Three key aspects of the GDPR for gambling companies
Claudia Arrigoni - Consultant and Data Protection Officer

Gambling is all about accepting risk. Managing a successful gambling company requires just the opposite. To protect players’ privacy and remain GDPR compliant, there are steps your company needs to take to minimize the risk of sensitive data ending up in the wrong hands. Navigating how the GDPR expects you to do that can be complex. While no universal checklist exists, there are key aspects of the GDPR that apply to nearly every gambling company. We’ve summarized them for you.

As gambling is a heavily regulated industry, authorities are monitoring gambling companies’ every move. Any violation of the GDPR are likely to get noticed, resulting in penalties. At the same time, it’s in your company’s best interest to protect players’ privacy as their loyalty depends on your discretion and integrity. As is true of any framework, the GDPR legal framework for data protection and privacy leaves room for interpretation. More often than not, the answer to frequently asked GDPR questions is: it depends. The countries you operate in, the data you collect and the servers you use all play a role in your GDPR checklist. To get started, we have outlined key rules for data transfers and risk assessments and best practices for managing data breaches. By following these rules and guidelines, you can protect your company and your customers.

Meeting the GDPR’s rules for data transfers

Nearly all online gambling companies transfer data across borders. Customer data is sent to and stored in the cloud, powered by data centers located around the globe. The GDPR considers any data that leaves the EU a ‘data transfer’. Those data transfers are only permitted using a so-called transfer mechanism. The easiest way to know if your data transfer is permitted under the GDRP is to ask yourself the following questions:

1. Is my company transferring data to an approved country?
The European Commission lists all non-EU countries that have privacy laws in place that provide an ‘adequate level of protection’. This transfer mechanism is known as the Adequacy Decision. The most up-to-date list can be found on their website.
2. Does my company have Standard Contractual Clauses (SCCs) in place?
There are four SCCs, each of which are out-of-the-box contracts. You don’t need to draft them yourself. To use the SCC option, you need to conduct a Transfer Impact Assessment (TIA), used to identify the risks of the transfer for data subjects and determine what measures to take to mitigate those risks.

Putting the right contracts in place

In addition to following the GDPR rules for data transfers, it is important to have contracts in place with all parties you exchange data with. These contracts address the exchange of personal data to safeguard the privacy of your players. What type of contract you need depends on where you and your partners are located:
• You and your partners are located inside the European Economic Area (EEA): a simple Data Processing Agreement is sufficient. Templates are widely available.
• You’re located in the EU and your partner in the UK (or vice versa): data transfers between the EU and the UK are governed under both the GDPR and the UK GDPR’s Adequacy Decisions. All other data transfers require the UK GDPR’s version of SCCs: International Data Transfer Agreements (IDTAs).
• You’re located in the EU and the UK and your partner in a country that neither considers adequate, such as the United States of America. This requires the SCCs with a so-called UK Addendum attached. This way, both the GDPR and the UK GDPR are covered.

"By mapping your data processing activities, you gain insight into any risks and the actions to take to minimize those risks."

Performing a DPIA to identify and minimize risks

To protect sensitive data from ending up in the wrong hands, it’s important to identify and minimize the risks of your data processing activities. As a gambling company, it’s most likely even required. In addition to collecting personally identifiable information and payment information, many companies are legally required to run players’ information through a database of people who have been banned from gambling due to addiction. This type of information is considered a ‘high privacy risk’ for the individuals involved.

Any processing of any personal data that imposes a high privacy risk requires you to perform a Data Protection Impact Assessment (DPIA). The European Data Protection Board (EDPB) applies the following criteria for mandatory DPIAs:
1. Evaluating people based on personal characteristics
This includes the screening of players against a gambling addiction database and the use of their personal data for the purpose of profiling or predicting.
2. Automated decisions
The use of personal data to make decisions that have legal or otherwise significant consequences for people, such as exclusion or discrimination.
3. Systematic and large-scale monitoring
The monitoring of publicly accessible areas, for example using camera surveillance.
4. Sensitive data
The processing of any privacy-sensitive data, including criminal data, electronic communications data, location data, and financial data.
5. Large-scale data processing
The processing of large amounts of data, from many people, across a large geographical area, for an extended period of time.
6. Linked databases
The combining of otherwise unrelated databases in a way that the people whose data is being processed cannot reasonably expect.
7. Data on vulnerable persons
The processing of data from people who cannot freely give or refuse permission, such as children, patients, and employees.
8. Use of new technologies
The use of new technologies, which carries unknown yet significant privacy risks.
9. Blocking of any right, service, or contract
The processing of personal data to block persons from exercising a right, accessing a service, or entering into a contract

The DPIA should span the entire journey from input to output. It should include whose data is processed, what type of data is processed, how the data is secured, and which external parties are involved. By mapping your data processing activities, you gain insight into any risks and the actions to take to minimize those risks.

Establishing a data breach protocol to protect your customers and your company

While performing a DPIA minimizes risks, it does not eliminate them. That’s why it’s important to develop a data breach protocol. A data breach involves the unauthorized access to personal data, typically resulting from human error, a software vulnerability, or cybercrime. The consequences of a data breach can be devastating for the customer and the company.

A data breach protocol helps companies deal with the consequences of a data breach in a controlled manner. It outlines the steps your need to take to comply with the GDPR and minimize the impact. For example, it tells you if you’re required to report the data breach to the data protection authorities, to the people involved, or both within the 72-hour deadline. To get started, we’ve put together a step-by-step plan for creating a data breach protocol.

Get started

By assessing your company’s data processing activities against the rules for data transfers, conducting a Data Protection Impact Assessment (DPIA), and establishing a data breach protocol, your company has a strong foundation in place to remain GDPR compliant and to minimize data and privacy risks. Ready to take the next step? DPO Consultancy is there to help you check all the boxes so you can focus on growing your business.

A starters guide to provide GDPR compliant online gambling services
White paper
Privacy for Gambling
What the GDPR principles mean for companies in online gambling