In response to digital advancement, the EU GDPR will require organizations to implement security procedures for data protection. Organizations holding data on EU citizens, whether or not the company is located within the EU, will need to comply with the GDPR by 25 May 2018.
Instead of 28 separate EU national laws, there will now be a one-stop-shop system in which companies deal with a single supervisory authority (SA) responsible for monitoring the application of the GDPR. Should the company operate in more than one member state, it will appoint a lead supervisory authority within the EU.
One of the main objectives of the GDPR is to ensure that personal data is protected against unauthorized or unlawful processing. Companies with a workforce larger than 250 employees will need to provide documentation stating why data is being collected and how long it will be held. Larger companies will need to hire a Data Protection Officer (DPO) to monitor compliance and to assist employees when processing their data.
Another objective is to ensure that data is protected against accidental loss, destruction or damage. Individuals can decline to give consent for the automated processing of their data if they are not given an explanation of why it is collected. Individuals can also have any data about them erased if it was unlawfully processed, if consent is withdrawn, or if it is no longer necessary to the organization.
Gaming Sector
Gaming operators are likely to be particularly impacted, since competitive success in the betting and gambling sector depends on users' data and its use for the customisation and profiling of players' personalities. Under the GDPR, automated profiling based on ethnic origin, political opinions, religious beliefs and other such characteristics, in order to evaluate or predict behaviour or preferences, will no longer be allowed. Prohibiting this kind of data mining will affect operators' retention strategies.
Operators will need to outline how players' data is collected and used. Companies may be required to minimize the data they collect, including IP addresses, cookie identifiers and device IDs. To ensure data minimisation, the controller should by default store only the personal data that is necessary, a principle defined as 'privacy by design and by default'.
With the introduction of the right to data portability, players are able to 'port' their data from the current controller to a new controller (a competing gaming operator). This will include processed data such as anti-money laundering and tax documents. However, how the transfer of such data is to be carried out in compliance with the regulation has yet to be refined.
In case of data leakage, the breach must be reported within 72 hours and the impacted individuals must also be notified. Failure to comply can lead to a maximum fine of 4% of annual global turnover or €20 million, whichever is greater. For gaming operators, because of the 'one stop shop system', players will also need to declare their country of residence, and if the entity is breached, fines can be issued by the data protection authority of the country where the players are based.
Hence, to mitigate the risk of a data breach, organizations need to assess their data sensitivity, system vulnerabilities and risks, and to deploy a security solution that will ensure data protection.
Financial Sector
Regulators will also be rigorous with financial services because of the amount of data collected and processed, such as credit card numbers, financial records and other personally identifiable information. Since customer data can be used to offer tailored services such as loans or insurance based on a consumer's purchase history, customizing offers will become challenging, as automated profiling will be forbidden. Hence, being aware of data usage and locations, and having a secure network with the visibility to track data movements, are important for complying with the GDPR.
Marketing Sector
In B2B email marketing campaigns, the practice of automatically adding users (scraped from a website or bought in lists) to initiate sales until they opt out will be strictly prohibited. Under the GDPR, the marketing specialist must ensure that the end user opts in to the campaign. Another implication concerns the CRM system: if an automated email is sent to a user who has opted out, this can lead to fines. Thus, gaining consent, giving users the right to be forgotten, and projecting transparency will result in compliance.
The GDPR will impact various sectors, and it will be challenging for businesses to comply with the new regulations across the EU. As KONNEKT, we will be fully GDPR compliant by May 2018.
Disclaimer: This article is not intended to impart advice and I am not in a position to guarantee that this content contains the latest update or all relevant information required. It is advisable that you refer to the relevant entity for more comprehensive information.
Rebecca Mifsud
IT & iGaming Recruitment Specialist