GamblingCompliance Regulatory Briefing

The Implications of the New EU General Data Protection Regulation (GDPR) for the Gambling Industry March 22, 2016

Organised by Sponsored by

GDPR brochure.indd 1 21/03/2016 11:59

Overview

This one-day event will take an in-depth look at the effect the new EU General Data Protection Regulation (GDPR) will have and what it means for the industry, and provide attendees with deep insight into how to deal with the new regulation in a practical and measured manner in order to future-proof their business. This event is CPD certified and all attendees will accrue five CPD points.

The event will be held at the prestigious Law Society Hall in London and will feature a day of knowledge exchange and networking, culminating in a drinks reception.

Draft Programme

Time | Speaker | Subject

Morning Session - The Regulatory Landscape

9:00 | | Registration & Coffee

9:45 | Chair | Welcome Address

10:00 | Garreth Cameron, Group Manager For Business And Industry, Information Commissioner’s Office (ICO) | Keynote Speech: Overview Of The New Regulatory Regime

10:20 | Garreth Cameron, Group Manager For Business And Industry, Information Commissioner’s Office (ICO); Ross McKean, Head of Data Protection, Olswang LLP | Fireside Chat

10:40 | Ross McKean, Head of Data Protection, Olswang LLP | Presentation: Discussion on GDPR - Timeline And Key Dates, Penalties And Sanctions

11:10 | | Coffee Break

11:40 | Anna Soilleux, Senior Associate, Olswang LLP; Michael Mrak, Head of Compliance and Data Protection, Casinos Austria AG and Austrian Lottery GmbH; David Clifton, Founding Director, Clifton Davies Consultancy | Panel Session: GDPR Readiness - What Gambling Businesses Need To Do In The Next 24 Months

12:45 | | Lunch Break


Time | Speaker | Subject

Afternoon Session - The Industry Perspective

13:45 | Steve Wright, former Global Privacy Officer, Unilever | Keynote Speech

14:05 | Steve Wright, former Global Privacy Officer, Unilever; Ross McKean, Head of Data Protection, Olswang LLP | Q&A: Best Practice for the Coming Years

14:25 | Ross McKean, Head of Data Protection, Olswang LLP; Roy Ramm, Founding Director, ExtraYard; Chris Martin, Senior Business Manager EMEA, Darktrace; Mark Raeburn, CEO, Context Information Security | Breach Response Best Practice, including presentations on:

• GDPR requirements for breach monitoring and notification – Ross McKean, Olswang LLP

• Using machine learning to detect advanced network breaches in real-time – Chris Martin, Darktrace

• Threats, bad actors and forensic investigations – Mark Raeburn, Context IS

• Working with the police and law enforcement on cyber defence and response – Roy Ramm, Extra Yard Limited

15:40 | | Coffee Break

16:00 | Anna Soilleux, Senior Associate, Olswang LLP | Presentation: Marketing, Profiling And Consent

16:30 | Ross McKean, Head of Data Protection, Olswang LLP | Presentation: International Transfers

17:00 | Chair | Closing Remarks

17:15 | | Networking Drinks

18:30 | | End of Conference

Programme Highlights:

• Opening address from Garreth Cameron, Group Manager For Business And Industry, Information Commissioner’s Office (10:00)

• The breach response session will examine GDPR requirements, threats and detection, and enforcement (14:25)

• Insight from experts from across Europe will reveal what gambling businesses need to do in the next 24 months (11:40)

Speakers

GARRETH CAMERON - GROUP MANAGER FOR BUSINESS AND INDUSTRY, INFORMATION COMMISSIONER’S OFFICE (ICO)

Garreth Cameron is the Group Manager for Business and Industry at the Information Commissioner’s Office (ICO). He has responsibility for managing the ICO’s strategic relationships with industry stakeholders in order to uphold information rights in the public interest and promote data privacy for individuals. Garreth also takes a lead role in handling high profile cases involving private sector organisations where there may be significant media interest. Garreth joined the ICO in 2013 following a successful career in local government trading standards where he regularly advised on aspects of consumer protection law and investigated serious breaches leading to civil and criminal proceedings. Garreth holds an LLM degree in law and has a keen interest in the legal and policy challenges arising from the emergence of the information society.

