Data Protection Policy

The Data Protection Policy for the Gambling Commission.

Published: 20 March 2025

Last updated: 20 March 2025

This version was printed or saved on: 2 May 2025

Online version: https://www.gamblingcommission.gov.uk/policy/data-protection-policy

Introduction

1.1. This Data Protection Policy sets out how the Gambling Commission will ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), and explains the roles and responsibilities relevant to internal compliance and how this will be monitored.

Policy statement

2.1. This policy provides a framework for ensuring the Gambling Commission meets its obligations under the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.

2.2. The Commission is committed to transparent, lawful, fair and proportionate processing of personal data. This includes all personal data we process about the public, licensees, staff or those who work or interact with us.

2.3. The Commission complies with the 6 principles of Data Protection legislation that require that personal data is:

2.4. To evidence our compliance with the above principles we shall put in place appropriate and effective measures to make sure we comply with data protection law.

2.5. Compliance with this policy is mandatory and any breach of this policy, operational procedures or guidance may result in disciplinary action.

Scope

3.1. The UK General Data Protection Regulation (GDPR) definition of “personal data” includes “any information relating to an identified or identifiable natural living person”.

3.2. Pseudonymised personal data is covered by the legislation; however, anonymised data is not regulated by the UK GDPR or Data Protection Act 2018, provided the anonymisation has not been done in a reversible way.

3.3. Some personal data is more sensitive and is afforded more protection; this is information related to:

3.4. This policy applies to all processing of personal data carried out by the Gambling Commission including processing carried out by joint controllers, contractors, and processors regardless of the media on which that data is stored.

3.5. The Commission shall ensure that appropriate contractual controls are in place when engaging the services of a third party through our procurement processes.

3.6. The Commission shall follow best practice when implementing technical controls to keep personal information secure. Technical controls shall be implemented as part of Microsoft best practice including having Multi Factor Authentication (MFA) to access Commission systems.

3.7. The Commission is audited against standards frequently, in the form of IT health checks, which we use to confirm our controls are effective.

3.8. The Commission shall manage data breach notification and response in line with the incident management policy and procedure.

3.9. The requirements set out in this policy apply to all employees, workers, contractors, agency workers, consultants, Commissioners, and Expert Group members.

Roles and Responsibilities

4.1. All members of staff are responsible for complying with this Policy and completing mandatory training on an annual basis.

4.2. Specific roles are assigned throughout the Gambling Commission to manage the personal data we process and the associated risks in terms of responsibilities, decision making and monitoring compliance.

4.3. The Data Protection Officer (DPO) is primarily responsible for advising on and assessing the Commission’s compliance with the Data Protection Act (DPA) and UK General Data Protection Regulation (GDPR) and making recommendations to improve compliance. The DPO can be contacted at dpo@gamblingcommission.gov.uk.

4.4. The Senior Information Risk Owner (SIRO) is responsible for the implementation and maintenance of security standards across the organisation and for ensuring correct procedures and delegations are in place to respond to security incidents. The Senior Information Risk Owner is the Chief Technology Officer.

4.5. Information Asset Owners (IAOs) have responsibility for data protection compliance related to the information assets assigned to them through the Commission’s Information Asset Register.

4.6. The Information Management Team (IMT) provides advice, guidance and training on Data Protection issues.

4.7. Information Champions (IC) provide local support to their teams.

Policy review

5.1. To be reviewed every 2 years.

5.2. Next review date due April 2026.

5.3. The Gambling Commission’s Policy Retirement Process will be followed when this policy is no longer required, has been superseded or has been integrated into another policy.

Retention

6.1. Information will be retained in line with the Commission’s Records Management Policy and retention schedule.

Associated policies

7.1. We have overarching policies that provide direction on the application of data protection legislation which include:

Version history

8.1. The version history record is detailed in the following table.

Version history record

Version | Author or reviewed by          | Date          | Description of change
2.0     | Head of Information Compliance | April 2024    | Review of policy to align with new policy format.
2.1     | Head of Information Compliance | February 2025 | Updated role description from Senior Officer Accountable for Security to Senior Information Risk Officer (SIRO).

Annex A

Glossary

Controller

The organisation (or individual) which, either alone or jointly with another organisation (or individual) decides why and how to process personal data. The Controller is responsible for compliance with the DPA and GDPR.

Data Processor

The organisation (or individual) which processes personal data on behalf of the controller.

Personal data

Any information relating to an identifiable living individual who can be identified from that data or from that data and other data. This includes not just being identified by name but also by any other identifier such as ID number, location data or online identifier, or being singled out by any factors specific to the physical, physiological, genetic, mental, cultural or social identity of the individual.

Processing

Anything that is done with personal data, including collection, storage, use, disclosure, and deletion.

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Special category personal data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.