General Data Protection Regulation (GDPR)
On 25 May 2018 there will be new data protection legislation in force, both in the UK and across the EU - the General Data Protection Regulation (GDPR).
GDPR is an evolution in personal data protection. It demands more of organisations in terms of accountability for their use of personal data, and adds to the existing rights of individuals.
It creates an onus on companies to understand the risks that they create for others, and to ensure they are mitigating those risks.
But it is not a total revolution - GDPR is building on foundations of data protection law which have already been in place for the last 20 years. Many of the fundamentals remain the same. Fairness, transparency, accuracy, security and respect for the rights of the individual whose data a business wants to process – these are all things that businesses should already be doing with data. GDPR seeks to build on those principles.
In the UK, the Information Commissioner’s Office (ICO) is responsible for regulating the legislation, and issuing guidance on it.
Both the Gambling Commission and the ICO recognise that effective use of personal data is important to tackle issues such as problem gambling, and gambling-associated crime. GDPR is not intended to prevent operators from taking steps which are necessary in the public interest, or are necessary to comply with legal obligations. Accordingly, we do not expect you to suddenly stop doing what you are doing for these purposes.
Whilst it will remain your responsibility to ensure you are legally compliant with the GDPR, we wish to offer assistance and support to help you comply both with the GDPR and with our regulatory framework.
Complying with GDPR
GDPR introduces a number of changes to existing data protection legislation. These changes include improvements to the way businesses must manage personal data, and new rights for people to access and challenge the data businesses hold about them.
You are likely to need to take advice on how to achieve compliance with GDPR.
In doing so, operators and their advisers will want to review guidance published by the ICO. We also expect you to take into account any guidance we publish which relates to the need to obtain and effectively use data for the purposes of complying with licence requirements and achieving the licensing objectives.
The ICO has also published a series of blogs which are intended to address some of the myths about GDPR compliance.
The meaning of ‘consent’
Consent is one lawful basis for processing of personal data. Genuine consent should put individuals in control, build customer trust and engagement, and enhance your reputation. But relying on inappropriate or invalid consent could destroy trust and harm your reputation.
Under GDPR, an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
GDPR gives a specific right to withdraw consent. If you are relying on consent you will need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
The rules around consent only apply to the extent that a business relies on consent as a basis to process personal data. One GDPR myth identified by the ICO in its series of blogs is that “data can only be processed if an organisation has explicit consent to do so”. This is not correct. The new law provides five other lawful bases for processing data – and in the context of the personal data needed to comply with gambling regulation, these other lawful bases may be more appropriate than consent.
Legitimate purposes for processing data
GDPR provides for a number of lawful circumstances which are designed to allow processing of personal data. As well as consent, these include:
- processing is necessary for compliance with a legal obligation to which the data controller is subject
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for the performance of a task carried out in the public interest
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).
Consent may be the most appropriate lawful basis for some uses of personal data (for instance, where you wish to use data for sending direct marketing by email or SMS), but not for other applications (for instance, data obtained and used to comply with obligations under your licence).
Gathering data to prevent money laundering and combat problem gambling
Providing facilities for gambling otherwise than in accordance with the terms and conditions of a licence is a criminal offence. It would also mean that your licence could be revoked. We expect you to be able to evidence that you have complied fully with your licence conditions.
For instance, operating licences contain conditions which require operators to put into effect procedures to allow for self-exclusion, to prevent money laundering, and to combat problem gambling. It will be necessary for operators to obtain and process personal data in order to comply with these requirements. It will also be necessary for operators to securely retain data for a reasonable period in order to evidence compliance to the Gambling Commission in the event of an investigation.
You should give consideration to this when determining whether you have an ongoing legitimate purpose for obtaining, processing and retaining personal data.
Exemptions to GDPR
Whilst you will never be entirely exempt from compliance with GDPR, you should give careful consideration to whether GDPR actually prevents particular uses of data. It is likely to be necessary to consider the legislation carefully to see whether there is an authorisation for the proposed data processing.
Further conditions which may specifically permit certain processing activities (such as for the purposes of integrity in sports) are to be included in the implementing UK legislation (the Data Protection Bill).
In addition, many of the data subject rights are only available subject to certain conditions. GDPR allows these rights to be restricted in certain circumstances. Restrictions will also be included in the Data Protection Bill, and are likely to be broadly equivalent to the exemptions within the current Data Protection Act 1998.
Right to erasure
Under GDPR, data subjects have the right to request that their personal data (including data which may be relevant to regulatory compliance) is erased.
However, this ‘right to erasure’ is not unrestricted. In particular, you may not need to comply with such requests if retention of the data is still necessary in relation to an identified lawful basis.
ICO guidance for the gambling industry
We understand that the ICO will be issuing general guidance on a wide variety of GDPR topics. However, we are unaware of any plans to issue sector-specific guidance.
Working with the ICO
Where genuine concerns are raised with us, we will seek to work with the ICO and with industry to resolve them. However, if there are concerns, we would expect operators to have first carefully considered all available legal bases and exemptions which may allow the specific activity.
If you have any queries regarding GDPR, you can contact us.