DAVID CLIFTON - FOUNDING DIRECTOR, CLIFTON DAVIES CONSULTANCY LIMITED

David is a founding director of Clifton Davies Consultancy Limited. He is well known for his depth of experience in all aspects of licensing and gambling law in which he has specialised for more than 30 years.

He advises a broad range of leisure and gambling industry clients both throughout the UK and overseas and has been a contributing editor for leading textbooks on the subject of licensing and gambling law.

While a partner at Joelson Wilson Solicitors, heading up their Licensing & Gambling team, prior to setting up Clifton Davies Consultancy Limited, David was consistently top-ranked in the Legal 500 and Chambers & Partners Guide to the Legal Profession, where he was “singled out for his advocacy skills” and described as “a genuine expert in the field, fantastically dedicated and client-oriented”.

David set up Clifton Davies Consultancy Limited as a non-law firm in May 2013 to provide cost-efficient consultancy advice including new business and strategic planning, compliance and regulatory advice and expert handling of licensing applications to, and advocacy before, gambling regulators and licensing authorities throughout the country.

CHRIS MARTIN - SENIOR BUSINESS MANAGER EMEA, DARKTRACE

Chris Martin joined Darktrace in early 2015 to develop the EMEA sales operation. Chris’ experience is predominately in offensive security, using specialist threat intelligence to plan and manage red-team engagements designed to simulate state-sponsored targeted attacks. Chris specialises in working with organisations across CNI, banking, telecommunications, and defence. Chris has extensive experience in advanced attack methodologies, operational security, threat intelligence and incident response. Prior to joining Darktrace, Chris gained operational experience in social engineering, having been deployed during customer engagements to elicit intelligence, breach physical perimeters and deliver physical implants into target sites.


ROSS MCKEAN - PARTNER, HEAD OF DATA PROTECTION, OLSWANG LLP

Ross leads the Olswang data protection practice and has broad experience of data protection and privacy matters including audits, compliance assessments, remediation projects, ad hoc and transactional advice. Ross regularly advises clients on security breach, international transfers and data subject access requests. He assists clients with regulatory investigations and crisis management. Ross is also an experienced sourcing lawyer, advising clients on a wide variety of sourcing deals with a particular focus on the financial services and telecommunications sectors.

He frequently advises on data protection compliance as part of his transactional practice and has recently advised on complex HR cloud solutions, helping to achieve a compliant structure across multiple jurisdictions. Ross is ranked as a leading individual for data protection, technology and outsourcing in Chambers. Before joining Olswang, he was with Baker & McKenzie for 16 years, where he was a partner in the IT/Com department of their London office and an active member of their data protection and outsourcing practice groups.

MICHAEL MRAK - HEAD OF DEPARTMENT COMPLIANCE, CASINOS AUSTRIA AG & AUSTRIAN LOTTERY GMBH

Michael Mrak is a lecturer at the University of Applied Sciences in Graz and he is also well known as a speaker at various seminars about Compliance in the gaming industry.

Since 2008, he has held the role of Head of Department Compliance, which covers all Data Privacy, Anti Money Laundering and Anti-Corruption issues of the Casinos Austria & Austrian Lotteries Group.

Michael joined Casinos Austria in 1993 as a project manager, a role in which he was responsible for the design and implementation of the wide area network of all 12 Casinos in Austria and for the integration of IT systems. He was also responsible for the development and operation of all IT security systems. In 2001, Michael started to work as Data Protection and Information Security Officer.

MARK RAEBURN - CEO, CONTEXT INFORMATION SECURITY

Mark Raeburn is the CEO of Context Information Security, one of the UK’s largest technical security consultancy companies with an expanding network in Germany and Australia.

He has led the company’s growth since its inception in 1998. Prior to this, he was the Security Manager for PricewaterhouseCoopers for ten years, with responsibility for UK and Eastern Europe. Mark has a breadth of security knowledge, collected during 23 years of senior security management.


Mark sits on or chairs a number of security industry panels and has done much to move the professionalisation of the Information Security industry, in both the UK and elsewhere, including Australia, Germany and the US.

His current principal focus is on exploring the challenges of detecting and preventing malware, particularly within the corporate environment, and helping businesses understand the new and growing threats and how to respond.

