The General Data Protection Regulation demands more from organisations in terms of accountability for their use of personal data and adds to the existing rights of individuals.
It is not, however, a total revolution but builds on foundations which have been in place for the last 20 years. Many of the fundamentals of data protection remain the same.
There have been concerns expressed to the Gambling Commission that the General Data Protection Regulation will affect what actions can be taken to tackle issues such as problem gambling and gambling associated crime.
Their view is that GDPR is not intended to prevent operators from taking steps which are necessary for the public interest or are necessary to comply with regulatory requirements under a Gambling Licence.
They state that GDPR should not be improperly used as an excuse to avoid taking steps which enable compliance with Licence conditions, promote socially responsible gambling and promote the Licensing Objectives.
Consent is one lawful basis for processing personal data and an indication of consent must be unambiguous and involve a clear affirmative action. GDPR gives a specific right to withdraw consent and people need to know about their right to withdraw. It is not true that data can only be processed if an organisation has explicit consent to do so. The new Law provides five lawful grounds for processing data and in the context of personal data needed to comply with gambling regulation, these other lawful grounds may be more appropriate than consent.
As well as consent, the other legitimate purposes for processing data include:
Operating licences will contain conditions requiring operators to put into effect procedures to allow for exclusion, to prevent money laundering and to combat problem gambling. It will be necessary for operators to obtain and process personal data in order to comply with these requirements. It will also be necessary for operators to securely retain data for a period of time in order to evidence compliance with the Gambling Commission in the event of an investigation. Consideration should, therefore, be given to this when determining whether there is an ongoing legitimate purpose for obtaining, processing and retaining personal data.
You should note that whilst GDPR gives data subjects the right to request that their personal data is erased, this right to erasure is not unrestricted and in particular you may not need to comply with such requests if retention of the data is still necessary in relation to an identified lawful basis.