Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content

Consultation response

Changes to information requirements in the LCCP, regulatory returns, official statistics, and related matters

Parts I and II of the consultation response that sets out our position in relation to the information the Gambling Commission requires licensees to provide us.

Contents


Proposal 10: Changes to licence condition 15.2.1 (reporting key events – gambling facilities)

Proposal

For key events concerning the provision of gambling facilities we proposed to:

  • reassign licence condition 15.2.1 (26), concerning reporting of Alternative Dispute Resolution (ADR) entities, from key events to 'other reportable events' under Licence condition 15.2.2
  • remove licence condition 15.2.1 (27) as we no longer need this information to be reported to us as a key event
  • update licence condition 15.2.1 (28) for remote gambling to put beyond doubt that we expect domains covered by ‘white label’ arrangements to be included in the reporting to us of the commencement or cessation of trading on website domains. This will improve our ability to monitor the licensee’s compliance across all website domains through which gambling is being offered in reliance on a Gambling Commission licence
  • amend the footnote for licence condition 15.2.1, to reinforce that key event submissions are to be made online via our eServices’ portal. This will enable us to capture and process key events faster and more efficiently.

Consultation question

Question 1.10. Do you agree with the proposed changes to the licence condition?

Respondents' views

Overall, respondents supported the proposal to reword our key events relating to information security (licence condition 15.2.1 (25a)). Some respondents preferred the explicitness of the original wording (for example 'for longer than 24 hours'), and viewed the new wording as open to interpretation (for example would we need to be notified of one minute of downtime during which customers could not access their accounts). Others commented that the existing wording is more aligned with reporting requirements for the Information Commissioner’s Office (ICO), in which the regulator only needed to be notified of instances that had an 'adverse impact' on the customer data.

It was suggested that the proposal to expand the requirement to all breaches that affect the confidentiality of customer data was disproportionate and burdensome; and is wider in scope than the requirements of the relevant legislation and guidelines on notifiable breaches issued by the ICO. One respondent sought clarity on what would constitute a 'licensee’s environment' and an acceptable amount of time for cyber-attacks that lasted beyond a 'licensee’s defined sustained period'.

Respondents welcomed our proposal to reassign key event 15.2.1 (26), concerning reporting of ADR entities, from key events to 'other reportable events' under licence condition 15.2.2. Respondents also agreed that the removal of key event 15.2.1 (27) will reduce regulatory burden and improve operational efficiency.

Respondents commented that the inclusion of domains covered by ‘white labels’ in the reporting to us of the commencement or cessation of trading on website domains reflected good practice.

There were no objections to our clarification that key events are to be reported to us via our eServices system, rather than by email or other means. A couple of respondents asked whether our eServices system would be updated with the revised set of key events. There was a suggestion that an ‘Other’ option be added to the available sub-categories for reporting of key events and another that the footnote relating to how key events are to be reported to us, be amended from 'Key events are to be reported' to 'Key events must be reported'.

Our position

We have considered comments received about the proposal to update our key event about information security (licence condition 15.2.1 (25a). We accept comments from licensees that the key event should be more explicit and less open to interpretation. Also, that if we focus it only on the reporting of breaches which cause adverse impacts, that this will be more proportionate, and risk based. We have revised the proposed wording in this light.

After the revised set of key events come into effect, we will update the eServices system reporting options in line with those. We will not add an ‘Other’ category for key events, as these are all explicitly defined, but we will do so for ‘other reportable events’.

If licensees do experience technical issues preventing them reporting key events to us via eServices within 5 days, they should capture evidence of the problems experienced and contact their Licensing Account Manager for assistance.

We will use the wording 'are to be reported' to us online via the eServices digital service, instead of 'must be reported', as this allows for exceptions to be made for accessibility reasons.

These changes will take effect from 31 October 2020. We will publish further guidance relating to the changes before that date. This will include updating our guidance on Notification of information security breaches (opens in new tab).

Final wording of amended licence condition 15.2.1 (Gambling facilities)

Gambling facilities

25a Any security breach to the licensee’s environment that adversely affects the confidentiality of customer data; or prevents the licensee's customers, staff, or legitimate users from accessing their accounts for longer than 12 hours.

25b [No change]

26 [Removed and renumbered]

27 [Removed and renumbered]

28 In the case of remote gambling, the commencement or cessation of trading on website domains (including mobile sites or mobile device applications) or broadcast media through which the licensee provides gambling facilities (including domains covered by ‘white label’ arrangements).

In this condition: ‘body corporate’ has the meaning ascribed to that term by section 1173 of the Companies Act 2006 or any statutory modification or re-enactment thereof:

  • a. in respect of a company, ‘holding company’ and ‘subsidiary’ have the meaning ascribed to that term by section 1159 of the Companies Act 2006 or any statutory modification or re-enactment thereof
  • b. a ‘group company’ is any subsidiary or holding company of the licensee and any subsidiary of such holding company
Previous section
Proposal 9: Changes to licence condition 15.2.1 (reporting key events - legal or regulatory proceedings or reports)
Next section
Proposal 11: Changes to licence condition 15.2.2 (other reportable events)
Is this page useful?
Back to top