Mark is supported by a team of more than 150 consultants with a wide variety of backgrounds, who together have worked with the very biggest of organisations to tackle both mainstream and bespoke security challenges.

ROY RAMM - FOUNDING DIRECTOR, EXTRAYARD LIMITED

An industry professional since 1997, Roy Ramm’s career has focused on the development of effective responsible gambling policies. As the senior compliance officer in a high-risk industry he also developed highly effective anti-money laundering policies that balanced commercial opportunities with regulatory compliance.

When Caesars Entertainment entered the UK market he was appointed as Governance and Public Affairs Director for Caesars UK. Beyond his primary regulatory remit, he was for ten years the chairman of The Emerald Casino Resort in South Africa, a large hotel, casino and leisure complex, and held an executive role in Caesars interests in the Middle East.

He has taken a leading role in the casino industry’s trade body – the National Casino Forum chairing the Operations Forum for six years – and has led in promoting innovative, responsible and ethical practices through the development of the Playing Safe and SENSE (self-exclusion) initiatives and in developing casino industry policy on crime prevention, anti-money laundering and data protection.

He also led the industry’s engagement with government at ministerial level. He now manages his own consultancy, Extrayard Limited.

ANNA SOILLEUX - SENIOR ASSOCIATE, OLSWANG LLP

Anna is a senior commercial and regulatory lawyer at Olswang LLP, specialising in data, gambling, consumer and e-commerce.

She is a trusted advisor to a wide range of clients, from large US technology and FTSE 100 companies to gambling operators, online retailers, biometrics organisations and providers of cyber security solutions.

Anna has significant experience across the full spectrum of data and privacy matters. She regularly advises on data breaches, investigations by regulators, marketing issues, data compliance risk audits, data processing and transfer arrangements and the implementation of “privacy by design” practices.

Within the gambling sector, her clients include Gamesys, 888, Betfred, William Hill, AsianLogic and Sporting Index.


STEVE WRIGHT - FORMER CHIEF PRIVACY OFFICER, UNILEVER PLC

Steve Wright is passionate about big data and all things digital. After more than 20 years in the business, designing, developing, managing and delivering transformational data governance, privacy and security programmes, Steve has vast experience as a pragmatic and charismatic leader. Steve is also a published author, a non-executive director and is regularly invited to speak at industry events, trade associations and thought leadership working groups, working towards continually finding new ways to increase trust and transparency in respect of consumer services, business functions and product vendors.

Steve believes that big data (governance), cyber security and privacy are all inextricably linked as they share common objectives and principles, and therefore require satisfactory safeguards and assurances. From a business perspective, this can be achieved by building “data trust and assurance” programmes based on the fundamental principles of transparency, accountability, protection, integrity, confidentiality and availability, accompanied by clear policies and delivered through comprehensive training, integrated procedures and a robust compliance regime.

As chief privacy officer at Unilever, Steve worked towards achieving Unilever’s digital ambition to connect with one billion consumers around the world, an ambition that pushes the boundaries of functionality, connectivity and personalisation. Steve’s role was to work collaboratively and integrally with the business, to help steer and shape the digital conversation and leverage the power of data analytics, while also ensuring that the business remains compliant with laws around the world and acts in a moral and ethical way.

This work involves proactively communicating with Data Protection Authorities from around the world and regularly training lawyers, marketers, HR and R&D personnel to ensure that they understand and know their responsibilities.

Steve has integrated Privacy by Design concepts into Unilever’s applications and architecture and has embedded an easy-to-use Privacy Impact Assessment procedure, across all relevant Unilever Functions. This enables the business to continue to grow and innovate digitally, while remaining compliant and not putting its brands or the business at risk.

Having served as a chief information security officer, and completed several similar leadership development programmes at Deloitte, PwC, Siemens and Capita, Steve has a full appreciation of what is required to get the job done in a cost effective, pragmatic and timely fashion. Throughout his career, Steve’s natural ability to lead from the front, to coach teams in successfully achieving their goals and to take responsibility consistently and courageously to deliver on promises, is what sets him apart from the pack.

DATA PROTECTION CONTENT PORTAL

Your single-source solution for critical information

The Data Protection environment is facing fast-moving and complex regulatory change. Now, more than ever, it’s imperative to have access to reliable information.

