UK Regulator Fires ‘Warning Shot’ On GDPR

With less than two months until the EU’s General Data Protection Regulation (GDPR) comes into effect, the UK Gambling Commission has said that the GDPR should not be used as an excuse for UK-licensed operators to shirk their player protection or anti-money laundering (AML) obligations.

In the note published on Tuesday, the commission said that once the GDPR becomes effective on May 25 it should not prevent operators from using customer data in ways that are “in the public interest”.

The commission said it saw no conflict between strengthened data protection rules and its licence conditions, and would not accept the argument that the GDPR prevented compliance with any aspect of existing gambling regulation.

It added that it would be working closely with the industry to alleviate any “genuine well-founded concerns about GDPR” that operators might have, to safeguard personal data while promoting the commission’s own licensing objectives.

Richard Williams of Joelson law firm said the commission had “fired a warning shot to operators that they will find themselves in hot water if they try to use GDPR as an excuse for not implementing procedures to prevent money laundering or problem gambling”. 

The guidance advises gambling operators to retain data for at least five years after the end of a relationship with a customer and cautions licence holders to be ready to provide the commission with a copy of their data retention policies and customer data upon request.

However, some gambling law experts found the eight-page guidance note to be deficient.

“I doubt it’s adequate but it’s a start,” said David Clifton of London-based law firm Clifton Davies. “I foresee a need for further commission guidance in relation to the processing of data for AML purposes, particularly given that, of all gambling operators, only casinos (remote and non-remote) presently fall within the regulated sector for AML regime purposes.

“Given that the commission and the Information Commissioner's Office (ICO) have reportedly been in discussion together on GDPR issues for the last two years or so, this should not be an insurmountable task and it may be that further guidance will be available when the Data Protection Bill is finalised,” he added.

Susan Biddle, a consultant at law firm Kemp Little, agreed: “Inevitably, there are areas where it would be useful to have further guidance, such as the collection and use of 'special category' data for developing algorithms and other products that facilitate identification of at-risk customers.”

With respect to personal data processing, the commission acknowledged that consent would not always be practical in every situation and pointed to a series of “myth-busting” blogs recently published by the ICO, which detailed five ways apart from explicit consent that allowed for GDPR-compliant processing of data.

“Any operator who is taking their GDPR responsibilities seriously should be taking account of the much more copious guidance that has been emanating from the ICO for a very considerable period of time, rather than merely seeking to rely on the Gambling Commission’s rather belated guidance on the subject,” Clifton said.

However, Joelson’s Williams said that he thought it was fair that “the commission acknowledges that it cannot provide definitive guidance on the implementation of GDPR and [that] the ICO will address issues on a case-by-case basis”.

Biddle, however, added that it would be helpful if the commission clarified the information needed to justify “legitimate business interests” as a ground for processing.

“It is important that, before starting to process personal data, each licence-holder considers what personal data must be processed in order to achieve the required outcome in each case, and which of the permitted lawful bases for processing applies in each case,” noted Clifton.

In its guidance, the commission also sharply criticised the large-scale unsolicited sending of marketing emails and texts, which it viewed as “not undertaken in the public interest or to comply with regulation, but done in order to sell a product”.

The ICO has previously named the gambling sector as a frequent violator of electronic communication regulations and the commission has warned of a crackdown if operators fail to comply with UK rules around marketing, as well as the incoming EU ePrivacy Regulations.
