GDPR: improving operations in gambling

It’s over a year since GDPR came into force and the Gambling Commission are working closely with the ICO to make sure gambling firms are not only complying, but also using the regulation to improve their operations and client focus.

Having put in place a plan for implementation, now would be a good time to review your governance, processes and documentation. If there’s work to be done, start with areas which involve interaction with consumers.

Using GDPR to improve operations in gambling

The GDPR – or General Data Protection Regulation – is the evolution of the Data Protection Act 1998, keeping similar key principles at its core, so many of the requirements should not have been a complete surprise to firms that already complied with the DPA98.

In the UK, the Information Commissioner’s Office (ICO) is the supervisory authority for data protection, and it is working alongside the Gambling Commission to ensure that firms are really engaging with GDPR. Firms that take this approach can find opportunities to improve their operations: for example, where they discover they are holding superfluous personal data, and go on to work out what they really need and how best to collect and maintain that information.

Whilst the GDPR introduces a number of changes in the way personal data is treated, the Gambling Commission stresses that firms’ compliance with these requirements should not prevent them from complying with other regulatory requirements under their gambling licence, such as anti-money laundering (AML).

In our overview of the market, we’ve seen both good practice, and room for improvement. And we’ve been able to share practical guidance with firms on how to take the next steps, and ensure their GDPR controls are up to scratch.

Good practice

By really engaging with GDPR, firms have found opportunities to improve their operations from an internal point of view as well. For example, some discovered that they were holding superfluous personal data, and had to work out what they really needed and how they could best collect and maintain that information.

Firms have often been successful, too, in incorporating data protection into their day-to-day product governance activities, rather than simply treating it as a one-off exercise.

In addition, firms have learned that there’s more help available than they realised. The Information Commissioner’s Office website, for example, is a goldmine of comprehensible guidance for complying with the new regulation.

Since GDPR came into force, we have also seen better awareness from the general public about their data rights, and specifically about the importance of their privacy. Respect for this awareness is reflected in recent advertising by tech companies; one notable example is Apple’s recently launched ‘Privacy Preserving Ad Click Attribution’ feature, which aims to limit the amount of identifiable information about a web user available to advertisers.

Room for improvement

The most common pitfall has been underestimating the scale of what needs to be done to fully comply. Many firms, particularly large and well-established ones, learned that the administrative burden of achieving compliance was bigger than expected, not least because of the large volumes of personal data they were holding. Indeed, the transition has often been easier for smaller and newer firms, where most administrative work is done online with only a minimal paper footprint.

Some firms found they needed to change attitudes to personal data. To achieve this, many have provided staff with education, highlighting the fact that data belongs to individuals rather than to the firm – even when consent for its use has been given. In fact, consent isn’t necessarily the best lawful basis for using data, given the range of lawful bases the regulation provides.

We’ve already seen the ICO levy some significant fines, and there will doubtless be more to come. For gaming firms looking to stay on the right side of the regulator, now is the time to review the controls they put in place to meet the deadline, and to ensure they are really fit for purpose – both in terms of meeting the regulatory requirements, and working efficiently within the operational framework of the organisation.

Next steps

Governance

GDPR places more emphasis on accountability, governance and transparency than the old DPA. Organisations are expected to put into place more comprehensive, but proportionate, governance measures aimed at protecting personal data and mitigating the risk of data breaches. In practical terms organisations will need to review the policies and procedures they already have in place to ensure these cover the more explicit governance measures required by the GDPR.

The GDPR principle of accountability requires organisations to implement appropriate technical and organisational processes that demonstrate how they are meeting the requirements including:

  • Internal data protection policies
  • Staff training
  • Internal audits of processing activities, and
  • Reviews of internal HR policies.

Organisations must maintain relevant documentation on processing activities and where appropriate, appoint a data protection officer.

Demonstrating compliance includes implementation of measures that meet the principles of data protection by design and data protection by default including:

  • Data minimisation
  • Pseudonymisation
  • Transparency
  • Allowing individuals to monitor processing, and
  • Creating and improving security features on an ongoing basis.
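The two design-and-default measures most open to a concrete illustration are data minimisation and pseudonymisation. The following Python is an added example, not code from the original article or from Bovill, showing one way to apply both to a betting record before it leaves the source system for reporting: direct identifiers are dropped, and the account id is replaced with a keyed HMAC-SHA256 token so rows for the same customer stay linkable without the key holder being anyone but the controller. The field names, the sample rows and the choice of a keyed HMAC are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Assumption for this example: the only fields the reporting pipeline needs.
# Anything not listed here is dropped before export (data minimisation).
RETAINED_FIELDS = ("customer_ref", "stake_gbp", "product", "event_date")

# Fields treated as direct identifiers and never exported.
DIRECT_IDENTIFIERS = ("account_id", "full_name", "email", "date_of_birth", "ip_address")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Map a direct identifier to a keyed HMAC-SHA256 token.

    A secret key (rather than a plain hash) means nobody without the key can
    recompute the token from a guessed account id. The key is the 'additional
    information kept separately' that GDPR Article 4(5) requires for data to
    count as pseudonymised, so it must not be stored beside the export.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Return a copy of a customer record reduced to what reporting needs.

    The account id becomes a pseudonymous customer_ref so bets by the same
    customer remain linkable; name, e-mail, date of birth and IP address are
    not copied at all.
    """
    out = {"customer_ref": pseudonymise(record["account_id"], key)}
    for field in RETAINED_FIELDS[1:]:
        out[field] = record[field]
    return out


def has_direct_identifiers(record: dict) -> bool:
    """Pre-export check: True if any direct identifier survived minimisation."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def export_for_reporting(rows: list, key: bytes) -> list:
    """Minimise every row and refuse to export if any identifier leaked."""
    exported = [minimise(row, key) for row in rows]
    if any(has_direct_identifiers(row) for row in exported):
        raise ValueError("direct identifier present in export")
    return exported


# Constructed sample rows for the example; not real customer data.
SAMPLE_BETS = [
    {"account_id": "ACC-1001", "full_name": "A. Example", "email": "a@example.com",
     "date_of_birth": "1980-01-01", "ip_address": "203.0.113.7",
     "stake_gbp": "25.00", "product": "sports", "event_date": "2019-06-01"},
    {"account_id": "ACC-1001", "full_name": "A. Example", "email": "a@example.com",
     "date_of_birth": "1980-01-01", "ip_address": "203.0.113.7",
     "stake_gbp": "10.00", "product": "casino", "event_date": "2019-06-02"},
    {"account_id": "ACC-2002", "full_name": "B. Example", "email": "b@example.com",
     "date_of_birth": "1975-05-05", "ip_address": "198.51.100.4",
     "stake_gbp": "5.00", "product": "sports", "event_date": "2019-06-02"},
]


if __name__ == "__main__":
    # In production the key lives in a key store under the controller's
    # control; generating it here is only so the script runs stand-alone.
    key = secrets.token_bytes(32)
    for row in export_for_reporting(SAMPLE_BETS, key):
        print(row)
```

The point of the keyed token rather than a bare SHA-256 of the account id is that account ids are usually low-entropy and enumerable, so an unkeyed hash would let anyone with the export re-identify customers; keeping the key with the controller is what makes the output pseudonymous rather than merely obfuscated.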

Process, documentation and evidence

Most firms will have had a plan of some sort in place. Now is the time to make sure you didn’t miss anything during implementation and that what you have embedded is sustainable.

What sort of thing do you need to have documented? Your plan should act as a checklist for documenting compliance with each area of the regulation.

This should include the following:

  • A record of processing activities, in any department, that use personal data. What data do you hold? What is processed by whom, and who does it get sent to?
  • An appropriate data protection policy
  • An articulation of your lawful bases for processing personal data
  • An assessment of whether your organisational culture adheres to the core principles of data protection (which haven’t really changed since the 1998 Data Protection Act)
  • A process to make sure the data is accurate and up to date
  • An approach to obtaining, recording and managing consent to hold personal data
  • Procedures to address requests from data subjects, including updated privacy notices
  • A clear retention policy so you hold data only for as long as it’s needed
  • Evidence of appropriate IT safeguards to protect the personal data you process
  • Clear notification procedures so that in the event of a breach you can inform the ICO within 72 hours
  • Evidence of clear data protection governance across the three lines of defence.

In terms of priorities, start with the areas which involve interaction with consumers. It’s vital to equip your organisation to deal with consumers’ subject access requests, and to display an up-to-date privacy notice telling individuals how their data will be processed.

Helping gambling firms with regulation

Bovill’s Regulatory Compliance team has a wealth of experience helping firms understand and comply with their data protection and regulatory obligations. The assistance we provide ranges from bespoke reviews of firms’ policies/procedures and/or processes, to training across the firm.

Bovill is helping clients figure out how they’re affected by GDPR and assess whether their processes are up to scratch. For more information on this, or to find out about our new GDPR healthcheck, get in touch.
