The challenges posed by GDPR include conflicting regulatory requirements, abuse of data subject rights by players, and data sharing challenges when participating in ad networks. In response, the European Gaming and Betting Association (EGBA) has recently launched a consultation on its draft Code of Conduct for compliance with the GDPR.
In this article, we will explore common data protection mistakes and challenges, and propose industry-specific solutions for compliance with the GDPR in accordance with best practice and the proposed EGBA Code of Conduct.
A first challenge for operators that maintain complex environments is gaining an overview of and identifying all data flows relating to personal data, especially when participating in ad networks. General compliance obligations include maintaining a record of processing activities and privacy notices as well as having a lawful basis for each data processing operation.
The gaming industry is a heavily regulated sector, meaning that operators are subject to the many obligations imposed on them by national gaming laws and license conditions, anti-money laundering (AML) laws, rules for responsible gambling, and codes of practice. In practice, this means that certain categories of data must be retained for a longer time than would otherwise be permitted by the GDPR. Segregating data so as to simultaneously meet and balance the delete-versus-retain requirements of AML rules, gaming laws and other legal retention obligations, which vary from country to country, creates extra workload for operators, including changes to their current processes and systems to meet these requirements.
The GDPR sets a high standard for consent, namely that it must be "freely given, specific, informed and unambiguous". In practice, this means the following for consent mechanisms:
When consent is used as a legal basis for processing personal data, operators should ensure players are able to withdraw consent at any time. Some common mechanisms for withdrawing consent include the following:
Games providers may have to implement challenging software modifications when developing procedures in order to ensure that players can exercise their data protection rights under the GDPR. The right to data portability is an especially tricky one.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Under Art. 20 GDPR, players have the right to have an operator send their personal data to another data controller by various means, such as direct download or data transmission via API. This right applies only to data for which the processing is based on consent or on a contract, where the processing is carried out by automated means and where the data has been provided by the player to the operator. The following data should be considered to be covered by the right to data portability:
However, the right to data portability does not include personal data where the justification for processing is not consent or contract, for example data which is processed for legitimate interests or legal obligation. Exempt data may therefore include, but is not limited to:
The success of any gaming operator also depends on its ability to leverage personal data, and accordingly operators in this sector are significantly affected by the recent changes brought about by the GDPR. The EGBA's draft Code of Conduct represents a first major step towards a standardized approach to handling players' data. Mapping the data flows per game, embedding mechanisms to manage consent and segregating data which is not subject to data portability are key steps for operators to tackle GDPR compliance.