Data compliance: CSR-commercial balancing act required

| By contenteditor
Operators will have to find right balance between generating sign ups and complying with the GDPR.   

Issues related to social responsibility and preventing crime or fraud all fall under data and its different uses for the igaming sector. Operators will have to find right balance between generating sign ups and complying with the GDPR, writes Amanda McCormack.

The regulatory landscape is to change significantly for the UK gambling industry over the next 12 months, with the issues of data and security set to take centre stage.

Data has become a prominent feature in people’s daily lives and as the stories of identity theft and big company data breaches grow, so does the issue of data security.

This is particularly significant for the gambling sector, where companies are trying to increase the data they have on players to improve personalisation, but are also under increasing scrutiny for how they store and use the information.

Preparing for the GDPR
The General Data Protection Regulation (GDPR) was approved by the European Parliament in April 2016, its enforcement date is set for 25 May 2018 and it will be directly applied in all EU member states.

Organisations that are found to be in non-compliance will face heavy fines, ranging up to 4% of their annual global turnover or €20m.

Lawyer Elle Todd, partner at Olswang, told iGaming Business: “The looming implementation of the new GDPR across Europe in 2018, with its new requirements and heavy fining regime, will mean that operators will be upping the priority of data compliance in the business. We expect 2017 to be a year of data mapping and preparation in order to be ready in time since there is a great deal to do.”

So how do gambling operators and, potentially, affiliates avoid getting a fine? The simplest answer is that they will need to make sure the methods they use to record and keep data are in order.

The GDPR’s requirements contain new rights for individuals such as the ‘right to be forgotten’, a requirement to appoint a data protection officer, a higher standard for obtaining consent and stricter requirements around customer profiling.

Todd said that there is still some uncertainty over what the requirements will be as the Privacy and Electronic Communications Regulations (PECR), which sits alongside the GDPR and contains details regarding consent requirements and cookies, is not yet finalised.

However, she said: “We do have some clarity (if not yet guidance) around the profiling requirements in the GDPR. Operators need to review their current and planned profiling activities in order to appraise whether they do or don't fall within the provisions and also consider steps that can be taken to ensure they don't or that activities can fall within exceptions.

“The first step however is in properly understanding what their own activities actually involve, which isn't always straightforward.”

ICO warning
The Information Commissioner’s Office (ICO), the organisation responsible for the enforcement of the Data Protection Act in the UK, recently sent a letter to over 400 affiliates claiming it was following up on a large numbers of spammy texts linked to the gambling sector.

Todd said the letter served two purposes: “First, reacting to high levels of consumer complaints about spam in the sector and two, to get operators involved in taking responsibility for the activities of their affiliates.”

Taking responsibility
UK Gambling Commission chief executive Sarah Harrison, speaking at the ICE Totally Gaming exhibition in February, said her message for the affiliate business was that “they need to get their house in order, but more importantly my message to the operators is the affiliates that drive people to your sites, are your responsibility and you are accountable for them”.

This is a key message to gambling operators that they are not only seen as responsible for their own data gathering and targeted personalised marketing campaigns, but also for those of their affiliates.

Harrison also emphasised that some companies that put commercial gain over compliance were putting gambling as a mainstream activity in Great Britain “at risk”.

She said: “I still hear that some are adopting a strategy of ‘wait and see’, wait for it to be illegal before acting and meanwhile wrap their customer in VIP status, instead of being curious about their level of spend, this is unacceptable practice and the industry can and must do better.”  

Importantly, the issues of data protection and data usage are strongly linked to fraud prevention and fall under the agenda of social responsibility.

Fraud and igaming 
At a recent breakfast meeting hosted by Onfido and Featurespace, the topics of preventing crime and fraud in igaming were high on the agenda.

Accordign to Featurespace, its machine-learning software records and learns the habits and behaviours of criminals over multiple platforms and then uses the data to identify fraud and profile it against regular online players. 

Consultant Christina Thakor-Rankin says an aggregated solution is needed to tackle fraud and that “a multi-dimensional picture is needed to catch criminals”.

“The boundaries are blurring between problem gamblers and criminals, they are hard to identify and you need to start thinking about it [security] as there will be a 4% penalty,” she added.

Jeremy Harding-Roberts, sales manager gaming at Featurespace, said that in total half to 5% of ID documents supplied to online gambling companies are fakes.

Thakor-Rankin added: “Criminals use gambling to see if they can get away with the identity they have stolen. If they can use it they may then say it has passed the test.”

This puts a moral responsibility in front of gambling operators, as not only do they need to use data to ensure their players aren’t abusing bonuses with multiple accounts or fake documents, but also to make sure that they don’t then continue with criminal activity elsewhere.

For Playtech’s Francesco Rodano, some of the blame for bonus abuse has to be laid at the feet of operators.

He said: “Bonuses that need turnover of 50 times are unreasonable for average players, so they may have attracted the professional gamblers and criminals who work through them to exit that money.”

Some of the data analysis needed to identify criminals has to burrow deep inside identity documents.

Thakor-Rankin revealed that criminals are now so accustomed to being asked for a photo of them holding their photo ID document that they have become accomplished at Photoshop skills to falsify documents whenever needed.

It has also become so intricate that criminals actually go into the code of the photo file to say it is produced by iPhone instead of Photoshop.

This means that data analysts have to look for signs such as whether the photo ID is published on the internet or if the part of the photo showing the face is the same resolution as the rest of the photo or not.

There are worries that with the stringent data regulations coming in next year, companies may find it hard to obtain all of the personal details and playing patterns they need in order to identify criminal behaviour.

The major problem with this is the fact they will then be seen as reneging on their social responsibility.

It is a hard balancing act which involves more security systems being introduced, but these come with their own set of problems as too many verification steps could result in players dropping-off out of frustration.

In the end, innovation, new security levels and systems for data will be the key for igaming companies looking to avoid future fines and restrictions.

With systems needing to be in place by May 2018 the quicker companies have these tested and implemented the better.

Related articles: UK regulatory waters will require careful navigation in 2017 
ICO to crack down on personal data usage in online gambling
UK gambling advertising: what to watch for in 2017

Subscribe to the ICE365 newsletter