Mitigate your data protection risk with the GamblingCompliance Data Protection Content Portal by ensuring your employees understand their responsibilities and obligations in this complex regulatory environment.

FIND OUT MORE AT GAMBLINGCOMPLIANCE.COM/DATA-PROTECTION-HUB

How to Prepare for the EU General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) is expected to be finalised in Spring 2016 and come into force in 2018. This guide is based on the latest text and sets out how gambling businesses can prepare for the law.

What is the General Data Protection Regulation?

The proposed EU data protection law, the GDPR, will replace the current EU data protection law, Directive 95/46/EC. The GDPR is expected to be finalised in Spring 2016 and come into force in 2018. This will give organisations/companies sufficient time to implement the required changes to abide by the GDPR.

The GDPR will further harmonise data protection law among EU member states; this will also mean that companies outside the EU will be affected by the GDPR in so far as they have data relating to EU subjects. The legislators have announced that the GDPR will be “a one-stop-shop” for data protection law in the EU — it will aim to ensure that companies and citizens will only have to deal with one single supervisory authority.

Except where indicated otherwise, this guide is based on the latest proposed text published on January 28, 2016 on the website of the Council of the European Union. The European Commission adopted the proposed GDPR on January 1, 2012. This guide will be kept up-to-date with significant developments in the legislative process.

The European Data Protection Supervisor (EDPS) has released an app to allow comparison between the latest proposed texts.

Legislative history

The legislation has been heavily lobbied along the way — as European Parliament ministers submitted 4,000 amendments to the proposal, there have been many draft versions of the proposed law.

The European Council (European heads of state and government) has been negotiating on the GDPR to reach common agreement between the member states. In May and June 2014, the Council agreed upon:

• Rules governing transfers to non-EU countries or international organisations (Partial General Approach on Chapter V).

• Territorial scope – non-European companies have to apply the same rules when offering services to EU consumers.

In October 2014, the Council reached partial agreement on rules governing the processing of personal data by companies, governments and other organisations, with the objective of cutting red tape and building flexibility.


The Working Party on Information Exchange and Data Protection (DAPIX) held a final meeting on the GDPR in February 2015.

A “general approach” agreement on the text of the GDPR was reached at the meeting of the European Council on June 15-16, 2015.

On December 15, 2015, an agreement on this text was reached between the European Parliament, the Council and the Commission.

The Permanent Representatives Committee (Coreper) of the Council endorsed this compromise text on December 18, 2015.

The latest version of the GDPR was published on the website of the Council of the European Union on January 28, 2016. On February 12, 2016, the Council adopted a political agreement on the text.

The official amendments and opinions can be found at http://eur-lex.europa.eu/procedure/EN/2012_11.

A table prepared by the EDPS comparing the proposed wording of each of the European Commission, the European Parliament and the European Council (“general approach” agreement), as well as the EDPS recommendations, can be found at https://edps.europa.eu/.

Where to from here?

The Trilogue negotiations with the Parliament, the Council and the Commission commenced in June 2015.

Negotiations resumed in September 2015, and on December 15, 2015 an agreement on the text was reached between the European Parliament, the Council and the Commission.

How will the law be enforced?

The proposed law will be a regulation, which means that it will be directly applicable in EU member states without having to be transposed into national law. The current law, Directive 95/46/EC, needed to be transposed into national law by each member state.

The package presented by the Commission in January 2012 also consisted of a directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. This so-called “Police” directive will mean that law enforcement authorities will not have to apply different laws according to the origin of the data. The directive, once adopted, will be EU law, although as a directive it will need to be transposed into national law by each member state.

How should payments businesses be preparing for the forthcoming GDPR?

The new law will require many companies to make changes to their business and companies should begin to look at these potential changes. Having said that, the text of the GDPR has not yet been adopted, although it is reasonable to assume that the core developments will stay the same. However, until the text has been adopted, any new strategies should be adaptable to further changes.

• On January 25, 2012, the European Commission released the proposal draft for the GDPR, as well as a draft directive for law enforcement.

• On March 12, 2014, the European Parliament adopted a series of proposed amendments to the Commission text.

• On March 28, 2015, the European Council released its Partial General Approach on Chapter V.

Some commentators say that the GDPR will be putting into law what already exists in terms of “best practice” principles.

