Regulation (EU) 2016/679 (better known as the General European Data Protection Regulation or GDPR) replaces existing data protection legislation in Europe and will come into force in all member states on 25 May 2018. There will be no grace period so it is important that all betting and gaming organisations (including B2Bs) have considered the impact it will have on their business.
GDPR is not a complete overhaul of data protection and will retain many of the same concepts and principles. Best practice under the existing legislation has, to a large degree, been codified in the GDPR so that those organisations with good data protection practices and policies will have a head start in achieving compliance with GDPR. Of course, GDPR will bring in new measures that even the most conscientious businesses will need to consider, particularly in relation to a data subject’s right to portability and also in relation to maintaining records of data processing. In addition, data processing agreements, of which gambling businesses will have many, will need to be reviewed to ensure that all provisions set out in Article 28 of the GDPR are included.
For businesses that have taken a less proactive approach to data protection in the past, compliance with the GDPR will require significant time and consideration. The GDPR introduces a principle of accountability, which requires data controllers (and data processors) to be able to demonstrate that they are acting in accordance with the new law. Our suggested approach is for businesses to undertake a gap analysis to identify those areas of non-compliance. This should include looking at records of processing, retention periods, privacy policies, data processing agreements, reliance on processing in accordance with legitimate interests, staff training and notification procedures in the event of a breach. These are, of course, non-exhaustive but highlight the scope of the changes that the GDPR will bring in.
Of particular note are the notification procedures set out in the GDPR. The gambling industry remains a target for cyber criminals seeking to extract valuable data from IT systems. In the event of a data breach, an organisation will need to act fast and consider the appropriate course of action owed to regulators and customers. The assessment of whether there is an obligation to notify the ICO, the Commission or the customers can be less than straightforward and will depend on the facts. However, it must not be forgotten in the rush to stop the breach.
Finally, a quick note on ‘Brexit’. The GDPR is EU legislation, but it applies to those based in the EU and to those offering products or services to EU citizens. Furthermore, the UK will very likely implement similar legislation to the GDPR upon leaving the EU. As such, businesses are advised to proceed on the basis that the GDPR will be in effect from 25 May 2018 and prepare now for its implementation.