Out-Law News | 10 Apr 2018 | 4:11 pm | 2 min. read
In a new note issued to businesses in the British gambling market, the regulator acknowledged that some operators have concerns that the new data protection rules, which will apply from 25 May, will hamper their ability to meet their licensing duties. However, it said it would "not accept licensees simply stating that GDPR means that they are unable to comply with an aspect of gambling regulation".
The Commission's note (8-page / 94KB PDF) set out how it believes operators can lawfully process personal data to meet their obligations on customer self-exclusion, combat money laundering and to meet other social responsibility purposes, as well as share data on suspected illegality.
"We take the view that GDPR is not intended to prevent operators from taking steps which are necessary in the public interest, or are necessary to comply with regulatory requirements under a gambling licence," the Commission said. "GDPR should not be improperly used as an excuse to avoid taking steps which enable compliance with licence conditions, promote socially responsible gambling, and promote the licensing objectives."
"Where licensees have genuine well-founded concerns about GDPR, we are committed to working with industry to get the right outcome – one that safeguards personal data whilst also promoting the licensing objectives," it said.
According to the Commission, gambling operators should retain customer data for at least five years after their relationship with those customers ends where the data "relates in any way to regulatory compliance". The Gambling Commission also said operators should be prepared to provide the regulator with a copy of their data retention policies and that it could also ask the companies to disclose customer data to check their compliance with their licensing obligations.
"Where data which is relevant to a licensee’s compliance with the regulatory regime has been obtained, licensees should have regard to the fact that we may wish to investigate whether a licensee has complied with their obligations," the Commission said. "In some cases (for instance, where we are investigating a licensee’s compliance with its social responsibility and anti-money laundering requirements as a result of a gambler stealing funds for gambling over a prolonged period of time), this may involve requesting account data which goes back a substantial period."
The Commission's note makes it clear that gambling operators should look beyond customer consent as the legal basis for processing personal data to meet its licensing duties. However, it said it, along with the Information Commissioner's Office, the UK's data protection watchdog, is "concerned" that operators are sending direct e-marketing communications to customers without obtaining their "genuine consent".
"Licensees should ensure they are compliant with the law in relation to direct marketing, in particular the Privacy and Electronic Communications Regulations (and the [new EU] e-Privacy Regulation which is due to be implemented shortly)," the Commission said. "Licensees should satisfy themselves that anyone they contract with in relation to direct marketing hold the appropriate consents from consumers for marketing of the licensees’ products. Ongoing failure to ensure compliance may result in regulatory action."
Gambling law expert Diane Mullenex of Pinsent Masons, the law firm behind Out-Law.com, said: "The Commission’s note is further evidence that the regulator is again seeking to push its stance of seeking to protect the customer. It should be hoped that all professional operators will be well advanced in their GDPR preparations and the Commission’s position set out in the note should not come as a surprise to any in the industry."