Updated data privacy regulations from the EGBA.

The European Gaming Association has released a fresh set of data protection regulations that align with EU standards. What shape does this code take?

SymClub
May 27, 2024
The EU's GDPR regulation requires (among other things) maximum transparency in data collection.

The European Gaming and Betting Association (EGBA) has released a new set of guidelines on data protection and compliance with the GDPR. This is one of the first self-regulatory initiatives in Europe for the gambling industry to support the implementation of the GDPR.

Motivated by the growing importance of data protection, privacy, and the use of personal data in the lives of many European citizens, the EGBA introduced this code to mark the two-year anniversary of the GDPR. The primary goal of the code is to safeguard the personal data of approximately 16.5 million gaming customers.

The EGBA's code is a significant step towards data protection in the gambling industry, which becomes one of the first sectors in Europe to introduce a self-regulatory code to support GDPR implementation.

Following consultation with EGBA members since January, operators are now expected to cover a range of specific core areas, such as data mapping, analysis of legal bases, risk assessment, documentation, and review. They are also committed to conducting all data collection activities in a lawful, fair, and transparent manner.

Data Mapping and Analysis

To start, operators must conduct a data mapping exercise to identify and map all the information they hold, including the personal data of players. There are no specific templates, and operators should develop their own overviews and concepts.

After the classification phase, operators are required to analyze their data processing to determine its lawfulness. This analysis should thoroughly document all processing activities.

Regular Audits for Review

Following the analysis, operators must conduct a further risk assessment so that they are aware of potential data protection breaches and security gaps. They should determine whether the personal data is necessary or related to any possible risks, and take appropriate measures to address such issues.

The EGBA does not set specific requirements for implementing the code but recommends regular audits to identify and address potential problems.

Transparency and Accountability in Data Processing

The code stresses the importance of transparency and accountability in data processing. Operators must cooperate with data protection authorities and other stakeholders to ensure GDPR compliance.

Operators are also required to maintain a continuous documentation system. This includes self-created data maps, records of all processing activities, and a guideline covering both the control of data processing activities and the review and maintenance of the map.

Regular Review and Updates to Data Protection Policies

Operators must periodically review and update their data protection policies to keep up with the latest regulations and best practices. This includes conducting regular audits to identify potential issues and take corrective action.

Compliance certificates used in audits must be kept for at least three years.

EGBA member companies, such as Bet365, Betsson, Kindred, and William Hill, can only collect data if the players' consent has been obtained. Consent must be given in a clear and unambiguous manner, often through checkboxes. Players should also be given a clear way to withdraw their consent at any time.

Personal data should only be used for the stated purposes. For example, data collected for anti-money laundering should not be used for marketing messages. Operators must provide players with relevant information about data processing and the laws supporting it.

Information Retention and Data Deletion

Operators can only withhold information about data collection if it is necessary for an ongoing investigation. Data should not be stored for longer than necessary. Data should also be deleted after the end of a business relationship with a player, unless there is a legal obligation to retain it.

Expansion of Customer Service

Operators must provide a clear process for players to request their own data. There are also special training courses for staff members, enabling them to identify and escalate requests. In the event of data breaches or violations, response teams should be formed and customers notified within 72 hours.

The code has been submitted to the Maltese Data Protection Authority for approval, with the aim of achieving the highest industry standards in the online gambling sector this year.

Source: www.onlinecasinosdeutschland.com