What the GDPR principles mean for companies in online gambling
Claudia Arrigoni - Consultant and Data Protection Officer

If you’ve familiarized yourself with the seven principles of the EU General Data Protection Regulation (GDPR), but question how to apply them to your online gambling company, there’s help on the way. A new Code of Conduct sets out specific rules for data protection and privacy management in online gambling, helping you to protect your company and your players.

In 2020, the EDPB (European Data Protection Board), responsible for the consistent application of the GDPR, published a draft Code of Conduct (the Code) for online gambling companies. This Code goes beyond the GDPR and into data processing activities that are specific to online gambling, such as using personal data to combat problem gambling. While the Code hasn’t been adopted yet, the time to act is now. The draft is perhaps the clearest how-to-guide to GDPR compliance there is. More importantly, following the EDPB’s best practices helps you protect your business and your players.


What you need

The Code requires online gambling companies to establish a compliance framework to deliver on the following obligations:

• You must be able to identify and understand the personal data that you are processing.
• You must ensure that your data processing activities comply with applicable laws and regulations.
• You must be able to account for and document compliance activities.

A compliance framework consists of the following components:

1. Data mapping
Data mapping helps you gain a comprehensive picture of your data processing activities. Your data map needs to specify what personal data you’re processing, what the source of that data was, where it is stored, how it flows through your organization, and for what purpose it is used. It’s up to you how to conduct the data mapping process and how to structure the information. Whichever format you use – a diagram, spreadsheet, template or other format – there are some requirements to keep in mind:

1. The data map records personal data at a field level. For example, the recording of a player’s postal address should be stored line by line, rather than as one continuous block of text. You register each line as a separate field.

2. The data map specifies every occurrence of personal data. If a player’s email address, for example, resides in multiple databases, spreadsheets, and other documents, you must register each location.

3. Personal data that is encoded or held in encrypted files is included.

4. The data map makes it possible to easily (within 24 hours) identify where/in what system(s) personal data is located.

5. It captures the entire lifecycle of personal data from creation or collection through corporate use to eventual deletion. This typically takes the form of a process flow map. It should specify where personal data has been added or enriched throughout its lifecycle.

2. Lawful processing analysis
Now that you’ve established your data map, it’s time to test your processing activities against the seven principles of the GDPR. To determine whether you’re adhering to the first principle of lawfulness, fairness and transparency, the Code prescribes a Lawful Processing Analysis. It requires you to consider the legal basis for each data processing activity in your data map. If your company is operating internationally, the laws of each area you’re active in must be considered. The analysis also serves as a foundation for writing and updating your GDPR-compliant privacy policy.

"By treating the compliance framework not just as another to-do on your list, but as a strategic tool, you can rest assured that you're acting within the boundaries of the GDPR, strengthen the trust of your players in your company and turn compliance into a competitive advantage."

3. Risk assessment
A risk assessment tests your processing activities against the principles of purpose limitation, data minimization, storage limitation, and integrity and confidentiality. It is intended to safeguard players’ right to privacy. Again, the data map serves as the foundation for your assessment. For each processing activity, you should evaluate whether it is necessary and appropriate. If you discover that the personal data you’re processing is disproportionate or is stored in an inappropriate location, you must securely move or destroy the data. It is also important to investigate why the data was processed in the first place. Does your company have policies or processes in place that lead to the unnecessary or inappropriate collection of data? In that case, it’s likely that moving or destroying the data is just a temporary fix. By conducting a root cause analysis, you can understand the underlying causes and prevent recurrence.

4. Documentation
Finally, the Code requires you to create and maintain documentation that demonstrates your compliance with the GDPR principle of accountability. Accountability means that you take responsibility for what you do with your players’ personal data. The data mapping exercise, lawful processing analysis and the risk assessment ensure that your company is taking all the necessary steps to protect unauthorized access to players’ data. The authorities will want to review the documentation that came out of these exercises. In addition, they will want to know that you’re treating compliance as an ongoing responsibility, not a one-time thing. That’s why your compliance framework should include the following:

• The data maps that you’ve created.
• A record of processing activities per Art. 30 of the GDPR, which your supervising authority will expect to see.
• A policy document specifying your company’s approach to overseeing and controlling its data processing activities and to reviewing and maintaining the data map and record of processing activities.
• A policy document specifying the involvement of the Data Protection Officer (DPO) in any activities related to the processing or flow of personal data. This includes explanations of any methodologies or concepts they have implemented, such as privacy by design.

Being accountable also means to regularly review and authorize these documents. The authorities will expect you to have processes in place to ensure continued compliance with the Code. These must include periodic internal or external audits. Any changes to your compliance framework documentation must be tracked using version control.


Ongoing commitment

There’s a reason why the EBDP created a Code of Conduct and not just another set of requirements. Conduct implies an ongoing commitment to compliance. It involves embedding data protection and privacy management in your strategic decisions and your daily activities. Conduct is also rooted in values. In online gambling, integrity and the respect for players’ right to privacy are key values. Your company’s success depends on them. By treating the compliance framework not just as another to-do on your list, but as a strategic tool, you can rest assured that you’re acting within the boundaries of the GDPR, strengthen the trust of your players in your company and turn compliance into a competitive advantage.

A starters guide to provide GDPR compliant online gambling services
White paper
Three key aspects of the GDPR for gambling companies
Step-by-step data breach protocol