The European Gaming and Betting Association (EGBA) has released a new code of conduct on data protection and compliance with the EU General Data Protection Regulation (GDPR). The move follows its previous work and initiatives on behalf of the largest online gambling operators licensed in the EU. More than a month ago we introduced the first pan-European code of conduct on safe and responsible online advertising among operators. The new code complements the existing legal and regulatory requirements for online gambling across the European territory, including the UK.
Taking a closer look at data protection
This Code of Conduct on Data Protection in Online Gambling sets out data protection standards for the gaming industry, reinforcing the sector’s compliance with GDPR. As a result of this move, players will have better control over how their personal data is used and will grant access to it only with their free and unambiguous consent. The code also provides guidance on how companies should use data in their interactions with customers, including how they identify and address problem gambling behaviour among their audience.
EGBA stated that the code is one of Europe’s first sector-specific, self-regulatory initiatives supporting GDPR compliance. All EGBA members will have to comply with the code, which will also be open for signature by other online gambling-related companies licensed in the EU/EEA. Adherence will be supervised by an independent third-party monitoring body.
Maarten Haijer, the General Secretary of EGBA, stated that challenges around data protection, privacy and the use of personal data remain a concern for many European citizens.
For these reasons, the new code will demonstrate the commitment of the online gambling sector to protecting the personal data of over 16.5 million customers and will support the successful application of the GDPR. He added that EGBA is pleased to be one of the first industry sectors in Europe to introduce a self-regulatory code, which reflects how much the industry has progressed and grown in complexity over recent years.
Code on defining how operators process data
Under the code, operators must establish a compliance framework covering the core areas of data mapping, risk assessment, lawful basis analysis, documentation, and review, assessment and amendment.
Operators are expected to perform a data mapping exercise to audit all the information they hold, including players’ personal data. EGBA added that there is no specific framework or template that must be followed to complete this task. While not required, EGBA recommends that operators where possible record the source of each item of personal data, where it is stored and what it is used for. Once the mapping is complete, operators must analyse whether each of their data processing activities is lawful.
Following this analysis, operators must conduct further risk assessments to identify other risks such as data breaches, and to determine the extent to which any personal data they hold is irrelevant or disproportionate to the risk it carries.
Legal framings and documentation
In line with the framework above, operators must hold documentation that demonstrates compliance with the code. This consists of up-to-date data maps, the record of processing activities required by GDPR, and a policy covering both the governance of data processing activities and the maintenance of the maps. Finally, operators must review, assess and amend their data policy through internal or external audits. Evidence of compliance used as part of an audit must be retained for a minimum of 3 years.
EGBA added that data should not be kept for longer than necessary. An operator should not continue to hold data after the end of its business relationship with a player unless a legal requirement obliges it to retain the data for a longer period. In the case of data breaches where information is lost, hacked or unlawfully altered, operators must have trained teams ready to handle the incident and to notify customers within 72 hours. For context, GDPR itself requires the supervisory authority to be notified within 72 hours of the operator becoming aware of a breach (Article 33), and affected individuals to be informed without undue delay where the breach is likely to result in a high risk to them (Article 34).
The code has been submitted to the Maltese Data Protection Authority to ensure it complies with GDPR. Data protection authorities in Malta and other EU countries, as well as the European Data Protection Board, will review the code in a process that EGBA expects to last between 18 and 24 months.