Gambling regulation and the General Data Protection Regulation (GDPR)
On 25 May 2018, there will be new data protection legislation in force, both in the UK and across the EU - the General Data Protection Regulation (GDPR).
GDPR is an evolution in data protection. It demands more of organisations in terms of accountability for their use of personal data, and adds to the existing rights of individuals. It creates an onus on companies to understand the risks that they create for others, and to ensure they are mitigating those risks. But it is not a total revolution - GDPR is building on foundations which have already been in place for the last 20 years. Many of the fundamentals remain the same. Fairness, transparency, accuracy, security, data minimisation and respect for the rights of the individual whose data a business wants to process – these are all things that businesses should already be doing with data. GDPR seeks to build on those principles.
The Information Commissioner’s Office (ICO) is responsible for the regulation of the legislation, and issuing guidance on it. More information on GDPR and its regulation in the UK is available on the ICO's website.
Some have expressed concerns to the Gambling Commission that GDPR will affect what actions they can take to tackle issues such as problem gambling, and gambling-associated crime.
We take the view that GDPR is not intended to prevent operators from taking steps which are necessary in the public interest, or are necessary to comply with regulatory requirements under a gambling licence. GDPR should not be improperly used as an excuse to avoid taking steps which enable compliance with licence conditions, promote socially responsible gambling, and promote the licensing objectives.
Where licensees have genuine well-founded concerns about GDPR, we are committed to working with industry to get the right outcome - one that safeguards personal data whilst also promoting the licensing objectives.
Whilst this document does not constitute legal advice, it will assist gambling businesses by setting out some factors they should consider when assessing their processing of personal data. It also sets out our expectations on retention of information obtained for the purposes of fulfilling those obligations. It will remain licensees’ responsibility to ensure they are legally compliant with GDPR and with our regulatory framework, and we recommend that operators obtain their own legal advice on compliance.
This document may be updated from time to time in accordance with legal developments, including the finalisation of the Data Protection Bill.
General approach of the Commission to compliance
Personal data processing
Processing of personal data will continue to be required in order to achieve compliance with a gambling licence. Providing facilities for gambling otherwise than in accordance with the terms and conditions of a licence is a criminal offence. It would also mean that operators may be fined, and their licence could be revoked. We expect licensees to continue to be able to evidence that they have complied fully with their licence conditions.
We have been working closely with the ICO to ensure that the way in which licensees are interpreting and implementing GDPR does not conflict with the requirements of gambling regulation[1].
The ICO produced a series of blogs to bust myths about GDPR. One example of this is the myth that “data can only be processed if an organisation has explicit consent to do so”. The rules around consent only apply if a business is relying on consent as its basis to process personal data. Consent is one way to comply with GDPR, but the new law provides five other ways of processing data that may be more appropriate than consent. For processing to be lawful under GDPR, you simply need to identify at least one lawful basis before you start (though more than one basis may potentially apply).
So in common with the previous legislation, there has been a recognition that consent will not always be the appropriate basis for data processing. For example, it is likely to be acceptable for personal data to be processed where a licence obligation requires it. This may be the case even where the need to process data in this way is not specifically set out by a licence condition, if the processing is realistically necessary in order to achieve the aim of the condition[2].
GDPR provides for a number of lawful circumstances which are designed to allow legitimate processing in circumstances where it may be not practical to acquire consent, and to ensure that public policy objectives (such as the reduction of problem gambling) are met. As well as consent, these include:
i. the processing is necessary[3] for compliance with a legal obligation to which the controller is subject
ii. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
iii. the processing is necessary for the performance of a task carried out in the public interest[4]
iv. the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data)[5].
Licensees should note that more than one of the above bases may apply to some of the personal data they obtain (for instance, data obtained to ensure operators know their customers).
There are additional requirements where the personal data which is to be processed constitutes “special category” data, or data relating to criminal convictions and offences. We anticipate that the majority of data which licensees process for regulatory purposes (such as data on customer transactions) will not be special category data.
