What are the Implications of GDPR for Gambling Companies?

The introduction of the General Data Protection Regulations (GDPR) may have significant impact on companies involved in gambling and betting.

Gambling companies rely on collecting and processing personal data in order to provide players with a tailored gaming experience. They consider personal preferences when deciding on which offers and bonuses to provide. This may be to do with their favorite teams or sports leagues, for example.

They also need to collect and use financial information in order to enable customers to deposit and withdraw money between their gaming accounts and their bank accounts.

When the GDPR comes into force on May 25, 2018, all gambling companies that process data relating to customers who reside within the EU will need to comply with the new standards set down in the regulation.

The Difference that Data Portability will Make

One of the biggest changes for gambling companies when it comes to GDPR compliance is data portability, explained in Article 20. The GDPR introduces measures to allow customers to request copies of the data concerning them that is held by organizations and gives them the right to provide this data to other entities.

This means that not only do customers have the right to request details of personal data held, they can also ask for data to be transferred to another company. This only applies to data that has been gathered with the consent of an individual and that has been automatically processed.

This could lead to a situation where Gambling Company A is required to transfer the customer data relating to a particular client to Gambling Company B, should the client request this to be done. 

In order to satisfy this requirement, gambling companies will need to implement a system to allow all of the data related to each individual player to be collected and shared efficiently, or they risk creating a situation where they will be caught tying up employee time trying to track down customer data in the event of a transfer.

A similar system, or the same one, will be required should clients exercise their right to be forgotten by requesting that their data be deleted. If the relevant EU and national laws do not require certain data to be retained, then the data must be erased.

Other GDPR concerns for Gambling Companies

Data portability is not the only thing that gambling companies need to think about once GDPR becomes a reality. They also need to think about the following issues:

  • Demonstrating compliance – all companies will need to be able to prove that they are complying with the GDPR. This means keeping records of issues such as consent. Consent must be examined in line with the new definition given in the GDPR or companies risk committing violations.
  • Each EU member state will have a different Lead Supervisory Authority. This means that some gambling companies may have to report to more than one Authority.
  • Most companies that deal with large scale data processing will need to appoint a data protection officer (DPO) who needs to have a high level of expertise in the area and be impartial. Data audits, risk assessments, and other data protection subjects should be handled in conjunction with this person.

Given all of these factors, you can see that the introduction of GDPR could have a significant impact on gambling companies. This means that it is vital for them to be well prepared.