With ever-increasing compliance responsibilities pursuant to the Gambling Commission’s LCCP, and more soon to arise on implementation of the 4th Money Laundering Directive, betting operators might be forgiven for thinking that there was a limit to the extent to which even more onerous regulatory burdens could be heaped upon them in the near future.
However, even greater focus on the need for them to protect customers’ personal data and to prevent data breaches will be required when the General Data Protection Regulation (“GDPR”) comes into force in mid-2018, replacing the current EU Data Protection Directive. It will be directly applicable in all EU Member States, without the need for any domestic legislation to implement it.
This will be relevant even if the UK votes to leave the EU because UK businesses will be affected by the GDPR if they process data relating to EU subjects, and in any event it will be vital for the UK’s digital economy that its data protection laws are of a comparable standard with other major jurisdictions.
Historical analysis has suggested that few gambling operators have consistently complied with their data protection obligations, with:
- customers not being informed as to the scope of personal data being captured from them or the uses to which the data is being put and
- operators taking too much data, retaining it for too long and often failing to utilize suitable security measures.
Designed to give individuals within the EU more enhanced data protection rights and to introduce a stricter data protection compliance regime, the GDPR will enable the Information Commissioner’s Office (“ICO”) in the UK and Supervisory Authorities in other EU Member-States to impose fines of:
- up to 4% of annual worldwide turnover (subject to a €20 million maximum) for the most serious infringements (e.g. breaching international transfer requirements or the basic principles applicable to data processing, such as conditions for consent) and
- up to 2% of annual worldwide turnover (subject to a €10 million maximum) for other infringements.
The good news is that the two-year time lapse before the GDPR comes into force means that there is time for operators to prepare for the data protection changes that are coming, but they would be well advised to start that preparation sooner rather than later.
The ICO has already published advice on preparatory steps that should be taken now (see https://dpreformdotorgdotuk.files.wordpress.com). Particularly complex questions will arise for businesses with multi-jurisdiction operations.
There is not space in this article to outline all provisions of the GDPR, but the following aspects will be of particular relevance to betting operators, whether their activities are conducted remotely or non-remotely.
Data protection officer
Under the GDPR, data controllers and processors whose “core activities” involve “regular and systematic monitoring of data subjects on a large scale” will have to appoint a Data Protection Officer (“DPO”). This is going to catch all operators for whom regular and systematic monitoring (including behaviour tracking and profiling) of their customers – not only to ensure effective marketing but also to enable fulfillment of their AML and social responsibility functions – constitutes a core activity conducted on a large-scale basis.
The latest draft of the GDPR appears to encourage EU Member-States and their Supervisory Authorities “to take account of the specific needs of micro, small and medium-sized enterprises”. It remains to be seen what that encouragement means in practice.
However, as matters stand and taking into account the EC’s definition of such enterprises, it seems inevitable that businesses that employ 250 or more people, or that have an annual turnover of €50 million and/or an annual balance sheet total in excess of €43 million, will definitely need to appoint a DPO and, unless a specific derogation is introduced, smaller betting operators will have the same obligation too.
That will not be an obligation to be taken lightly, given that the GDPR requires that DPOs must have both “expert knowledge of data protection law” (i.e. encompassing more than just UK law for multi-jurisdiction operators) and “expert knowledge of practices” (i.e. technical proficiency to manage IT processes, data security and business continuity issues relating to the holding and processing of personal and sensitive data).
Finding the right person for the job and setting up a workable structure are likely to present very considerable challenges, bearing in mind that DPOs will have to be independent of the company that employs or engages them and will need support teams and all of the ongoing training resources that this will necessitate. Betting operators should therefore start planning their resourcing requirements very soon.
Responsible operators will already ensure that their contracts with affiliates clearly set out the requirements for compliance not only with the same licence conditions and/or advertising and other codes of practice by which the operator is itself bound, but also with data protection legislation.
However, often overlooked is the ICO’s view that, although an affiliate is using its own marketing list to make contact with individuals, the betting operator whose services are being promoted will be regarded as having instigated that contact, as a result of which both the betting operator (as instigator) and the affiliate (as sender) can be held liable by the ICO when a data breach occurs.
That will not be changed by the GDPR, but the fines are going to be substantially heavier and, because many affiliates are located outside the EU, the betting operator will represent a closer target for enforcement purposes. As a result, rigorous checks should be conducted now on third party marketing lists to ensure that direct evidence of valid consent of the type required by the GDPR to marketing activity of the type conducted by the affiliate can be produced.
The “right to erasure”
The right to erasure being introduced by the GDPR is likely to raise tricky questions for betting operators in relation to customer self-exclusions, bearing in mind the LCCP obligations both to retain records of self-exclusion agreements and to participate in multi-operator self-exclusion schemes.
There will be plenty of potential litigants who would not hesitate to exercise their GDPR right to claim compensation from a gambling operator not handling their personal data correctly. It is therefore essential that sensible and constructive discussion takes place sooner rather than later between the ICO on the one hand and the Gambling Commission on the other so that a common-sense solution is found whereby it is accepted that compliance with the LCCP constitutes a “legal obligation” or an overriding legitimate ground for retaining the personal data in question.
The position will be more straightforward when a customer requests erasure of their data in circumstances where the request is made at a time when the betting operator is contemplating, or has made, a report to the Police or the Serious Organised Crime Agency. That is because the GDPR does not apply to the processing of personal data for national security activities or law enforcement purposes (the wording actually used is “for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”).
However, I can foresee questions arising when a request for erasure is made in circumstances where no such law enforcement situation has yet arisen, bearing in mind the potential for conflict between (a) the Gambling Commission’s AML and POCA guidance and (b) the onus imposed on the operator under the GDPR to prove that a customer’s data cannot be deleted because it is still needed or is still relevant. This is clearly something else to go on the agenda for dialogue between the Commission and the ICO.
An updated version of the GDPR was published by the EU Council of Ministers on 6 April in readiness for it to come before the European Parliament for a vote, it is thought, on 14 April. More news when we have it!
Clifton Davies Consultancy Limited www.cliftondavies.com (in conjunction with Extrayard Limited http://www.extrayardsecurity.com) are available to advise gambling operators in more detail on the forthcoming data protection law changes.