On May 25, many people were panicking at the thought that the General Data Protection Regulation (GDPR) that all of Europe now has to abide by would jeopardize the recent trend of self-exclusion.
What is GDPR?
GDPR is a new European Union regulation about data protection and privacy for all individuals in the European Union (EU) and the European Economic Area (EEA). It aims to make the online privacy experience more transparent. Customers will be able to choose what information about them a company can store, and they can also request that their data be deleted. Companies storing data on individuals without their consent – think junk mailing lists – now risk heavy fines from the Information Commissioner's Office (ICO) in the UK.
How does this affect self-exclusion? Well, the process of self-exclusion only really works if it’s easy to do, and that is something that the UK struggles with.
The GDPR, which came into effect last month, allows “lawful processing” of data by operators to comply with license conditions or to satisfy “legitimate interests.” It does not inherently prohibit holding customer data but asks for clear justification of why that data is being held and processed.
The use of ‘explicit consent’ has worried gambling operators scrambling to understand the new legislation, as customers might use third-party tools to make their requests. It could also affect companies that employ algorithms designed to catch potential problem gamblers early, because this would require using data from customers who do not display any at-risk behaviors.
Vulnerable people looking to self-exclude would previously have had to write to each gambling website or body to request that their details be removed or that their accounts be banned. It was time-consuming and not user-friendly, but now there are third-party options that make it easy to fill out a single form and have the exclusion sent to all other operators in that jurisdiction. It’s a format that has become increasingly popular in places such as Malta, but experts were worried that the very nature of sharing information would collapse under the new GDPR rules.
However, experts have decided that that isn’t the case.
Consent “not to be relied upon”
Speaking to Gambling Compliance, Susan Biddle, a technology consultant with law firm Kemp Little, explained: “It is unsatisfactory for an operator to rely on data subject’s consent [in this case], as consent is voluntary and may be withdrawn at any time. And the data subject may exercise their right to be forgotten.”
An operator would have to show that it could not reasonably achieve the same minimization of harm in a less intrusive way, according to Biddle. Operators relying on the legitimate interests must keep a record of their assessment to demonstrate compliance if required, she said.
Social responsibility policies
Social responsibility is a requirement of the UK Gambling Commission’s license conditions and codes of practice (LCCP), so firms operating in this territory were understandably nervous. It’s interesting to note that the UK has one of the most complex policies in self-exclusion, which emphasizes the individual.
Intriguingly, locations such as Malta are rolling out a remote self-exclusion method that will make it much easier to self-impose. In the UK it seems to be all about that key buzz phrase “social responsibility”.
A Gambling Commission spokesperson said: “We expect operators to continue to obtain and analyze data for the purposes of ensuring that their social responsibility policies, taking into account the state of the art and currently available techniques for identifying and minimizing gambling-related harm.”
The ICO issued updated guidance for the GDPR in May, promising to be a “fair and proportionate regulator” and asking organizations who are “not quite there” to “not panic”.