EGBA launches Data Protection Code of Conduct

Cvetanka Cvetanovska | Published 12 Jun 2020, 1:48 p.m.

The European Gaming and Betting Association (EGBA) has released a new code of conduct on data protection and compliance with the EU General Data Protection Regulation (GDPR). This move follows the association's previous work and initiatives to represent the biggest online gambling operators that are licensed in the EU. More than a month ago, we introduced the first pan-European code of conduct on safe and responsible online advertising among operators. The new code complements existing legal and regulatory requirements for online gambling across the European territory, including the UK.

Taking a closer look at data protection

This Code of Conduct on Data Protection in Online Gambling will outline standards on data protection for the gaming industry, reinforcing the sector’s compliance with GDPR. As a result of this move, players will now have better control over how their personal data is used and will grant its use only with their free and unambiguous consent. Moreover, this code will provide guidance on how companies should use data in their interaction with customers, including how they identify and address problem gambling behaviour among their audience.

EGBA stated that this code is one of Europe’s first-ever sector-specific, self-regulatory initiatives that support GDPR compliance. All EGBA members will have to comply with the Code, which will be open for signature to other online gambling-related companies licensed in the EU/EEA. Adherence will be supervised by an independent third-party monitoring body.

Maarten Haijer, the General Secretary of EGBA, stated that challenges around data protection, privacy and the use of personal data are still a concern for many European citizens.

For these reasons, this new code will demonstrate the commitment of the online gambling sector to protect the personal data of over 16.5 million customers and support the successful application of the GDPR. He added that they are pleased to be one of Europe’s first industry sectors to introduce a self-regulatory code, which shows just how much this industry has progressed and grown in complexity over recent years.

Code on defining how operators process data

Under the code, operators must set out a compliance framework which covers core areas such as data mapping, risk assessment, lawful basis analysis, documentation and review, assessment and amendment.

Operators are expected to perform a data mapping exercise to audit all information they keep, including the players’ personal data. EGBA added that there is no specific framework or template that needs to be followed in order to complete this task. While not required, EGBA recommends that operators, where possible, include the source of personal data, where it is stored and what it is used for. When this mapping is complete, operators must undertake an analysis to evaluate whether their data processing is lawful.

Following this analysis, operators must conduct further assessments in order to protect themselves and become aware of other risks, such as data breaches, and to determine the extent to which any personal information is irrelevant or disproportionate to the risk it carries.

Legal framings and documentation

In line with the above-mentioned guide, operators must have documentation that demonstrates compliance with the code. This consists of updated data maps, the GDPR-required record of processing, and a policy covering both governance of data processing activities and maintenance of the maps. Finally, operators must review, assess and amend their data policy through internal or external audits. Evidence of compliance used as part of an audit must be retained for a minimum period of 3 years.

EGBA added that data should not be kept and stored for longer than necessary. An operator should not continue to hold data after the end of the business relationship with a player unless there is a legal requirement to keep it for a longer period of time. In the case of data breaches where information is lost, hacked or unlawfully amended, operators have to create teams that will be trained to deal with the issue and notify customers within 72 hours.

The code has been submitted to the Maltese Data Protection Authority to ensure it complies with GDPR. Data protection authorities in Malta and other EU countries, as well as the European Data Protection Board, will review the code in a process that EGBA expects to last between 18 and 24 months.
