GDPR IS COMING IN MAY – HIGHER FINES, SIMPLER TERMS & CONDITIONS AND MORE RESPONSIBLE DATA PROCESSING APPROACH FOR THE INDUSTRY
Enacted back in April 2016, the General Data Protection Regulation (GDPR) will enter into force on May 25th, 2018. Its main purposes are to harmonise the currently diverse national laws on data protection and to further strengthen fundamental human rights in one of their most sensitive areas: personal data.
Personal data means any characteristic of a natural person that can facilitate his or her identification, such as name, gender, place and date of birth, biometric data, and political, cultural or economic features or attitudes. For the Betting and Gaming Industry, companies have only a few months left to review their data processing and privacy policies.
The GDPR will also apply to non-EU legal entities if they offer goods and services to, or monitor the digital behaviour of, data subjects in the EU, regardless of whether the processing takes place inside or outside the EU. In short, the GDPR looks not only at where the processing happens but also at where the individual whose data is processed is located, which means that almost every actor in the Industry will be affected by its provisions.
Each business must implement the principle of data minimisation through appropriate technical, procedural and organisational measures (IT architecture and risk-control mechanisms).
Starting from May 2018, companies will no longer be permitted to rely on unclear, ambiguous or unnecessarily long Terms and Conditions. T&C will need to be written in simple, understandable language. Equally simple and understandable rules must apply when a client withdraws consent to the company's further processing of their personal data.
The GDPR introduces a mandatory notification mechanism in the event of a personal data breach. Data Controllers will be required to report personal data breaches to their supervisory authority no later than 72 hours after becoming aware of the breach.
Customers will have the right to demand that their data be erased from the moment it is no longer needed for its original purpose. It is worth mentioning that the GDPR places the burden on the company, not the customer, to prove that the data in question cannot be deleted because it is still needed.
In general, companies active in the betting industry will be exempt from the obligation to appoint a data protection officer, provided that data processing is not their core business activity.
One or more supervisory authorities (SAs) in each member state will be in charge of monitoring the application of this regulation, and they will also be required to cooperate with each other.
Companies breaching the GDPR can be fined up to 4% of annual turnover, or 20 million euros, if they are proven to have processed personal data without the client's explicit consent. A rate of 2% of annual turnover will apply to “minor” breaches such as an inadequately maintained customer data register.
It is in operators' best interest to fully comply with the GDPR provisions, given their undisputed commercial impact. In short, raising customers' awareness that a provider protects and lawfully processes their personal data will foster customer loyalty.