The impact of GDPR for online gambling sites

22 February 2021
The European Union’s General Data Protection Regulation (GDPR) is a set of laws and provisions governing anyone who collects, processes, stores, or otherwise uses in any way the data of EU citizens. These laws apply worldwide, not only to companies operating in the European Union.
GDPR was implemented in 2018 and each Member State was then required to transpose it into national law. The laws were designed to provide a significant upgrade to existing consumer privacy laws, adapting them for the digital age.
At their core is the concept of consent and the belief that individuals have a right to say what data is held on them, by whom, and how it is used. It obliges any company that collects any form of personally identifying data to put safeguards and measures in place to keep that data safe. Furthermore, all information systems and databases must be designed with data privacy in mind.
Lastly, data can only be collected if it satisfies the legal bases specified by the regulations. Also, the data subject has the right to demand that all personal data related to them is erased immediately and for any reason, without repercussion.
The GDPR not only applies to back-end processes but requires companies to be transparent about themselves and the way they work. Yes, the GDPR is a complex, far-reaching, and quite complicated set of laws, but they are required.
How does it impact my iGaming startup?
The online gambling industry relies heavily on collecting and processing user data. This data is used to improve services, personalize the player’s experience, reduce fraud, and identify problematic behavior. Also, the integration of other technologies such as mobile gambling and the Internet of Things both uses and relies on the player’s data.
You cannot buy or transfer email mailing lists to your startup. (photo by Flickr)

GDPR also means that you cannot buy or transfer email mailing lists to your startup. If you have an email list or mobile marketing lists from another business, even if it’s owned by you, GDPR means you cannot use it for your iGaming startup. This is because each individual has to opt in to receiving communications from the entity that is sending them. The GDPR is big on consent and it’s not something that can be shared or transferred between companies.
You can start building your list by asking visitors to your site to opt in to receive marketing materials. Be sure to keep an auditable paper trail of their consent to ensure you have complied with the rules.
You will also have to display policies on your website including terms and conditions, privacy policies and information on who you are, where you are based, and how to opt out of communications. You must also advise people they can request to have all data you hold on them removed, and how to request this.
These are just a handful of the ways that GDPR impacts your online gambling business startup.
What are the consequences of non-compliance?
GDPR is not something you can opt into, opt out of, or ignore if you're not based in the EU. For example, if you are based in Curacao and have clients in Italy or France, the rules do apply to you.
Non-compliance with GDPR carries big consequences. These include fines of up to EUR 10 million or 2% of the global turnover of the preceding financial year, whichever is greater. It’s also worth noting that this percentage is not just for the company that made the breach; it applies to the entire group, other connected corporate entities, and natural persons. Additionally, at a member state level, there are criminal and civil penalties that can be levied against those who violate the law.
You also have to consider the toll it can take on your reputation. As a startup or fledgling business, building your reputation and trust from your clients is an important undertaking. It takes time, hard work, and money to achieve. By failing to comply with GDPR at any stage, you risk undoing all of that and your reputation suffering significantly.
Whatever benefit you think avoiding GDPR might have is voided by the consequences of getting caught.
Core elements
There are six main principles behind the GDPR:
1. Right of individuals: Strengthening the rights of individuals in terms of data that is collected, processed, or stored relating to them.
2. Right to be informed: Businesses must ensure individuals understand who is collecting their data and how it will be used.
3. Right to be forgotten: Individuals can request their data to be erased within one month.
4. Data protection officer: Companies must appoint a data protection officer to ensure they comply with all their GDPR obligations.
5. Obligations on data processors: Data processors are required to implement appropriate measures to ensure data is protected.
6. Data protection impact assessment: Companies must carry out data protection impact assessments to ensure compliance.
The last word
Fast Offshore works with a large portfolio of iGaming clients that both operate in and have clients located in the EU. We have assisted with countless startup processes, helped appoint data protection officers, and been on hand for data protection impact assessments. We can advise on compliance matters not just concerning the GDPR, but also concerning similar laws in other jurisdictions.

Ron Mendelson

Ron Mendelson is the Director of Costa Rica-based business and financial consultancy firm, Fast Offshore. With over two decades of experience in corporate services, iGaming, international business, finance, licensing and legal matters, he advises a number of international clients on their business needs in the Americas, Europe, and beyond.