EGBA launches new data protection code

11 June 2020

The European Gaming and Betting Association (EGBA) has released a new code of conduct on data protection and compliance with EU General Data Protection Regulation 2016/679 (GDPR).

EGBA said the code is one of Europe’s first ever sector-specific self-regulatory initiatives to support GDPR compliance.

“On the 2-year anniversary of GDPR, issues around data protection, privacy and the use of personal data are still a concern for many European citizens,” EGBA secretary general Maarten Haijer said. “That’s why we’re pleased to introduce this new code which demonstrates the online gambling sector’s commitment to protecting the personal data of our 16.5m customers and supporting the success of the GDPR.

“We’re pleased to be one of Europe’s first industry sectors to introduce a self-regulatory code which supports compliance with GDPR. It follows a consultation with members on the code that began in January this year.

Under the code, operators must set out a compliance framework which covers the code’s core areas: data mapping, lawful basis analysis, risk assessment, documentation and review, assessment and amendment.

Operators are expected to undertake a data mapping exercise to audit all the information they hold, including player personal data. EGBA noted that there is no specific template that needs to be followed for this.

While not required, EGBA also recommended that operators where possible include the source of personal data, where this data is held and what it is used for.

When this mapping is complete, operators must conduct an analysis to ascertain whether their data processing is lawful. This analysis should document the lawful basis for each processing activity.

Following this analysis, operators must conduct a further risk assessment in order to become aware of other risks such as data breaches, and determine the extent to which any personal information is not needed or disproportionate to the risk it carries.

Operators must also have documentation that demonstrates their compliance with the code on hand at all times. This consists of these data maps, the GDPR-required record of processing and a policy including both governance of data processing activities and the reviewing and maintaining of the map.

Finally, operators must continue to review, assess and amend their data policy through periodic internal or external audits. Evidence of compliance used as part of any audit must be retained for a minimum period of 3 years.

EGBA added that all data collection must be lawful, fair and transparent. For collection to be lawful, it must be taken with player consent, which must be freely and unambiguously given through measures such as ticking a box, or out of necessity for the requests or protection of a player. Players must also be granted an easy to follow way of withdrawing consent, with operators required to periodically check whether their players are still happy for their data to be collected or stored.

For collection to be fair, it should be used only for the stated purposes a player consented to, rather than, for example, using data gathered for anti-money-laundering purposes to send marketing communications.

For collection to be transparent, all relevant data processing, the reasons for it and the laws supporting this have been declared to players in an accessible way. Operators are allowed to withhold information about data collection if it is necessary for an ongoing investigation.

EGBA added that data should not be stored for longer than is necessary and that it should not continue to hold data after the end of the business relationship with a player unless there is a legal requirement to keep it for longer.

Players must also be able to request their own data and operators should train customer service teams to identify and escalate these requests.

In case of breaches, either where data is lost, stolen or unlawfully amended, operators must create response teams to deal with the issue and notify customers within 72 hours.

The code has now been submitted to the Maltese Data Protection Authority to ensure it complies with GDPR. Data protection authorities in Malta and other EU countries, as well as the European Data Protection Board, will review the code in a process that EGBA expects to last between 18 and 24 months.

“Data, and how it is used, is playing an increasingly important role in how citizens and businesses interact online – and the online gambling sector is no different,” Haijer said.

“This code outlines how online gambling companies should ensure their customers understand how their personal data is being used and provides important guidance on how companies should use personal data in their interactions with customers, including how they identify and address problem gambling behavior in their customers.”