
Policy

Data Protection Policy

The Data Protection Policy for the Gambling Commission.


3 - Scope

3.1. The UK General Data Protection Regulation (GDPR) definition of “personal data” includes any information relating to an identified or identifiable natural living person.

3.2. Pseudonymised personal data is covered by the legislation; however, anonymised data is not regulated by the UK GDPR or Data Protection Act 2018, provided the anonymisation has not been done in a reversible way.

3.3. Some personal data is more sensitive and is afforded more protection. This is information related to:

  • race or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric ID data
  • health data
  • sexual life and/or sexual orientation
  • criminal data (convictions and offences).

3.4. This policy applies to all processing of personal data carried out by the Gambling Commission including processing carried out by joint controllers, contractors, and processors regardless of the media on which that data is stored.

3.5. The Commission shall ensure that appropriate contractual controls are in place when engaging the services of a third party through our procurement processes.

3.6. The Commission shall follow best practice when implementing technical controls to keep personal information secure. Technical controls shall be implemented as part of Microsoft best practice including having Multi Factor Authentication (MFA) to access Commission systems.

3.7. The Commission are audited against standards frequently in the form of IT health checks which we use to confirm our controls are effective.

3.8. The Commission shall manage data breach notification and response in line with the incident management policy and procedure.

3.9. The requirements set out in this policy apply to all employees, workers, contractors, agency workers, consultants, Commissioners, and Expert Group members.
