2020: The year that GDPR, regulatory compliance and profitable business collided
Gaming Regulators around the globe, quite properly, require their licensed operators to perform checks upon their customers which are proportionate to the risk(s) they pose. In order to obtain and maintain a license, employees and some third-party suppliers are also subject to checks. When Regulatory reviews are carried out and operators are deemed to have fallen short, they are fined, often to the tune of millions of pounds. The most recent fine in March of this year totalling £11.6million serves as a stark reminder of the penalty faced by licensed operators for failing to comply.
Since Co-Founding Synalogik, a company now providing compliance solutions to a significant proportion of the UK gaming, banking and law enforcement sectors, I have been in the privileged position to work with hundreds if not thousands of individuals who work tirelessly to try to ensure that the standards required of them are not just met, but exceeded. Indeed, it is often the case that licensed organisations exceed the minimum recommendations made by the Gambling Commission.
Similarly, I have the benefit of being able to speak to those in authority at the various Regulators, Commissions, Councils and Charities who don’t just wield the stick of Regulatory fines, but also offer support, guidance and advice to the extent that they are permitted. The sense of common direction and desire from both sides, Regulators and Operators alike, is profound to those, like us, working in the middle. The experience drives us to empower licensed organisations to protect themselves and their customers within the GDPR and data protection framework whilst remaining operationally effective and user friendly.
It is important that we support the sector, the gambling industry provides an opportunity for entertainment and socialising during this difficult time and beyond, demonstrated in the growth estimates since March 2020. One way of doing so is by recognising that licensed organisations do not want money launderers or those involved in wider criminality operating upon their platforms. Neither do they want to present a risk to those vulnerable to problem gambling or who are underage. The assumption might be that licensed organisations have to employ vast numbers of staff to carry out Customer or Enhanced Due Diligence (“CDD” or “EDD”) checks upon their customers to see if they might be politically exposed, have adverse press reports linked to them on the web or be in huge amounts of debt. We argue, this is not the case.
| COVID-19
In March 2020 the sports gaming industry saw the very essence of their operating model disappear overnight when sport was cancelled across the United Kingdom. (I still have to pinch myself sometimes when I write that down…). As bricks and mortar betting premises closed their doors, online gambling searches reportedly reached an all-time high. The shift is concerning for Regulators and Operators alike, primarily for those at high risk of problem gambling and also in the fight against criminal activity at a time when frontline staff can no longer physically engage with customers.
The COVID-19 pandemic rapidly changed how licensed organisations operated, as it did across all industry sectors. From the closure of physical gambling premises to the mass shift to remote working for those employed within the sector, the changes were immediate and unprecedented. The conditions came at a time when Regulatory and data protection requirements were heightened and the volume of data being processed exponentially increased. With margins becoming increasingly squeezed, we have the perfect storm brewing.
| Gambling and Sport
As a Sports Disciplinary Tribunal Chairman and practising sports law barrister, I feel uniquely positioned to see the profound impact that these, perfectly proper, decisions are having, not just upon the immediate seasons and fixtures, but upon the Clubs themselves and their ability to sustain their very existence over the coming years. I have represented a number of professional football, rugby, ice hockey, cricket, rowing, athletics and even archery teams over the last decade. Each and every one of those teams depended to some degree or other upon the sponsorship they gleaned, in part or in whole, from the regulated gaming sector.
Gaming businesses, like them or loath them, are fundamental to the viability of many of our cherished sports and worth an estimated £14.3billion in the United Kingdom alone. If they get squeezed ‘till the pips squeak’ they will be forced to do one of, or a combination of, the following:
- Cease to operate in the UK licensed market, focusing upon the less regulated US, Asian and other markets
- Cease, or renegotiate, fees to sponsor UK clubs, players, teams and television events,
- Go bankrupt
None of us want this to occur; so we (Regulators, Operators and everyone in between) are driven to exploring how this can be avoided. That means striking a balance between privacy, compliance and ensuring that the gaming experience is not overly burdened by tick boxes or pop ups.
| Privacy Law
One key issue faced by Operators is where privacy law and compliance requirements clash. The Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”) govern how organisations, businesses and individuals in the EU and UK collect and process personal data. They apply to any “controller” or “processor” providing goods or services to an individual that lives within those areas. Interpretations about what constitutes personal data differ, but if one assumes at its highest, that any subjective or objective information that could be used, or used in combination with publicly available information, to identify a person is “personal data” then you won’t go far wrong.
There can be no doubt that the provisions represent a huge step forward in the rights of individuals with regards to their personal data and how safely it must be kept by those having lawful grounds to process it. Make no bones about it, the GDPR and associated UK legislation are a very good thing and the collective awareness of the public as to those rights is a positive.
