17 Jan, 2024

How data processing changes with GDPR in igaming

The igaming industry processes very high volumes of customer data. This data is crucial to customising marketing touch-points and creates intricate customer user profiles which are used to grow customer lifetime value.

GDPR is definitely going to effect the industry. The sheer volume of data means that it is no easy feat to get in line with GDPR requirements. Complying with the rules however, will make sure your customers are happier and will help you build stronger relationships over time.

GDPR in gaming – it’s all about transparency

The GDPR regulations are intended to provide transparency for the end user, easy access to their own data and transparency with regards to how their data is processed and for what purposes.

This becomes a little more complex when using third party suppliers to provide the gaming experience and receive online payments. The way this data is processed through the various platforms needs to be communicated to the end user and provided to them upon request.

The basic rights to respect are:

The right to be forgotten

Customers can ask you to delete their information anytime and you have to comply. You may also be asked to prove this in case of conflict.

Right of Access

You will need to provide access to the data you have on file to the customer whenever they ask, free of charge.

Right of Portability

You will need to provide the data downloaded in a portable format whenever they ask free of charge.

Breach Notification

You have 72 hours to inform all the people involved in case of a breach. If part of your list is hacked, stolen, copied or misused by third parties, you need to inform all the people on that list within 72 hours.

GDPR and internal data protection officers

iGaming companies need to appoint a data protection commissioner that takes the role of customer data hero within the organisation. This person is in charge of making sure that all terms and conditions contain a simple yet exhaustive description of how the data is processed internally by the company and in some cases how this is shared with third parties. Online tools that identify individuals such as cookies, IP addresses and location data are now deemed to be Personally Identifiable Data and the information about how these activities use the data is to be shared with your customers.

Refreshing you data in iGaming

The existing database of emails needs to be refreshed by resending an email to all concerned and allow them to opt-in once again. This is required only if the way they opted-in was not in compliance with GDPR regulations. In most cases this will be applicable. It is especially required if you have migrated your emails from one system to another and do not have proof that the person opted into your list willingly and according to GDPR rules. You may be asked to provide proof so you need to make sure you have proof of compliance before the 25th of May.

What to do if a GDPR breach occurs

Since fines are around 4% of turnover the amount could be substantial and companies must be vigilant. Data processors need to be appropriately armed with the right technology and well trained. Any breaches identified by the data processors should be reported to the data protection official within the organisation. Solid, well thought-out policies and processes need to be in place as to how a breach is to be tackled once it is identified.