Where processing of special category data or criminal offence data is required for the purposes of compliance with their licence obligations, licensees will wish to identify a legal basis which allows such processing. In addition to the permissible legal bases set out in GDPR, further permissible legal bases for processing are included in Schedule 1 of the implementing UK legislation (the Data Protection Bill) currently going through Parliament. For example, these include conditions which permit processing by non-government bodies of data about criminal activity where the processing must necessarily be carried out without the data subject’s consent, is necessary for reasons of substantial public interest, and either:
i. is necessary for the purposes of the prevention or detection of an unlawful act
ii. is necessary for the exercise of a protective function (such as protecting members of the public against dishonesty, malpractice or other seriously improper conduct).
The Bill also includes a condition which allows processing of special category data where an individual is at risk and the processing is necessary for the purposes of protecting the mental or emotional well-being of an individual.
Licensees will wish to take steps to ensure they can demonstrate that, for each type of processing, they meet the relevant tests of the identified basis.
Data subject rights
GDPR gives data subjects certain qualified rights in relation to their data, such as the “right to erasure” and “the right to prevent decisions being made solely based on the automated processing of data”. Data controllers should be aware of these rights, and make an assessment of the circumstances in which they do and do not apply. For example, such rights may not apply where their exercise conflicts with important regulatory objectives (such as the refusal of service to underage gamblers). Relevant considerations here may include:
i. The right to erasure is restricted where processing is still necessary in relation to one of the permitted purposes - for instance, compliance with a legal obligation, performance of a contract, or for the performance of a task carried out in the public interest.
ii. The right to prevent decisions being made solely based on the automated processing of data will not apply:
1. Where decisions are not made solely on this basis i.e. there is some human intervention
2. If the decision making is based on the data subject’s explicit consent
3. If the decision is one which is authorised by law to which the controller is subject.
Licensees should also consider whether any other exemptions to data subject rights (such as those set out in Schedule 2 of the draft Bill) may apply. In particular, licensees should have regard to their role in preventing crime (including money laundering offences and cheating at gambling) and consider to what extent this objective would be likely to be prejudiced by a request to erase data or restrict processing of personal data, for example.
In addition to identifying a lawful basis for processing, operators will need to comply with other aspects of GDPR, such as any applicable requirements for transparency with data subjects, and safeguarding of personal data.
We do not anticipate that the need for such measures will cause a significant barrier to complying with gambling regulation. Indeed, being transparent with consumers at the outset (including informing them that their data may be passed to regulators when requested) may assist businesses to answer subsequent queries about the retention and use of their personal data for regulatory and public interest purposes. Thorough consideration of transparency requirements will also assist data subjects, and assist data controllers to demonstrate compliance with obligations relating to accountability.
The ICO is continuing to produce guidance to assist businesses in complying with their GDPR obligations. This includes guidance on the available lawful bases. We recommend that licensees have regard to that guidance, as it will assist them to assess the best way of achieving their regulatory requirements under their licence and also meet obligations under data protection law.
We will not accept licensees simply stating that GDPR means that they are unable to comply with an aspect of gambling regulation, or otherwise take certain steps to protect the public interest.
Where genuine concerns, based on a careful and thorough analysis of GDPR and Commission regulation, are raised with us we will work with industry and the ICO to resolve them. However, if an operator thinks that this might be the case, we would expect them first to have carefully considered all available legal bases and exemptions which may allow the specific activity. Documenting the consideration of the processing will assist in meeting requirements regarding accountability and documentation.
Whilst it will remain the responsibility of licensees to ensure they are legally compliant with GDPR, we are committed to offering assistance and support to help ensure that the licensing objectives and regulatory framework are upheld, and not prejudiced by the way operators interpret and implement compliance with their data protection obligations.
Retention of data
GDPR does not substantially alter the principles behind the development of policies for data retention. Licensees should already have assessed how long to retain data for, bearing in mind the legitimate purposes for which it was gathered and has been retained.
Under GDPR, data subjects may request that their personal data (including data which may be relevant to regulatory compliance) is erased. However, this right is not unrestricted. In particular, such requests are unlikely to be valid if retention of the data is still necessary in relation to a lawful purpose.
Where data which is relevant to a licensee’s compliance with the regulatory regime has been obtained, licensees should have regard to the fact that we may wish to investigate whether a licensee has complied with their obligations. In some cases (for instance, where we are investigating a licensee’s compliance with its social responsibility and anti-money laundering requirements as a result of a gambler stealing funds for gambling over a prolonged period of time), this may involve requesting account data which goes back a substantial period. Licensees should ensure that their retention policies ensure that such data will be available to the Commission if requested[6].
