industries that had ignored data protection compliance for many years.
The gambling and gaming sectors have increasingly relied on big data and on monitoring players’ behavior to improve the player experience, reduce fraud and prevent addictive gambling behavior. The development of technologies that let players gamble from Internet of Things and mobile devices has further increased the amount of data collected and used in the gaming sector.
Data has always been a significant resource, especially in the online gaming and gambling industry. Some operators have made tailoring their offering to each player’s profile one of the main drivers of their growth. However, this primary resource might end up being a “ticking bomb”, since it can trigger fines of up to 4% of the breaching entity’s total worldwide annual turnover (or EUR 20 million, whichever is higher).
I have discussed how the EU Privacy Regulation also introduces new liabilities for gaming suppliers and might considerably change the business of gaming affiliates. But the approach we are seeing with a number of our (especially gambling) clients is that they just
- rushed to have a privacy information notice referring to the GDPR on their site by May 2018, without considering, for instance, that the data processing activities might differ from one country to another;
- used quite confusing language in the data protection notice, relying on multiple legal bases for the data processing and referring to legitimate interest where they were unable to justify the processing;
- did no substantial work to set up the organizational and technical measures required by the GDPR, limiting their actions to policies referring to general principles that are difficult to adopt and were often ignored;
- appointed a single global data protection officer who is usually a member of the compliance department with other roles as well, has no direct involvement in the business, and whose details were not notified to the data protection authorities of the EU Member States in which they operate; and
- ran training for their employees through an e-learning tool that most of them completed quickly, without any impact on the way they operate.
The result is that gaming and gambling operators and suppliers are “formally” GDPR compliant, but in practice they are not.
A data breach could be a “disaster”
So far there have been no cases of significant data breaches affecting the gambling sector, while some major breaches have occurred in the video gaming sector, especially before May 2018.
The amount of potential fines is a threat, but the risk of claims from players should also be considered. Information about gambling addiction could be revealed through a data breach, leading to reputational damage and consequential claims.
Likewise, the gambling industry relies heavily on third-party game suppliers that have access to the details of players located in many jurisdictions. This means that a delay in handling a data breach can lead to regulatory challenges before several authorities: the GDPR requires the controller to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, so a supplier that reports late to the operator puts the operator in breach as well. For instance, in the case of country-specific gambling licenses, the local data protection authority might claim jurisdiction over violations affecting players in its country.
The scenario will evolve further with the upcoming ePrivacy Regulation, on which you can read the latest update in the article “The new draft ePrivacy Regulation changes on digital marketing”.
My recommendations for gambling and gaming companies to be GDPR compliant
My personal experience is that operators/suppliers are prudent when it comes to gaming regulatory obligations. However, privacy compliance has always been considered a “nice to have” as opposed to a “must-have”.
As outlined above, this approach is no longer sustainable under the GDPR. My top five recommendations are:
- run a detailed data mapping exercise for each of your licenses/countries to check whether the data processing activities differ from country to country, and reflect the results in the record of processing activities required by Article 30 GDPR;
- redraft the data protection notice to reflect the data processing activities actually performed, making it intelligible and carefully indicating the applicable legal basis for each processing activity and the retention period;
- perform data protection impact assessments, at least on the significant data processing activities affecting players, with a detailed analysis rather than references to other documents/policies, carefully justifying why the personal data are adequately protected;
- adopt an internal organizational model that enables control over the data processing activities performed by the group, identifying distinct reporting channels, including for external suppliers, which must be told how to report data breaches and what must be reported; and
- review the technical measures adopted by the group and make sure that the data processing activities are not excessive and that data are adequately protected.
On the topic above, you may find the articles “Gambling and video gaming players’ profiling under the GDPR” and “Top 5 privacy issues for gambling operators under the GDPR” interesting.