iGaming Business magazine Fraud and ID Verification: Market Report | Page 7

FRAUD AND ID VERIFICATION : MARKET UPDATE

NEED TO KNOW : IGAMING AND THE GDPR

Operators need to be preparing now for changes to how they collect, store and manage data under the EU's General Data Protection Regulation (GDPR), writes John Karantzis of iSignthis.

As of May 2018, the European Union's (EU) General Data Protection Regulation (GDPR) will come into effect for UK and EU-based iGaming operators.
The GDPR enhances the data protection rights of EU data subjects, meaning that operators will now need to provide easier access to personal data, with clear and easily understandable information on its processing, use and storage.
The EU data protection agencies can, under the GDPR, impose fines starting at €10m, rising to 4% of a firm's worldwide gross revenues. The GDPR should be taken seriously and the sector must prepare accordingly.

Understanding personally identifiable information (PII)
In order for iGaming companies to fully understand the effects of the GDPR, they must first understand what PII is.
Within the EU, there is a single definition of personal data for all applications, which will soon be governed by the GDPR or its still-in-force predecessor, the European Commission's (EC) Data Protection Directive 95/46/EC.
The GDPR includes all information identifiable to a person, even if the data alone cannot be linked to a specific individual. If it is reasonably possible to use the data in combination with other information, available either in the public domain or exposed during a data breach, to identify a person, then the data under consideration is to be treated as PII. PII also encompasses Payment Card Industry (PCI) data, with whose security requirements most people reading this will already be familiar.
Many of the GDPR's main concepts and principles are similar to those in the current Data Protection Directive. However, some additional steps will be necessary, as the requirement for data collection under the 4AMLD and the 2017 UK Money Laundering Regulations has increased in scope and frequency.

Implied vs explicit consent
Except where MLRs or PSD2 specifically require collection of 'compliance' data, a person's consent will have to be gained explicitly via affirmative interaction, and there will be stringent requirements to demonstrate that this consent is freely given, informed and specific.
Individuals will have new rights that companies will have to uphold, including a 'right to be forgotten'[1] and a 'right to object'[2] to their details being used, transferred or held. This is not inconsistent with the Payment Services Directive 2 (PSD2), where customers who are Payment Services Users (PSUs) must actively and explicitly consent to a transaction[3], including the collection of amount, payment and personal data, and incorporating a strong customer authentication (SCA) process[4].
So, the popular approach of pre-ticked boxes, assumed implied consent and other forms of subtle or hidden acceptance of the storage and use of a customer's data will no longer be acceptable.
Data security
The GDPR has been framed in such a way as to give individuals better control over their personal data. The GDPR has established a single EU-wide set of data protection rules, not subject to state-by-state 'transposition' and thus avoiding local interpretation. Firms are required to "implement appropriate technical and organizational measures" in relation to the nature, scope, context and purposes of their handling and processing of personal data.

[1] Article 17 of the General Data Protection Regulation
[2] Article 19 of the General Data Protection Regulation
[3] Articles 52, 63, 64, 65, 66, 67, 68, 75, 76, 80 and specifically 94 of the Payment Services Directive 2015/2366 (PSD2)
[4] Articles 5, 13 and 31 of the European Banking Authority's Regulatory Technical Standard on Strong Customer Authentication
[5] https://www.enisa.europa.eu/topics/data-protection/privacy-by-design

Data protection safeguards and 'privacy by design'[5] must be incorporated into products and services. The data protection safeguards might include:
• Tokenisation, pseudonymisation and/or encryption of PII and PCI data
• Compliance with PCI DSS and the European Banking Authority's (EBA's) 'Security of Internet Payments' and the EBA's Regulatory Technical Standard on SCA
• Ensuring the ongoing confidentiality, integrity, availability and resilience of systems
• Restoring the availability of and access to data in a timely manner following a physical or technical incident
• Disaster recovery processes
• Introducing a process for regularly testing, assessing and evaluating the effectiveness of these systems
• Introducing a breach policy, including management, notification and residual data safeguarding
• Appointing a privacy officer
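The first safeguard in the list groups together three techniques that behave quite differently in practice. The following is an added example, not code from the article or from iSignthis, that shows the difference between pseudonymisation (a keyed, deterministic transform that keeps records joinable but cannot be reversed without the key) and tokenisation (a random surrogate for a card number, meaningful only to the vault that issued it), and how deleting a vault entry supports a 'right to be forgotten' request. It uses only the Python standard library; the key, the in-memory vault and the card number are constructed for the example, and a real deployment would hold the key in a KMS or HSM and encrypt the vault at rest.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed key for this example only. In production the key lives in a
# KMS/HSM and is never stored beside the pseudonymised data, otherwise the
# pseudonyms can be recomputed from a list of known identifiers.
PSEUDONYM_KEY = b"example-pseudonym-key-do-not-use"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) of a PII field such as an e-mail address.

    Deterministic: the same identifier always maps to the same pseudonym, so
    analytics and fraud systems can still join records on it. Without the key
    the output cannot be reversed or confirmed against a guessed identifier.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (a sanity check, not proof
    of a real card)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masked(pan_digits: str) -> str:
    """Display form that keeps only the last four digits."""
    return "*" * (len(pan_digits) - 4) + pan_digits[-4:]


class CardTokenVault:
    """Tokenisation: the PAN is replaced by a random token with no
    mathematical relationship to it. Only the vault can map a token back, so
    every system outside the vault holds no cardholder data at all."""

    def __init__(self) -> None:
        # Constructed in-memory store; a real vault encrypts this at rest.
        self._store: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("not a plausible PAN")
        # 128 bits of randomness: tokens cannot be guessed or enumerated.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = digits
        return token

    def detokenise(self, token: str) -> Optional[str]:
        return self._store.get(token)

    def forget(self, token: str) -> bool:
        """Erasure request: once the mapping is gone, every copy of the token
        held elsewhere is just an opaque string."""
        return self._store.pop(token, None) is not None


if __name__ == "__main__":
    vault = CardTokenVault()
    tok = vault.tokenise("4111 1111 1111 1111")  # constructed test PAN
    print("pseudonym:", pseudonymise("Alice@Example.com"))
    print("token:", tok, "display:", masked(vault.detokenise(tok)))
    print("forgotten:", vault.forget(tok), "lookup:", vault.detokenise(tok))
```

The practical difference for a breach assessment is that a leaked pseudonym table is only as exposed as the key, while a leaked token table is harmless without the vault; a plain encrypted copy of the PAN, by contrast, is exposed the moment the decryption key is.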
What does this mean for iGaming?
Companies should consider carrying out data protection impact assessments, adhering to codes of conduct and proactively seeking certification through approved third-party mechanisms such as ISO and PCI. Data security can also be entrusted to PCI- and ISO-certified third parties such as iSignthis.
Ultimately, data protection agencies will be looking to see that privacy by design is being taken seriously.
Thus, the collection, storage and management of data will come under increased scrutiny, with operators looking to outsource aspects of this complex function.

John Karantzis is the founder and managing director/CEO of Australian Securities Exchange-listed, EEA-authorised Monetary Financial Institution iSignthis Ltd (ASX: ISX / FRA: TA8 / SWIFT BIC: ISEMCY21).
iGamingBusiness | Issue 106 | September / October 2017 | 111