Gambling Commission issues guidance on GDPR

Last week the UK Gambling Commission released an information note on GDPR and how it will impact the gambling industry.  The note is very informative and practical and is we recommend it is digested by all those in the industry.

The headline of the note is that GDPR and gambling regulatory responsibilities are not mutually exclusive, and that using GDPR as an excuse not to comply with licence conditions, promote socially responsible gambling, and promote the licensing objectives, will not be valid.

Specifically, the Commission confirms that GDPR will still permit operators to process lawfully personal data in relation to:

  • AML and self-exclusion
  • Obtaining, retaining and using data for other social responsibility purposes
  • Sharing of data on suspected illegality (such as match-fixing, doping or fraud)

Operators (and all processors related to gambling) will always need to consider its processing of personal data and on which lawful basis it will be permitted.  Information about a person’s health, criminal record or other special categories of personal data will need to be given additional consideration, but ultimately GDPR should not prohibit these forms of processing.

Perhaps of most interest are the Commission’s comments on data subject rights and retention.  On the right of erasure and the right to prevent decisions being made solely based on the automated processing of data, the Commission (correctly, in our view) points out that these rights are not always absolute and that compliance with gambling regulatory requirements may override these rights (at least in part).  On retention, the Commission states that “licensees should ensure that data which relates in any way to regulatory compliance should be available for a minimum period of five years after the end of a relationship with a customer.”  The unambiguity of these views will be welcomed by many as they continue to wrestle with GDPR compliance.

Finally, the Commission reiterates its concerns around direct marketing in the gambling sector.  Gambling marketing receives   amongst the most complaints to the ICO and therefore all operators should review the specific rules set out in Regulation 22 of The Privacy and Electronic Communications 9EC Directive) Regulations 2003 as well as keep an eye on the upcoming ePrivacy Regulation.

The UK Gambling Commission’s Information Note on GDPR can be read here.