The General Data Protection Regulation, better known by its acronym GDPR, has been in force since May 25th, bringing about substantial changes in the iGaming industry. With plenty of iGaming affiliates still scrambling to make the necessary adjustments in order to be compliant and avoid heavy fines – up to €20 million or 4% of global annual turnover, whichever is higher – we thought we’d take a look at some actionable steps that affiliates can take today to make sure they are covered within the scope of the law.
Legal grounds to process data
The first thing that all affiliates need to be aware of is the change in the requirements that must be fulfilled in order to process and store personal data of individuals in the EU (the regulation applies to data subjects located in the EU, not only to EU citizens). Under the new legislation, affiliates must be able to point to one of six legal bases to do so: Consent, Contract, Legal Obligation, Vital Interests, Public Task, and Legitimate Interests.
Out of the six legal bases available, the two that online casino marketers will be mostly relying on to justify their data processing are consent and legitimate interest.
GDPR sets a substantially higher standard for consent than what had previously been deemed acceptable under the former legislation. It is no longer acceptable to sign clients up for mailing lists or collect their information for processing purposes by using pre-checked boxes in forms. Consent must now be freely given, specific, informed and unambiguous, given by a clear affirmative action such as an oral or written statement or ticking an unticked box, and the user must be told what data will be collected and what it will be used for. Consent must also be as easy to withdraw as it was to give, and you must be able to demonstrate that it was obtained.
Legitimate interest applies where the processing is necessary for a legitimate interest of your company (or a third party) and that interest is not overridden by the interests, fundamental rights or freedoms of the data subject. In practice this means documenting a balancing test for each use of the data, and the basis falls away whenever the subject’s own interests, freedoms or fundamental rights outweigh yours. Since legitimate interest is a judgement call with no settled case law yet and can be challenged after the fact, affiliates will mostly want to rely on getting consent from their users in order to be in the strongest position in an audit.
Responsibilities of a Controller under GDPR
The first question that all iGaming marketers will have to answer for themselves when preparing for GDPR is whether their company is a Controller or a Processor. If your company decides why and how personal data is processed (for example, you collect visitor data to market to them yourself), you are a controller; if you only process data on behalf of a controller and under its instructions, or provide it with the tools required to collect its data, you are a processor.
Under this criterion most iGaming affiliates would be considered controllers, as they actively use the personal data they collect to market to individuals directly. As controllers, affiliates must meet the following obligations:
- Adhere to any approved code of conduct or certification scheme you sign up to; these are voluntary under the GDPR, but once you publicly rely on one you will be held to it
- Collect and process personal data exclusively for the agreed on purposes
- Provide data subjects, upon request, with the personal data of theirs that you hold, what you are doing with it and who you share it with, within one month of the request (extendable by a further two months for complex or numerous requests, provided you tell the subject why)
- Inform individuals about any change in the way their data is being used, or any transfer to a third party that has not previously been disclosed, and obtain fresh consent where consent is the legal basis for that processing
- Allow data subjects to have their data erased, unless another legal basis or a legal obligation requires you to retain some of it (for example, transaction records kept for anti-money-laundering purposes)
- Implement organizational and technical measures, appropriate to the risk, that protect personal data against compromise or loss. This may include the pseudonymization and encryption of data, access controls, and adherence to the CIA (Confidentiality, Integrity, and Availability) security principles
- Maintain records of all data processed, including:
- Name and contact details of the controller, representative or Data Protection Officer (DPO)
- Type of data processed and the categories of data subjects
- Purpose of the data processing
- How long data will be stored
- Whether or not the data will be transferred to a third party or to a third country, and on what safeguards
- What technical and organizational security measures are in place
- Conduct a data protection impact assessment (DPIA) where the processing is likely to result in a high risk to individuals, for example large-scale profiling of gambling behaviour
- Establish a written contract with each of your processors stipulating that they act only on your documented instructions and use the data only for the purposes you have established. All processors used by the affiliate must also be GDPR compliant.
- Report any personal data breach that is likely to put data subjects’ rights and freedoms at risk to the competent supervisory authority within 72 hours of becoming aware of it, and inform the affected individuals without undue delay where the risk to them is high. Keep an internal record of every breach, including the ones you decide not to report, and why.
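The pseudonymization mentioned under the security measures above is the one obligation on this list that a developer can act on directly. The example below is added here and is not code from the original post or from any iGaming platform; it assumes a marketing dataset in which the e-mail address is the only direct identifier, constructed sample records (no real people), and a pseudonymization key that is generated by the affiliate and stored separately from the data (a key-management service or an HSM in a real deployment). It replaces the e-mail with a keyed HMAC-SHA256 pseudonym, which keeps the data joinable for campaign analytics while making re-identification impossible without the key, and shows why a plain, unkeyed hash of an e-mail address is not a pseudonym at all: e-mail addresses are guessable, so an attacker holding the hashed file can simply hash a list of candidate addresses and match them.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List

# Constructed sample records for the example; these are not real people.
RECORDS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com", "country": "MT", "campaign": "welcome-bonus"},
    {"email": "bob@example.org", "country": "DE", "campaign": "welcome-bonus"},
    {"email": "alice@example.com ", "country": "MT", "campaign": "free-spins"},
]

# Fields that directly identify a person and must not leave the system in clear.
DIRECT_IDENTIFIERS = ("email",)


def normalize(value: str) -> str:
    """Canonicalize an identifier so that case and whitespace variants of the
    same address map to the same pseudonym (needed for joins across campaigns)."""
    return value.strip().lower()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.
    Without `key` the output cannot be reversed or matched against guesses."""
    mac = hmac.new(key, normalize(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def pseudonymize(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Return copies of the records with every direct identifier replaced by
    its keyed pseudonym. Non-identifying fields are left as they are."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                new[field] = pseudonym(new[field], key)
        out.append(new)
    return out


def unkeyed_hash(value: str) -> str:
    """The weak approach this example argues against: a bare SHA-256 of the address."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def dictionary_attack(
    pseudonyms: Iterable[str], candidates: Iterable[str], hash_fn: Callable[[str], str]
) -> Dict[str, str]:
    """Simulate an attacker who has the pseudonymized file plus a list of guessed
    addresses (leaked lists, scraped sign-ups). Returns pseudonym -> recovered address."""
    targets = set(pseudonyms)
    recovered = {}
    for cand in candidates:
        h = hash_fn(cand)
        if h in targets:
            recovered[h] = normalize(cand)
    return recovered


def main() -> None:
    # The key lives with the controller, never next to the exported data.
    key = secrets.token_bytes(32)
    safe = pseudonymize(RECORDS, key)

    # Same person, two campaigns -> same pseudonym, so analytics still work.
    assert safe[0]["email"] == safe[2]["email"]

    guesses = ["alice@example.com", "carol@example.net", "bob@example.org"]

    # Unkeyed hashing: the attacker recovers both real addresses.
    weak = [unkeyed_hash(r["email"]) for r in RECORDS]
    print("unkeyed recovered:", dictionary_attack(weak, guesses, unkeyed_hash))

    # Keyed pseudonyms: the attacker, who does not hold `key`, recovers nothing.
    attacker_key = secrets.token_bytes(32)
    print("keyed recovered:",
          dictionary_attack([r["email"] for r in safe], guesses,
                            lambda v: pseudonym(v, attacker_key)))


if __name__ == "__main__":
    main()
```

Two points worth keeping in mind when applying this. First, pseudonymized data is still personal data under the GDPR as long as the key exists somewhere, so it still needs a legal basis, still appears in your records of processing and is still covered by access and erasure requests; what pseudonymization buys you is a much smaller blast radius if the marketing dataset leaks, and a simple erasure story for exported copies (destroy the key and they become unreadable). Second, rotate the key per export or per partner rather than using one key forever, otherwise two leaked datasets can be joined on the pseudonym.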
Where to Start
GDPR can be quite overwhelming to small and large affiliates alike. If you need some help getting started, here are some basic steps you can take:
- Consolidate all the personal data you are currently storing and document what it’s being used for, where it came from, and who you are sharing it with.
- Assign a legal basis that allows you to process each category of data you hold, and record it. Any data that cannot conceivably and demonstrably be justified under any legal basis should be deleted from your servers without delay.
- Review your sign up process from start to finish and make sure it provides your users with enough information about how you plan to use their data, and who you will be sharing it with.
- Where consent is your legal basis and the consent you hold does not meet the new standard, contact your existing clients and ask them for fresh consent before continuing to use their information. Check first that you have a lawful basis for sending that message itself; a re-consent email sent to people who never agreed to hear from you is a marketing email like any other.
- Analyze all of your current processes to make sure personal data is only available to members of the organization who actively need it for their role, and that it is used only in accordance with the law.
DISCLAIMER- All the information provided above is meant merely for educational purposes and is not to be considered legal advice. Global Gaming advises all parties affected by GDPR to contact a legal professional to assist them with the intricacies of making their operation fully GDPR compliant.