The General Data Protection Regulation is a massive change for both gaming and gambling operators and suppliers, also introducing sanctions up to 4% of the global turnover of the breaching entity for privacy breaches.
What changes with the EU Data Protection Regulation for Gambling Companies
www.dlapiper.com, Thursday, June 9, 2016
Speakers:
Giulio Coraggio – DLA Piper, Milan
Antoon Dierick – DLA Piper, Brussels
Richard van Schaik – DLA Piper, Amsterdam
*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
Agenda
1. Timing, scope and importance of the GDPR for gambling companies
2. What changes for gambling companies?
3. What to do to be ready in 2018
4. How DLA Piper can help you
A single data protection law across the whole European Union, with some exceptions…
Put May 25, 2018 on your calendar!
Timing, scope and importance of the GDPR for gambling companies > Timing
Purpose of the GDPR:
Protection of the constitutional rights and fundamental freedoms of individuals, in particular the protection of personal data.
Personal data:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
Personal data
Timing, scope and importance of the GDPR for gambling companies > Scope
It applies wherever you are located
both
One-stop-shop benefits
Timing, scope and importance of the GDPR for gambling companies > Scope
Whether you are an operator or a supplier…
New obligations for data processors
Renegotiating data processing agreements?
Timing, scope and importance of the GDPR for gambling companies > Scope
Why is it so important for gambling companies?
Large amount of data
Sensitive data
betting (behavior, financial transactions etc.)
Deep profiling of customers
Often transferred cross border
Timing, scope and importance of the GDPR for gambling companies > Importance
And the potential sanctions are now massive
Up to 4% of the global turnover
New accountability principle
Timing, scope and importance of the GDPR for gambling companies > Importance
Also, cyber-risk becomes a higher threat in case of data breach…
Security measures adequate or not?
Timing, scope and importance of the GDPR for gambling companies > Importance
You can still collect data
PRIVACY INFORMATION NOTICE
– More details on data processing
CONSENT
– Freely given, specific, informed and unambiguous, by a statement/affirmative action
CONTRACT PERFORMANCE
– Performance cannot be made conditional on consent if the processing is not necessary
LEGITIMATE INTEREST
– Prevention of fraud, but also marketing?
What changes for gambling companies > Data collection requirements
You can't stop developing your products, so what to change in your gaming platform and organization?
Better defense!
Privacy by design and privacy by default
Security by design
Data Protection Officer
What changes for gambling companies > Additional GDPR requirements
Is your players' profile portable?
Keeping the VIP status
Disclosing trade secrets?
What changes for gambling companies > Player data portability
Transferring of data outside the EEA
Same rules but…
What changes for gambling companies > International data transfers
Are you going to be certified?
Regulatory approval
Gambling certification
Privacy certification
Where is the burden of the privacy certification going to stand?
What changes for your company? > Certification
What is on your immediate to do list?
1. Mapping the data that is currently processed within the group and assessing whether all data processing is necessary
2. Assessing how data is processed by the company and the technical infrastructure
– review of internal policies (if any)
– review of technical functioning of gaming platform/client components
3. Deleting data that is not necessary and represents only a potential risk
4. Reviewing the current data processing agreements
What to do to be ready in 2018 > To do list
What is on your immediate to do list? (ii)
5. Assessing whether the current group structure is privacy efficient under the one-stop-shop rule
6. Appointing a data protection officer (or outsourcing this function to a third party)
7. Planning the implementation of:
   1. Internal policies
   2. Privacy impact assessment
   3. Privacy by design and privacy by default
   4. Security by design
What to do to be ready in 2018 > To do list
How DLA Piper can help you > DLA Piper GDPR Compliance Methodology
GDPR impact assessment: Tailored assessment of the relevance of the GDPR provisions
Gap analysis: Analysis of the actual level of compliance
Internal evaluation and prioritization: Determining the company’s risk appetite and action plan
Implementation: During this phase, the action points identified in the action plan during Module 3 will be implemented. This should result in taking the necessary measures to achieve compliance with GDPR requirements
Consolidation of compliance: Avoiding GDPR infringements (internal and external documentation)
Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com
How DLA Piper can help you > Stay informed
Questions?
Giulio Coraggio
DLA Piper, Milan
Giulio.Coraggio@dlapiper.com
Antoon Dierick
DLA Piper, Brussels
Antoon.Dierick@dlapiper.com
Richard van Schaik
DLA Piper, Amsterdam
Richard.vanSchaik@dlapiper.com
Editor's Notes
who starts speaking?
everyone presents himself?
with some exceptions?
GDPR not applicable to anonymous data!
territorial scope of the GDPR
follow?
maybe be careful with renegotiating (Greentube will be present for example)
how does anonymous tie in with this slide?
sensitive data: betting in the brackets
Also discuss likelihood of sanctions… similar to competition law?
why higher threat?
what is the megaphone link?
what is the question mark link?
details on what is going to be added
basis:
consent
contract
legitimate interest
data portability issue - what is the scope of data portability (what needs to be transferred)?
latest status update on this
also status update on model clauses (are sent to Court)
explain certification mechanism
do we already apply for certification scheme?