‘One-stop-shop’

Under existing law, companies processing data in the EU must deal with 28 national laws and regulators. The GDPR will establish a single European-wide law for data protection. The EU legislators have expressed on numerous occasions that there will be one regulatory authority.

At the December 2014 European Council meeting, the majority of council ministers agreed to the Italian presidency proposal of a “one-stop-shop” mechanism that data subjects can access to pursue legal remedies in cases of important transnational data breaches.

Supervisory Authorities (SAs)

One or more supervisory authorities in each member state will be “responsible for monitoring the application of this regulation” and “shall contribute to the consistent application of this regulation throughout the Union”; the SAs will be required to cooperate with each other.

Proposed Article 51a(1) of the GDPR provides for situations where the processor/controller is established in more than one member state, stating that “the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority”. The supervisory authority of the main establishment, or of the single establishment, of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all member states.

Article 51a(2a) states that by derogation from Article 51a(1), “each supervisory authority shall be competent to deal with a complaint lodged with it or to deal with a possible infringement of this Regulation, if the subject matter relates only to an establishment in its member state or substantially affects the data subjects only in its member state”.

This will mean significant adaptation where companies operate from different member states and do not necessarily share their data processing obligations. It is also, so far, not ideal for groups of undertakings/corporate groups, despite provision being made for them in the text, providing that the main establishment of the controlling undertaking would be the “place of its central administration in the union” (except where the purpose and means of processing are determined by another undertaking).

Each of the draft texts of the GDPR defines “main establishment” differently (see Article 4).

A controller with no establishment within the EU must designate a representative in one of the EU member states in which it offers goods or services or carries out monitoring activities, “unless the processing is occasional, does not include processing, on a large scale, of special categories of data as referred to in Article 9(1) or processing of data relating to criminal convictions and offences referred to in Article 9a, and is unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body”.


Article 53 of the GDPR provides for the powers of “supervisory authorities”. Supervisory authorities will be given broad powers. The latest version of the GDPR includes the right for the SA “to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this regulation”.

Article 74 of the GDPR also provides for a right to a judicial remedy against a decision of a supervisory authority.

European Data Protection Board

The GDPR will provide the European Data Protection Board (EDPB) with an important role as overseeing regulator. Each member state will contribute to the EDPB through the supervisory authority.

Key points

Data minimisation

Gambling companies should prepare by minimising the data they collect and looking at the GDPR to see what types of data it covers. The definition of personal data will be widened – it will include data such as IP addresses, cookie identifiers and device IDs. Therefore, it is important that businesses know whether or not the GDPR will apply to them and, if it does, they need a justification to process the data.

Privacy by design and by default

The GDPR provides for the requirement for businesses to “ensure that technical and organisational measures are in place in particular in order to ensure the respect of the principle of data minimisation. These measures may include pseudonymisation, as long as these purposes can be fulfilled in this manner”.

Article 23(2) is important as it provides that a “controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed; this applies to the amount of data collected, the extent of their processing, the period of their storage and their accessibility”.

Compulsory breach notification

The proposal is that organisations/businesses would have 72 hours to notify their supervisory authority of security breaches, “unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”.

The GDPR at a Glance

WHAT IS THE CURRENT LAW IN FORCE?

Data protection in Europe is currently based on the Directive 95/46/EC of October 24, 1995.

WHEN WILL IT COME INTO FORCE?

The GDPR is expected to be finalised in Spring 2016 and come into force in 2018.

WILL IT MEAN THAT THE CURRENT LAW IS NO LONGER VALID?

Yes. When the GDPR comes into force, it will replace the current EU Data Protection Directive 95/46/EC.

TO WHOM WILL THE GDPR APPLY?

The law will still apply to all personal data and applies to all business types and all sectors.

WILL A COMPANY NEED TO REGISTER WITH THE SUPERVISORY AUTHORITY OR OTHER REGULATORS?

No. There will be no requirement for a data controller to register with the supervisory authority.


Companies should consider that they will need to implement plans as to how they will identify security breaches to be able to report them in the prescribed time limit.

There is also a requirement, in certain cases, for companies to notify the victim of the data breach (i.e. the person whose data has been breached) (Article 32). This may require that the company not only inform the customer/data subject of the breach but also recommend measures to mitigate the possible adverse effects of the personal data breach. It will not be required to notify the data subjects if the controller can demonstrate, to the satisfaction of the supervisory authority, that it has implemented appropriate information security measures that render the data unintelligible to any person not authorised to access it.