Based on our experience of investigations to date, licensees should ensure that data which relates in any way to regulatory compliance should be available for a minimum period of five years after the end of a relationship with a customer.
Specific scenarios considered
We have been provided with a number of scenarios in respect of which industry has expressed concern that GDPR will prevent them from processing personal data needed to comply with licence conditions and further the licensing objectives. We comment on a few of the following areas, in order to illustrate the approach licensees should take when considering such issues.
Self-exclusion and anti-money laundering
i. Licensees should consider the requirements of their licence (for example, those requirements included at Annex A). As licensees must achieve these outcomes, licensees should:
1. consider what personal data should be processed to achieve these outcomes
2. consider which of the permitted lawful bases for processing may apply to such processing
ii. As well as for compliance in relation to specific accounts, licensees may need to collate other personal data (such as data on changing customer demographics) in order to formulate effective policies, procedures and controls in these areas (and other areas) - see for example Licence condition 12.1.1.
iii. Licensees should also consider to what extent data subject rights, such as the right to erasure and right not to be subject to automated decision-making, may not apply given the relevant lawful basis.
iv. Licensees should consider what retention period is necessary for any data obtained and processed for self-exclusion or anti-money laundering purposes (whether also obtained for other purposes). Operators should take into account that we may need to obtain such data even after an account has closed in order to establish whether or not a licensee has complied with its regulatory obligations.
Obtaining, retaining and using data for other social responsibility purposes
i. Licensees gather and retain personal information on customers in order to enable them to enter into and perform contracts, whilst taking into account their regulatory obligations. In common with other sectors we anticipate that licensees will continue to do so.
ii. Our licence conditions and codes of practice require operators, at the account opening stage and thereafter, to:
1. continue to obtain and retain information which is sufficient to satisfy them that underage gambling is not taking place
2. continue to obtain and retain information to enable them to comply with SR 3.4.1 in relation to identification of problem gambling, which requires operators to "use… all relevant sources of information to ensure effective decision making"
Licensees are expected to continue to obtain and analyse data for the purposes of ensuring that their social responsibility policies and procedures are fit for purpose, taking into account the state of the art and currently available techniques for identifying and minimising problem gambling.
iii. Licensees should also consider to what extent data subject rights, such as the right to erasure and right not to be subject to automated decision-making, may not apply given the relevant lawful basis.
iv. Licensees should consider what retention period is necessary for any data which is obtained and processed for these purposes (whether also obtained for other purposes), noting that we may need to obtain such data even after an account has closed in order to establish whether or not a licensee has complied with its regulatory obligations.
Sharing of data on suspected illegality (such as match-fixing, doping or fraud)
i. Licensees should consider whether processing of such data is for a permissible purpose, such as it being necessary in the public interest and/or a regulatory requirement. See Annex A for more information.
ii. Although Article 10 of GDPR provides that, usually, processing of personal data relating to criminal convictions and offences shall only be carried out under the control of official authority, there are exceptions to this. The Bill includes conditions that allow processing to be carried out without the data subject’s consent, if necessary for reasons of substantial public interest, and either:
1. necessary for the purposes of the prevention or detection of an unlawful act
2. necessary for the exercise of a protective function (such as protecting members of the public against dishonesty, malpractice or other seriously improper conduct).
iii. Licensees should also note that there is a specific condition (at Schedule 1 para. 23) of the Bill to allow processing for the purposes of eliminating doping in sport, and a specific condition (at Schedule 1 para. 24) to allow processing designed to protect the integrity of a sport or sporting event.
Marketing to consumers
Separately, concerns have been raised about the volume of unsolicited direct e-marketing (predominantly via email and SMS) for gambling products which consumers receive. Such marketing is not undertaken in the public interest or to comply with regulation, but is done in order to sell a product. The ICO report that the gambling sector is one of the most complained about sectors in this respect. We, along with the ICO, are concerned about consumers receiving such direct marketing without their genuine consent.
Licensees should ensure they are compliant with the law in relation to direct marketing, in particular the Privacy and Electronic Communications Regulations (and the ePrivacy Regulation which is due to be implemented shortly). Licensees should satisfy themselves that anyone they contract with in relation to direct marketing holds the appropriate consents from consumers for marketing of the licensees’ products. Ongoing failure to ensure compliance may result in regulatory action.
