With the World Reacting to Covid-19, Gambling Operators need to re-think Data Protection.

Why Responsible Gambling Operators should Recognise the Covid-19 Pandemic as a Trigger to Review Data Privacy and Security Policies in Order to Reduce Potential Harm.

If you are a gambling operator and have not reviewed your data privacy or data security policies during the last month, please contact us for a confidential discussion to see if we can help you. You can reach us on 0800 170 1538.

Why do data security and data privacy requirements need to be reviewed?

Data protection and data security risks need to be re-thought when a gambling operator’s circumstances change, for the reasons we set out in this article. Businesses often realise that an office relocation, systems overhaul or large-scale transfer of staff can cause such a change of circumstances, and these changes can naturally prompt a rethink of data privacy and data security policies. Gambling operators should realise that the current pandemic is also causing a change of circumstances which should prompt a re-think of data privacy and data security measures. In our view, if an operator is not conducting such a review then they may risk a breach of compliance with data protection legislation and may be putting customers at unnecessary risk. Our lawyers can help.

The UK’s current response to coronavirus Covid-19 (as at Spring of 2020) is causing observable radical social change, socio-economic change and technological transformation, as well as less observable but well reported changes to the risk horizon for financial crime and consumer exploitation. These changes may not have triggered a sufficient compliance response by operators, since everyone is adapting to new societal normalities and we all repeatedly tell ourselves that the status quo is the new normal – at least for now. Perhaps that sense of normalisation is undermining the compliance response of gambling operators; however, the rapid normalisation of radical change does not logically detract from the fact that change has occurred.

What are the changes in circumstances?

The changes are obvious as soon as they are listed. They include the following:

  • Customer behaviour is altering with people spending more time at home and significantly more time online without the punctuated breaks caused by commuting or travel.
  • Gambling operators’ office-based staff will likely be reduced to skeletal numbers.
  • Customer service staff are almost certain to be working from home networks without the same standardised corporate IT security infrastructure around them.
  • Customers are more likely to be financially distressed or suddenly and unpredictably impecunious.
  • Historic data of typical employment earnings and affordability is now a far less-reliable indicator of current earnings (since the security of previously steady jobs is now unpredictable), and,
  • Regulators and police services are warning of a steep rise in financial crime, of unscrupulous gangs preying on the vulnerable and of financial scams targeting individuals and organisations.

Potential harm

In light of the above-listed changes arising from the Covid-19 pandemic, it is clear that all gambling operators need to review their existing data privacy and data security policies, as these are unlikely to be sufficient for the present circumstances, where data protection failings could lead to potential harm.

Potential harm is described in recital 2 of the GDPR which states that the legislation exists to protect natural persons, respect fundamental rights and freedoms, protect security and justice and to promote social progress and the well-being of natural persons.

For gambling operators, there are two vectors of harm to avoid:

  • The harm from attacks against the organisation itself, and
  • the harm from attacks against individuals.

In summary, as well as seeking to avoid direct financial scams against the organisation, which may reduce an operator’s ability to run its business properly and treat customers fairly, operators should also be taking extra steps to protect the data of individuals. Gambling operators are in the trusted position of holding lists of potentially vulnerable individuals for whom harm should be avoided, as well as lists of ‘high-rollers’ for whom additional scrutiny of behaviours of play is needed. Keeping these lists is legitimate, but if unscrupulous criminals could get hold of these lists, e.g. through hacking, then harm could be caused to customers at a large scale even where the organisation is not itself targeted by a scam.

Data privacy risk assessments

Overseas-based remote gambling operators will be familiar with the requirement of the General Data Protection Regulation to conduct a risk assessment and implement appropriate technical and organisational measures for secure data processing (see e.g. Recitals 39 and 83 and Articles 5(1)(f) and 32) but may not be aware of the requirements of the UK Data Protection Act 2018 (specifically s.66(1)). Both sets of legislation require appropriate technical and organisational measures to be implemented for data security purposes. As to what is ‘appropriate’, the UK supervisory body, the Information Commissioner’s Office, spells out in its published guidance that it expects a risk assessment to be undertaken to determine this. Indeed, recital 83 of the GDPR spells out an expectation that organisations should specifically evaluate the risks they face. The ICO’s published guidance goes further and specifies that regular reviews of policies are required. In the current circumstances, we have identified that risks have changed and therefore it is clear that risk assessments need to be reviewed.

Jurisdictional application

Although many remote gambling operators may assume that the guidance issued by their local supervisory authority is automatically applicable, the GDPR introduced new requirements for all data controllers and processors to assess which supervisory authority is the appropriate lead authority for their company. In the case of EU/EEA businesses, this will be the single supervisory authority to whom any notifiable breaches should be reported. However, the position is more complicated for those businesses based outside the EU/EEA who will also need to address the requirements in relation to international transfers of personal data from the EU/EEA to their own jurisdiction. Furthermore, non-UK businesses can be bound by the UK Data Protection Act and be subject to UK law (see s.207). We will deal with these important matters in more detail in a separate article.


It is our interpretation of the guidance that, by obvious implication, a change of circumstances should naturally trigger a review of data security assessments and data protection policies. It is our opinion that responsible gambling operators should treat the Covid-19 pandemic as a change of circumstances that prompts a need for a review of controls. Failure to do so could lead to complaints to supervisory authorities and potentially costly enforcement action. Taking the positive opportunity to review policies now will allow gambling operators to publicly demonstrate care for customers specifically and to demonstrate a socially responsible response to the crisis. The review of policies may also give gambling operators the opportunity to more generally streamline and improve their business processes in light of the adjustments to working practices during the global response to Covid-19.


You may also be interested in: How coronavirus is changing data protection for firms? By Alex Matheson and Annette Fong on www.ftadviser.com
