Gambling and GDPR: what does the new data protection regulation mean for compliance with gambling regulatory requirements?
On 25 May 2018, the new data protection legislation came into force both in the UK and across the EU. It demands more from organisations in terms of accountability for their use of personal data and adds to the existing rights of individuals. It is not, however, a total revolution but builds on foundations which have been in place for the last 20 years. Many of the fundamentals of data protection remain the same.
What is the Gambling Commission’s stance on GDPR?
Concerns have been expressed to the Gambling Commission that the General Data Protection Regulation will affect what actions can be taken to tackle issues such as problem gambling and gambling-associated crime.
Their view is that GDPR is not intended to prevent operators from taking steps which are necessary for the public interest or are necessary to comply with regulatory requirements under a Gambling Licence.
They state that GDPR should not be improperly used as an excuse to avoid taking steps which enable compliance with Licence conditions, promote socially responsible gambling and promote the Licensing Objectives.
Changes to consent under GDPR
Consent is one lawful basis for processing personal data, and an indication of consent must be unambiguous and involve a clear affirmative action. GDPR gives a specific right to withdraw consent, and people need to know about their right to withdraw. It is not true that data can only be processed if an organisation has explicit consent to do so. The new Law provides five lawful grounds for processing data and, in the context of personal data needed to comply with gambling regulation, these other lawful grounds may be more appropriate than consent.
As well as consent, the other legitimate purposes for processing data include:
- Processing that is necessary for compliance with a legal obligation to which the data controller is subject.
- Processing that is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing that is necessary for the performance of a task carried out in the public interest.
- Processing that is necessary for the purposes of the legitimate interest pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).
Operating licences will contain conditions requiring operators to put into effect procedures to allow for exclusion, to prevent money laundering and to combat problem gambling. It will be necessary for operators to obtain and process personal data in order to comply with these requirements. It will also be necessary for operators to securely retain data for a period of time in order to evidence compliance to the Gambling Commission in the event of an investigation. Consideration should, therefore, be given to this when determining whether there is an ongoing legitimate purpose for obtaining, processing and retaining personal data.
You should note that whilst GDPR gives data subjects the right to request that their personal data is erased, this right to erasure is not unrestricted. In particular, you may not need to comply with such requests if retention of the data is still necessary in relation to an identified lawful basis.
If you require any further help with this topic, you can either contact our Licensing team or our Commercial team on 01332 340 211.