Let me start with a simple question: what is significant about Friday, May 25, this year?
Just three weeks until the World Cup? (And as I’ll be supporting England, about four weeks until we’re knocked out on penalties…)
Yes, but there’s something else: Friday, May 25, is the day is the day on which GDPR arrives – legislation from the European Union that will impact all our lives and will most certainly impact gambling companies.
GDPR stands for General Data Protection Regulation, European legislation that comes into force in six weeks that will affect all companies and organisations – including gambling companies – who handle customer data in the EU. And, although the UK is scheduled to leave the EU in March 2019, the government has already indicated that GDPR will be adopted as UK law.
In the UK, GDPR will replace the 1998 Data Protection Act as the piece of legislation governing how personal data is used and stored in the UK. Essentially, the EU wants to give control over their data back to people. If you handle employee and/or customer data, you will need to comply with GDPR – and woe betide any companies who don’t. GDPR will be enforced by fines for non-compliance, with industry experts predicting that the fines will far outstrip those currently imposed for breaches of the Data Protection Act.
Gambling Commission weighs in
Gambling companies clearly have a lot of data on their customers: not just name, address, and bank details but data on what types of bets they are likely to place, their gambling preferences and much more in-depth data: Are they likely to chase losses? Have they excluded themselves from gambling at any time?
It has famously been said that “data is the new oil.” The phrase was coined by Clive Humby, the man behind the Tesco Clubcard, in 2006 and to some extent it’s right. Data has become the price we pay for using the Internet: Google isn’t free, we pay with our data.
In the same way, we are not just “paying” the gambling companies by placing a bet on the correct score and the first goal-scorer markets: we are also “paying” by allowing them to collect and hold our data.
So it is no surprise that the Gambling Commission is taking a firm stance on GDPR. It has published an eight-page report on gambling regulation and the pending GDPR legislation, stating that it will “not accept that licensees stating that GDPR means they are unable to comply with an aspect of gambling regulation.”
In simple terms, the Gambling Commission’s report says that operators will need to meet the requirements of GDPR and the Gambling Commission – safeguarding customers’ data while at the same time making sure that they are promoting responsible gambling and meeting other requirements, such as identifying possible money-laundering through gambling.
The Commission added that gambling companies should retain customers’ data for five years after the relationship ends, “where the data in any way relates to regulatory compliance”.
Gambling law expert Diane Mullenex of solicitors Pinsent Masons commented: “The commission’s note is further evidence that the regulator is again looking to push its stance of seeking to protect the customer. It should be hoped that all professional operators will be well advanced in their GDPR preparations and the Commission’s position … should not come as a surprise to the industry.”
GDPR has not been kept a secret – it was adopted by the EU in April 2016 – and regulators not just in the UK but throughout Europe are likely to take a dim view of companies who cannot or will not comply with the regulations. With customer protection ever more to the fore, non-compliance with GDPR is likely to be harshly punished, by both the EU and the gambling regulators.
Gambling companies may also face an added administrative burden. GDPR – and its attendant coverage – is going to focus people’s minds on privacy and the question of data breaches, especially given the publicity surrounding the data breach at Facebook. People are going to become more aware that they are “paying with data” – and less willing to do so.
So gambling companies may need to gear up for a rough ride, under pressure from the regulators and GDPR on one side, and from customers on the other, demanding to know exactly what personal data the companies are holding and how it is being used.