European Gaming Lawyer magazine Spring 2016 | Page 13
like few others in their use of that data,
especially in the online world. Betting
and gaming companies operate at the
overlap of several regulatory regimes, and
depend entirely on their interactions with,
and exploitation of, the personal data that
they collect, whether they collect it directly
or indirectly.
The UK’s Information Commissioner
(the data protection regulator) has recently
published its list of key actions to take
now, noting that with two years to go until
implementation of the GDPR, now is the
time to start planning. Its list of activities
includes:
• Raising awareness of the change to the
GDPR (implementation is likely to
have significant resource implications,
and if awareness has not been raised,
compliance is unlikely to be achieved);
• Identification of the personal data
and types of personal data currently
held, where it came from and who
you share it with. The GDPR places a
higher obligation on organisations
that hold inaccurate personal data:
an organisation that finds it is holding
inaccurate personal data must notify
any other organisation with which it has
shared that data so that the recipient
can correct its records. Documenting
who data is shared with will therefore be
a critical step in making such
notifications, and recording the process
and the facts will form part of the due
diligence defence that will be available.
Without such records it may be
impossible to respond to a regulator’s
enquiry about your level of compliance;
• Reviewing current privacy notices: too
many companies have over the years
simply copied a competitor’s privacy
notice, replacing the organisation’s
name, without really thinking
through whether the notice reflects
their own practices and needs. Under
the GDPR, an organisation will not only
continue to need to tell individuals
whose data it collects who it is and
how it plans to use their data; it will
additionally need to tell them about
matters such as data retention periods
(do you even have a data retention
period at present?) and that individuals
can complain to the data protection
regulator if they have concerns about
the organisation’s data handling, and
all of that in plain, intelligible
language;
• Individuals will gain additional
rights: not just the right of subject
access (often known as a SAR: subject
access request), but the right to have
information deleted and the right to data
portability. Do your systems currently
allow you to delete data, or to provide
it to another data controller in a
commonly used format?
• The SAR regime will be speeded
up, to one month rather than the 40 days
we currently have. Are you able to comply
with an accelerated regime? The UK
Information Commissioner’s Office
suggests considering whether you could
offer people a self-service method, so that
rather than taking up your time dealing
with requests, people could check their
own data;
• You will continue to be able to use data
without consent if the requirements for
another lawful basis are met, but
understanding what you are relying upon
in your collection of data will be key.
Consent remains a lawful basis for
processing, but consent freely given can
also be freely withdrawn, and working out
whether there is a better way to justify
data collection (and, therefore, retention)
might make a big difference to an
organisation;
• Perhaps the biggest change to the data
re