GPWA Times Magazine - Issue 39 - November 2017

This obligation is reinforced by the need for gaming affiliates to keep a “record of all categories of processing activities carried out on behalf of a controller.” Therefore, a gaming affiliate that processes personal data on behalf of several operators shall keep a separate record of the categories of processing activities carried out on behalf of each of its operators.

How should operators select gaming affiliates?

Because of the scenario above, the selection of gaming affiliates might require much more detailed due diligence. Data protection authorities have not yet accredited any certification entities that might certify the level of privacy compliance of their clients, but in the long term this is likely to become a “must-have,” or at least to represent a competitive advantage. Regardless of the presence of any sort of certification, it is recommendable that – at least prior to the effective date of the GDPR – operators do the following:

• Map all their gaming affiliates and the sub-affiliates that shall be disclosed.
• Oblige those entities to provide the registry of data processing activities required by the GDPR, outlining – among other things – all the data processing activities performed on behalf of the operator and the measures put in place to protect personal data.
• Exclude gaming affiliates that are too small or are reluctant or unable to comply with the GDPR privacy obligations, and in any case require affiliates to keep a very limited line of sub-affiliates.
• Provide training for gaming affiliates on the measures required by the GDPR (even remotely, through webinars with multiple questions), and repeat the training at least every other year.
• Enter into a new data processing agreement, meeting the requirements of the GDPR, with each gaming affiliate.
• Perform periodic random audits, and have in place technical measures aimed at identifying potential illegal access to, or processing of, the personal data processed on their behalf.
• Require each gaming affiliate to send the updated version of the registry referenced above at the end of each year, together with a filled-in checklist showing full compliance with the GDPR and confirming that there is no data breach or lack of compliance to report.

A big question mark as we near the start of the GDPR is whether affiliates will take privacy seriously, or whether operators will oblige them to do so. My view is that there will be a transitional period in which privacy compliance will still not be a priority for affiliates. However, the first fines issued, along with the negative publicity from potential data breaches – amplified by claims from players interested in keeping their gambling activities confidential – might be the game-changer that will force affiliates to comply with the EU General Data Protection Regulation.

Giulio Coraggio is the head of the global gambling and gaming group at the global law firm DLA Piper. He frequently speaks at conferences on gambling, privacy and IT law issues and is the blogmaster of www.gamingtechlaw.com. Giulio can be reached at giulio.coraggio@dlapiper.com and on Twitter at @GiulioCoraggio.

GDPR Key Changes

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the one in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies.

Increased Territorial Scope

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of subjects residing in the Union, regardless of the company’s location. Previously, the territorial applicability of the directive was ambiguous and referred to data processing ‘in context of an establishment.’ The GDPR makes its applicability very clear: It will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU.

Penalties

Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements; there is a tiered approach to fines. It is important to note that the rules apply to both controllers and processors – meaning “clouds” will not be exempt from GDPR enforcement.

Consent

The conditions for consent have been strengthened. Companies will no longer be able to use long, illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Source: www.eugdpr.org
