COVID-19, GDPR and Online Gaming Business

Stories | 18 Jan 2021

What should operators have in mind when developing online business?

Zlatan Omerspahić, Head of Legal and Compliance at NSoft: All industries, with no exception, have a common denominator for the year 2020. It is financial uncertainty.

Lockdown hit some niches hard. Many businesses were closed in the scenario we have never seen before. The existing COVID-19 pandemic has brought the economies of all countries to a standstill. Betting and gaming industry wasn’t an exception, especially in the retail channel where the restrictions are still in force to a lesser or larger degree at almost all markets.

Still, the fact is that the internet gaming industry has a great chance to become the most popular betting channel. As always, the necessity is the mother of invention – in our case digitalisation. Understandably, the pandemic and the lockdown were a driving force for many operators to invest in online business – weather expanding the existing online betting business or starting from scratch. 

It’s vital to pay attention to regulatory risk regarding online business and data protection in that context. The overriding obligations of the operators are to identify and understand the personal data that they process. The operators must understand legal obligations related to data protection and document all compliance activities. Furthermore, they have an obligation to establish a compliance framework that will comply with GDPR.

What compliance framework covers? Compliance framework comprises of data mapping, analysis of lawful basis and risk assessment. 

  1. Data mapping. An operator shall develop a data map of player’s data which needs to contain at least (what personal data is processed, the source of the personal data, what the personal data is used for and similar);
  2. Analysis of lawful basis for processing. This analysis should cover the legal basis for each processing activity (Article 6 of GDPR);
  3. Risk assessment. The operator shall conduct a risk assessment to determine the level of risk for processing each of the personal data categories.

If an operator wants to have an adequate compliance program related to data protection, internal or external audit should control it periodically. Besides being legally on the safe side when we speak on GDPR and data protection, the operators have to build their business on three main pillars to ensure their players’ trust. 

The following principles must be met: lawfulness, fairness and transparency. 

Regarding security, as a general rule, Article 32, GDPR requires controllers and processors to adopt a risk-based approach to security measures “to ensure a level of security appropriate to the risk”. 

Article 32 of GDPR defines several security measures such: pseudonymisation and encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data, the ability to restore the availability and access to data on time in the event of a physical or technical incident, as well as to document regular reviews of access controls, a process for regularly testing and certification mechanisms. 

In the end, the most important thing is to ensure the implementation of these principles internally, including precise roles and obligations. The crisis is always a chance, but every responsible company needs to think about regulatory risk and reputation, especially in the data protection aspect.