This reform is all the more significant given the harsh consequences for non-compliance. Supervisory authorities will have the power to issue sanctions of up to €10m, or up to 2 percent of annual worldwide turnover.

The controller will also be required to “document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken” (Article 31(4)).

Cross-border data flow

The GDPR will have a prohibition on transfers of data to countries that do not provide an adequate level of data protection.

Data protection officers

Small and medium-sized enterprises (SMEs) will be exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.

Principle of consent

The definition of “consent” in Article 4 of the GDPR will make it harder to obtain than under the current law. The definition changes from “informed indication” under the current law to “freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”.

Consent will require a more positive affirmation than under the current law. Data subjects will need to give a positive indication of consent to specific activities. Passive acquiescence, silence or a pre-ticked box will not amount to consent, so it will be necessary to use unticked opt-in boxes or similar affirmative mechanisms, and to keep a record of what each data subject agreed to and when.

Data portability

Article 18 of the initial draft of the proposed GDPR gives a general right for data subjects to transfer their data to another service provider; however, the Parliament amendments replaced this with an encouragement to controllers to work towards interoperability. The latest version of the GDPR published on January 28, 2016 gives data subjects the “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided ...”. Companies should consider how they would produce a player’s data in such a format on request.

The data collected and processed by gambling companies is largely part of legal and regulatory requirements, such as anti-money laundering and tax requirements. It remains to be seen how legislators will provide for gambling companies to comply with the data portability requirement.

The right to be forgotten

Under Article 17, data subjects have a right for their data to be erased where the data is no longer needed for its original purpose. The GDPR also proposes to reverse the burden of proof so that it is a company’s responsibility, and not the individual, to prove that the data cannot be deleted because it is still needed or is still relevant.

Information to the data subject

Information requirements in Article 14 of the GDPR are more onerous than those in the current law. Under the GDPR, the data subject has to be informed about the legitimate interests or contractual reasons for the use of the data, the retention period and the basis for any international transfers.

Are there changes to third-party data transfers?

The mechanisms for transferring data to third countries (adequacy decisions, standard contractual clauses, binding corporate rules and the derogations) will remain largely the same as under the current law.

What are the other important changes?

Profiling

Profiling is the automated processing of personal data to evaluate, analyse or predict aspects of an individual’s behaviour, preferences or identity.

Article 20 of the GDPR provides restrictions for companies on the use of “profiling” of individuals to the extent that it produces “legal effects concerning him or her or similarly significantly affects him or her”.

Companies need to be prepared as the new law extends the restrictions on profiling well beyond the current law. Companies that use profiling will need to consider how to comply, for example by obtaining explicit consent or by relying on the profiling being necessary for a contract with the data subject, and in either case by providing safeguards such as the right to obtain human intervention and to contest the decision.

Automated decisions of this kind may not be based on “sensitive personal data” (defined in Article 9 as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, and data concerning health, sex life or sexual orientation) unless a narrow exception applies and suitable safeguards are in place.

Group proceedings/class actions

The original proposed text contained provisions (Articles 73 and 77) to enable data subjects to be represented as a group by an association or body acting in the public interest to bring a claim on behalf of them.

The latest version of the text does not, however, contain these provisions.

What about privacy seals and certification?

There are currently various certifications and privacy seals that an organisation/company can obtain to show that it satisfies certain data protection criteria. This gives its clients and partners an assurance that it abides by certain requirements. Article 39 of the GDPR recognises and encourages certification mechanisms and privacy seals. There are currently privacy seal schemes in Europe that will eventually be harmonised under the GDPR when it enters into force.

What about conflicts with anti-money laundering legislation?

The GDPR conflicts with some requirements in the 4th Anti-Money Laundering Directive (4th AMLD), especially with regard to the customer due diligence measures required by that directive.

It remains to be seen how companies will reconcile the obligations provided in the 4th AMLD and the GDPR.

What will it mean for companies outside the EU?

According to the latest version of the GDPR, data controllers established outside the EU have to apply the same rules when offering goods or services to EU consumers, or when monitoring their behaviour within the EU (Article 3(2) of the GDPR).

