Lawyer Stuart McMaster explains what operators need to know about the GDPR when it comes into force next year.
As the gambling industry prepares itself for the GDPR to come into effect in May 2018, there are still a number of areas of uncertainty, particularly around the topics of consent and profiling. We should hopefully receive some clarity on the latter soon, as the Article 29 Working Party (WP29) is expected to issue its guidelines on profiling and automated decision making in October. Guidance on consent is not expected until December.
Profiling takes many forms: email retargeting; data-driven marketing; automated risk assessments for fraud prevention and AML; loyalty programmes; and behavioural advertising. The Gambling Commission has previously called upon operators to develop profiling techniques to identify and protect problem gamblers, and some operators (such as Kindred and Mr Green) have announced projects that are designed to do exactly that.
Profiling is an activity that particularly interests the regulatory community across the EU. Based on the guidance previously issued by WP29, a business that profiles its customers will probably need to appoint a data protection officer and conduct a formal data protection impact assessment. So what additional guidance do we expect?
In the UK, the Information Commissioner's Office (ICO) has previously flagged that care needs to be taken to ensure profiling is conducted in a way that is transparent, fair and accurate. It is important to ensure that the scope of your profiling operations does not outpace what customers were told would be done with their data. Additional guidance from WP29 around the level of information which must be provided to customers in relation to profiling would be welcomed.
The ICO has also flagged that while profiling is inherently a 'neutral' activity, and can be beneficial for customers by enabling businesses to target customers with offers that are of most interest to them, there are risks that profiling can produce unfair effects. Profiling may become overly intrusive, for example by building up a picture of a customer which exceeds their expectations of what you would be likely to know about them.
Profiling could result in an inaccurate profile being created, given that individuals may buck the trends being suggested by their profile. There is also a risk that customers could be targeted in an inappropriate way - for example, by reference to racial or religious factors or health issues. Operators must pay attention to any guidance given by WP29 on this topic, given the requirement that all advertising of gambling products be socially responsible.
Where profiling is used to make automated decisions which have a legal effect or similarly significant effect for customers, then an additional raft of safeguards will apply. These safeguards, which include the right for the customer to challenge the automated decision, only apply where the decision is sufficiently material. However, there is currently very little guidance on what counts as material in this context. The GDPR gives the examples of the automated refusal of an online credit application or job application. In April 2017, the ICO commented that 'significant effect' was a concept that was difficult to explain.
In the gambling sector, profiling drives a wide range of decisions, ranging from bonus awards through to account suspensions. Which of those decisions should be regarded as having a 'significant effect' for customers? While WP29's guidance is often very high-level, this is an area which sorely needs greater clarity. There is an expectation that automated decisions around bonusing should not be seen as having a 'significant effect'.