The General Data Protection Regulation published by the European Parliament, the Council of the European Union and the European Commission, is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU).
GDPR Compliance Services Guide
GDPR Compliance
Kyte is offering a range of services to assist customers in EU GDPR compliance:
Data Protection Healthcheck (Pre-assessment)
A pre-assessment carried out by Kyte establishes a high-level overview of the organization's processes and systems
that collect information on data subjects. The objective is to determine the
organization's overall readiness for EU GDPR compliance.
Assistance with documentation for data protection
Assistance with document templates:
❖ Incident Response Plan
❖ Data Protection Policy
❖ Information Security Policy
❖ Data Retention policy
❖ Data Disposal policy and procedure
❖ Privacy policy (for websites)
❖ Cookies policy (for websites)
DPIA (Data Protection Impact Assessment)
A DPIA must be performed where processing is likely to result in a high risk to the rights and freedoms
of natural persons. It shall contain at least:
❖ A description of processing and operations.
❖ An assessment of the necessity and proportionality of the processing.
❖ An assessment of the risks to the rights and freedoms of data subjects.
❖ The measures envisaged to address the risks.
❖ Evidence of compliance with approved codes of conduct.
❖ A statement as to whether data subjects have been consulted.
A DPIA can also be useful for assessing the data protection impact of a technology product, for
example a piece of hardware or software, where this is likely to be used by different data controllers
to carry out different processing operations. Of course, the data controller deploying the product
remains obliged to carry out its own DPIA with regard to the specific implementation, but this can be
informed by a DPIA prepared by the product provider, if appropriate.
Assistance with data protection audits (depends on the supervisory authority of the country of headquarters)
DPO (Data Protection Officer)
Tasks of the data protection officer:
❖ To inform and advise.
❖ To monitor compliance.
❖ To provide advice with regard to data protection impact assessments.
❖ To cooperate and liaise with the supervisory authority.
❖ To be a point of contact for data subjects.
❖ The DPO must have due regard to risk associated with processing operations.
Article 37(1) of the GDPR requires the designation of a DPO in three situations:
❖ Where the processing is carried out by a public body.
❖ Where core activities require regular and systematic monitoring of personal data on a large
scale.
❖ Where core activities involve large-scale processing of special categories of data.
Note:
We recommend that Remote Gaming Operators appoint a Data Protection Officer due to the regular
processing and monitoring of personal data of players.
Article 37(1)(b) and (c) of the GDPR refers to the ‘core activities of the controller or processor’. Recital
97 specifies that the core activities of a controller relate to ‘primary activities and do not relate to the
processing of personal data as ancillary activities’. ‘Core activities’ can be considered as the key
operations necessary to achieve the controller’s or processor’s goals.
Examples of large-scale processing include:
❖ processing of patient data in the regular course of business by a hospital or clinic
❖ processing of travel data of individuals using a city’s public transport system (e.g. tracking via
travel cards)
❖ processing of real time geo-location data of customers of an international fast food chain for
statistical purposes by a processor specialized in providing these services
❖ processing of customer data in the regular course of business by an insurance company or a
bank
❖ processing of personal data for behavioral advertising by a search engine
❖ processing of data (content, traffic, location) by telephone or internet service providers
Note:
One of the changes introduced by the GDPR, which was specifically designed to simplify compliance
measures and reduce bureaucracy, is the abolition of the obligation on data controllers to submit
a notification of processing operations to national data protection authorities.
Notwithstanding this, Article 30 of the GDPR places an obligation on both data controllers and
data processors to, inter alia, keep an internal record of processing activities. As a minimum, such a
record is similar to the information previously notified to the Commissioner in the notification form.
The requirement to retain such a record applies to organizations employing 250 persons or more,
or when the processing involves special categories of data (e.g. health or biometric data) or is likely to
involve risks for data subjects. Following the entry into application of the GDPR, such records shall be
made available to the Commissioner upon request.
Note:
Bear in mind that organizations outside the EU that collect and process information on EU individuals
still need to comply with this regulation. Fines for non-compliance can reach €20,000,000 or 4% of global
turnover for the previous year, whichever is higher.