No matter where the physical servers of a company processing the data are located, non-European companies that target European consumers must apply European rules.

Which aspects will stay the same as the current law?

Controller/processor definitions

The “controller” and “processor” roles that are currently used to determine responsibility for compliance in Article 2 of the current law will be carried over into Article 4 of the GDPR. This will be helpful in terms of the language used generally and for contractual language.

In the GDPR, “controller” means the company “which alone or jointly with others determines the purposes, conditions and means of the processing of personal data”. This includes companies that have personal data on their customers and then determine what they then do with that data.

“Processor” means a company that processes personal data on behalf of the controller (Article 4(6)). The distinction is important because the characterisation determines the legal and compliance responsibilities.

As is the case in the current law, the GDPR will allow data subjects to obtain compensation for damages from a controller or processor for damage suffered as a result of processing carried out in breach of the regulation (Article 77).

The right of subject access

Data subjects will continue to have the right to obtain, by request, information regarding their data such as the purposes of the processing and the recipients to whom the data is disclosed.

The right to object

Data subjects are entitled to object to processing of personal data where the legal basis is the legitimate interests of the controller (Article 19).

Will there be flexibility in the proposed law for EU member states to opt for stricter approaches?

Under the current law, member states are able to implement laws that are even stricter than those in the directive. This will no longer be the case under the GDPR, as it will be directly applicable in all member states.

However, some areas related to data protection will be left to member states’ discretion, such as:

• Employment law (Article 82).
• Professional secrecy laws (Article 84).
• Journalism and freedom of speech (Article 80).

What are the proposed penalties for breach of the GDPR?

Under the current law (Directive 95/46/EC), sanctions and penalties for breaches of national data protection law are not harmonised.

However, businesses that fail to protect personal data adequately under the GDPR could face fines of up to €20m or, in the case of an undertaking, up to 4 percent of annual worldwide turnover, whichever is higher.

This is a significant reform making it important for businesses to ensure they are compliant.

This course provides a detailed analysis of data protection law and regulation. Real life examples of data protection failings are used to ensure that learners understand the importance of safeguarding personal data.

Practical case studies are used throughout the course to ensure learners are able to apply the law to business situations.

Learning Outcomes

By the end of the course the learner will be able to:
• Describe what is personal data and sensitive data
• State the purpose and application of data protection law
• Apply the data protection principles
• State the rights of individuals in relation to data protection
• Explain how data protection regulation has an impact on their day-to-day responsibilities

Course Outline

• Introduction: The course begins by examining the importance of protecting personal data and the consequences of data protection failures. The learner is made aware of key terminology and data protection roles and responsibilities, including the role of the Information Commissioner.

• Data Protection Act: Details of the scope and application of data protection law and the types of information that must be protected.

• Data Protection Principles: Examination of each of the data protection principles along with practical examples of how staff can ensure that they remain compliant.

• Case Studies: Practical and engaging case studies are used to ensure staff are able to apply data protection law to business situations.

• Course Test: The course finishes with a multiple-choice test that randomises from a large question bank.

To find out more about our eLearning courses, contact [email protected]

gamblingcompliance.com/elearning

eLearning - Data Protection Safeguarding Personal Data

About Us
GamblingCompliance is the leading provider of independent business intelligence to the global gambling industry, specialising in legal, regulatory, political and market data, bespoke research and eLearning. We help gaming operators, regulators, advisors and analysts to make sense of the complex and rapidly changing regulatory environment. Subscribers to GamblingCompliance receive daily industry-shaping news, analysis and data to build the fullest possible picture of changes taking place across online and land-based gaming. Our in-house team of editors and lawyers, and team of commissioned experts, provide detailed and impartial content to help you be more informed within your business.

Images: © IR Stone, Maksim Kabakou, Hilch and mamanamsai, all via Shutterstock.

If you would like a free three-week trial, visit www.gamblingcompliance.com or contact us:

UK Office
Saddlers House, 44 Gutter Lane
London EC2V 6BR

Tel: +44(0) 207 921 9980
Fax: +44(0) 207 960 2885

[email protected]

US Office
1725 I St NW Suite #300, Washington, D.C. 20006

Tel: +1 202 261 3567
Fax: +1 202 261 6583

gamblingcompliance.com