[1] We expect operators to take into consideration the Gambling Commission’s views expressed in this document. However operators should be aware that the Gambling Commission cannot provide any definitive ruling on the interpretation of the GDPR, and the ICO will address any issues on a case by case basis.
[2] Note that in respect of special category personal data, a further specific basis for processing would also be required.
[3] ‘Necessary’ in the context of such exemptions typically means “more than desirable but less than indispensable or absolute necessity.” This test may involve the consideration of alternative measures which would also sufficiently achieve the legitimate aim in question.
[4] Use of this basis is not limited to public bodies.
[5] We recommend that licensees refer to the guidance published by the ICO on use of this basis.
[6] Additionally, some licensees will be subject to specific statutory requirements to retain relevant data, under the Money Laundering Regulations 2017 for example.
Social responsibility code 3.1.1 – Socially Responsible Gambling
Licensees must have and put into effect policies and procedures intended to promote socially responsible gambling, including the specific policies and procedures required by the provisions of section 3 of this code.
Social responsibility codes 3.5.1 and 3.5.3 – Self-Exclusion
1 Licensees must have and put into effect procedures for self-exclusion and take all reasonable steps to refuse service or to otherwise prevent an individual who has entered a self-exclusion agreement from participating in gambling.
2 Licensees must, as soon as practicable, take all reasonable steps to prevent any marketing material being sent to a self-excluded customer.
6 Licensees must put into effect procedures designed to ensure that an individual who has self-excluded cannot gain access to gambling. These procedures must include … a register of those excluded with appropriate records …
Licence Condition 12.1.1 – Anti-Money Laundering
1 Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic, or any other material changes, and in any event reviewed at least annually.
2 Licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.
3 Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.
Social responsibility code 3.4.1 – Problem gambling
Licensees must put into effect policies and procedures for customer interaction where they have concerns that a customer’s behaviour may indicate problem gambling, including:
e. Specific provision for making use of all relevant sources of information to ensure effective decision making, and to guide and deliver effective customer interactions, including in particular:
i provision to identify at risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling: this should be by reference to indicators such as time or money spent.
ii specific provision in relation to customers designated by the licensee as ‘high value’, ‘VIP’ or equivalent.
Licence Condition 15.1.1 – Reporting suspicion of offences etc – non-betting licences
1 Licensees must as soon as reasonably practicable provide the Commission or ensure that the Commission is provided with any information that they know relates to or suspect may relate to the commission of an offence under the Act, including an offence resulting from a breach of a licence condition or a code provision having the effect of a licence condition.
Licence Condition 15.1.2 – Reporting suspicion of offences etc – betting licences
1 Licensees must as soon as reasonably practicable provide the Commission or ensure the Commission is provided with any information from whatever source that they:
a know relates to or suspect may relate to the commission of an offence under the Act, including an offence resulting from a breach of a licence condition or a code provision having the effect of a licence condition
b suspect may lead the Commission to consider making an order to void a bet.
2 Licensees who accept bets, or facilitate the making or acceptance of bets between others, on the outcome of horse races or other sporting events governed by one of the sport governing bodies for the time being included in Part 3 of Schedule 6 to the Act must also provide the relevant sport governing body with sufficient information to conduct an effective investigation if the licensee suspects that they have any information from whatever source that may:
a lead the Commission to consider making an order to void a bet
b relate to a breach of a rule on betting applied by that sport governing body.
Licence Condition 15.3.1 – Information provision
Licensees are required to provide the Commission on request with such information as the Commission may require about the use made of facilities provided in accordance with the licence, including … the licensee’s policies in relation to, and experiences of, problem gambling.
Licence Condition 2.3.1 – Technical standards
Licensees must comply with the Commission’s technical standards and with requirements set by the Commission relating to the timing and procedures for testing.
For example, remote gambling and software technical standard 11 requires licensees to implement measures intended to deter, prevent, and detect collusion and cheating. Gambling systems must retain a record of relevant activities to facilitate investigation and be capable of suspending or disabling player accounts or player sessions. Operators must monitor the effectiveness of their policies and procedures.