Since customer data and its uses are key components to competitive success in the betting and gaming sector, operators in this sector will be significantly affected by the General Data Protection Regulation ("GDPR"). Although it will not apply until 25 May 2018, some operators have already commenced their planning and preparations for the GDPR and those who have not should consider doing so now.
There are fundamental strategic decisions to be made as to how personal data should be collected and managed in connection with the GDPR. The following are five key changes to EU data protection law that will be introduced by the GDPR which will be of particular relevance to the betting and gaming sector:
1) Internal Governance and Responsibility
Under the GDPR there will be an increased emphasis on being able to demonstrate compliance. This will involve maintaining a record of data processing activities and associated policies and procedures. As part of this process, operators should create and maintain a detailed 'personal data inventory'. Unless and until such an inventory has been created, it will be difficult for any operator to make informed choices on the key strategic decisions to be made in relation to the GDPR.
2) Data Portability
Under existing data protection law, data subjects have the right to receive a copy of any personal data that is held about them (subject to limited exemptions). Under the GDPR, a data subject will have a new additional right to receive personal data in a 'structured, commonly used and machine-readable format' and to require the controller to transmit that personal data from the controller to a new controller. This data portability right will apply only in certain circumstances and will be limited to personal data 'provided by' the data subject to the controller. However, guidance published recently by the Article 29 Working Party indicated that the reference to personal data 'provided by' the individual should be interpreted broadly, so that it will include observed data. If the GDPR is interpreted in this way, then much of the content of a customer profile developed by a business may be within the scope of this right and capable of being 'ported' to another controller (such as a competitor of that business) at the request of the relevant individual.
The data portability right may apply where personal data has been collected based on the data subject's consent, but will not apply where personal data has been processed based on the 'legitimate interest' ground for processing personal data. For businesses that are concerned about the scope of the data portability right, this distinction may have an important bearing on strategic decisions to be made regarding how data collection and use are to be legitimised under the GDPR.
3) Lead Supervisory Authority
The GDPR will introduce a modified 'one stop shop' system, whereby businesses established in the EU will be subject to the oversight of a 'lead supervisory authority'. If they are established in more than one EU member state, then depending on how they organise their affairs they might have a single 'lead supervisory authority' and other 'concerned' supervisory authorities, or they may be subject to oversight by multiple 'lead supervisory authorities'.
The GDPR does not permit 'forum shopping'. Nevertheless, the rules governing data protection authority jurisdiction should be taken into account by any multinational corporation when making strategic decisions regarding where within the EU to locate personnel or resources.
4) Data Protection Officer
Certain entities will be obliged to appoint a Data Protection Officer ("DPO"), including entities likely to monitor data subjects on a large scale. The DPO should be appointed based on professional qualities and expert knowledge of data protection. The DPO role must be sufficiently senior, appropriately independent, free of conflicts of interest and adequately resourced to comply with specified requirements in this regard. The functions of the DPO will include informing and advising the operator of its obligations under the GDPR, monitoring compliance with the GDPR and carrying out data protection impact assessments.
Given the skill set that will be required and the requirements regarding seniority, independence and absence of conflicts of interest, it is anticipated that there will be a significant shortage of appropriately qualified candidates for DPO roles. Any business that will need to appoint a DPO should start considering how the role will be structured and who might fill it now.
5) Security Breaches
The GDPR will introduce a mandatory notification regime in the event of a personal data breach. Controllers will be required to report personal data breaches to their lead supervisory authority no later than 72 hours after becoming aware of such breach, and in some cases, will also be required to report such breaches to affected individuals. Operators will need to ensure that they are in a position to identify and react to security breaches in a manner which complies with the requirements of the GDPR. An internal breach register must be kept and data breach procedures should be implemented and regularly reviewed. For operators established in Ireland, preparing for these obligations should be less of a challenge for those who already have procedures in place to comply with the Data Protection Commissioner's Personal Data Security Breach Code of Practice.