Policy
Data Protection Policy
The Data Protection Policy for the Gambling Commission.
3 - Scope
3.1. The UK General Data Protection Regulation (GDPR) definition of “personal data” includes any information relating to an identified or identifiable natural living person”.
3.2. Pseudonymised personal data is covered by the legislation, however anonymised data is not regulated by the UK GDPR or Data Protection Act 2018, providing the anonymisation has not been done in a reversible way.
3.3. Some personal data is more sensitive and is afforded more protection, this is information related to:
- race or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric ID data
- health data
- sexual life and/or sexual orientation
- criminal data (convictions and offences).
3.4. This policy applies to all processing of personal data carried out by the Gambling Commission including processing carried out by joint controllers, contractors, and processors regardless of the media on which that data is stored.
3.5. The Commission shall ensure that appropriate contractual controls are in place when engaging the services of a third party through our procurement processes.
3.6. The Commission shall follow best practice when implementing technical controls to keep personal information secure. Technical controls shall be implemented as part of Microsoft best practice including having Multi Factor Authentication (MFA) to access Commission systems.
3.7. The Commission are audited against standards frequently in the form of IT health checks which we use to confirm our controls are effective.
3.8. The Commission shall manage data breach notification and response in line with the incident management policy and procedure.
3.9. The requirements set out in this policy apply to all employees, workers, contractors, agency workers, consultants, Commissioners, and Expert Group members.
Previous section2. Policy statement - Data Protection Policy Next section
4. Roles and responsibilities - Data Protection Policy
Last updated: 20 March 2025
Show updates to this content
No changes to show.