The result for Operators are increased requirements for data storage, processing, analysis, deletion, anonymisation and transparency. Whilst, again, a very good thing, the requirements create more pressure upon the Operators, who are required to take all reasonable steps to identify and not allow people demonstrating certain traits or characteristics onto their gaming platforms and have an auditable record of every check they’ve done, who processed that data, what was the source of the data and how long will it be retained. The risk of falling foul of data protection law is high and the consequences severe. With several data protection class actions making their way through the Supreme Court and increased fines from the Information Commissioner’s Office now capped at 4% total worldwide annual turnover; the risk of exposure to both regulatory financial penalty and civil class actions totalling millions has never been higher.
GDPR is not designed to prevent diligent checks or limit reasonable investigation, on the contrary it provides several gateways to allow Operators to strike the balance between their compliance obligations, social duties and the need to protect privacy. One obvious example lies in the contractual mechanism whereby Operators request their client’s consent to process their personal data for certain purposes as part of the onboarding requirements. This “Article 6” gateway gives the operators clear and express permission to delve into the myriad of different data sets which exist to perform a contract and will allow them to make informed decisions about how much that person should be allowed to gamble, what should their net spend be, should they be concerned if deposit volumes change, should repeat bets be of concern, what number and type of games should they allow them to play and many more questions of this kind. As anyone who has been through a UKGC review interview will attest, they require the operators to demonstrate and evidence their reasoning for every one of these questions when they suspect standards have not been followed and to keep compliance related data for lengthy periods up to 6 years.
Whilst the Operators are put to task by the Regulators when mistakes are made, the Regulators are not allowed to recommend particular products or private companies providing services into the sector that could alleviate the cost and time burden and minimise the risk of exposure to data privacy actions. So, when an Operator’s being hauled over the coals asks, “Well what do you suggest we use to achieve the standards you are setting?” they cannot be told. One can see how difficult life must now be for the Operators who are doing their best, but unaware of the best tools with which to ply their trade.
| Technology
Just as the gambling sector has embraced new delivery methods and igaming, they should embrace how technology can underpin their compliance and regulatory needs. Health warning: This is not going to now become some big sales pitch for our products or services. I’m not even going to name our platform. The numerous Tier 1s, 2s and 3s in the sector know who we are and what we’ve been doing for them for the last three years.
My point is a wider one. When any technology exists which allows businesses to thrive, Regulators to see their wishes being carried out and individuals having their rights protected; that must be a massive win for all concerned. A win which needs shouting from the roof tops!
The knock-on effects could also be profound. If we, as UK businesses, wish to see our fantastic sportsmen and women thrive in UK based team sports, then a key element of that success is going to be ensuring that our land based and igaming sector get the best support that they can from Regulators and the private sector.
Those operators out there who have found resource saving products which lawfully enhance their ability to perform KYC checks without interfering with their “customer journey” should be telling the other companies about it; especially when the Regulators can’t!
Through fully automated workflows, bespoke risk assessments and the aggregating of multiple data sources concurrently, operators can make the right decisions in a fraction of the time it takes to manually process compliance checks and without increased headcount. Secure by design, technology can reduce your exposure to both regulatory penalty and civil or employment actions.
If yours, or another UKGC or FCA regulated business, are still employing people to Google your clients’ names or search through Beta Companies House, then you’re already significantly behind the curve. Similarly, if they’re searching consumer data, consented data or credit reference agency data by logging into each platform separately then these employees are being paid, to a significant degree, to be researchers rather than decision makers.
An average ROI of 10:1 can be achieved through automating the gathering of data for compliance purposes using a single interface.
There are a few businesses who might be able to help you; we’re certainly one of them. Challenge us to show you how swiftly we can do your checks.
Unsure about how the law applies to the due diligence you currently do or intend to do? Our legal partners at Harrison Clark Rickerbys are on hand to help. From reviewing current policy to advising on data protection or employment claims; HCR empowers you to protect your business within the legal framework.
Daniel White
Emma Humphrey
17th November 2020
| Bio:
Daniel White is a barrister specialising in sports, criminal and data protection law. He’s one of the Attorney General’s appointed counsel, a grade 4 prosecutor and sits on and advises individuals and teams appearing before all types of sports disciplinary tribunal.
Daniel Co-Founded Synalogik Innovative Solutions in 2018 with individuals who came from intelligence, policing and military (UKSF) backgrounds. Since going out to market with their platform, they have taken significant market share in the insurance, gaming, banking and law enforcement sectors.
Emma Humphrey is a former Open Source Intelligence specialist with a First-Class Honours in Law from the University of Birmingham. Having recently completed a Masters in Insider Threat and Data Protection issues, she is now training to be a solicitor at Harrison Clark Rickerbys (HCR) with a particular focus on Cyber and Data Protection.
HCR are a Top 100 UK Law Firm with dedicated Technology and Defence, Security and the Forces Sectors. Experienced in delivering legal advice in new and emerging technologies across various industries to include the Gaming Sector, we can confidently guide you and your business to success.
