The General Data Protection Regulation (GDPR) of the European Union consists of a number of laws and regulations governing how data from EU citizens is collected, processed, stored or otherwise used. These laws apply worldwide, not only to companies operating in the European Union.
The GDPR was introduced in 2018 and each member state then had to transpose it into national law. The laws are intended to significantly improve existing laws protecting consumer privacy and adapt them to the digital age.
The focus is on the concept of consent and the belief that individuals have the right to say what data is stored about them, by whom, and how it is used. It obliges every company that collects any form of personal data to take measures to protect this data. In addition, all information systems and databases must be designed with data protection in mind.
Finally, data can only be collected if the collection complies with the legal bases set out in the regulations. The data subject also has the right to demand that all related personal data be deleted immediately and for any reason without any consequences.
The GDPR does not only apply to back-end processes; it also requires companies to make themselves and the way they work transparent. Yes, the GDPR is a complex and far-reaching law, but compliance is required.
How will it affect my iGaming startup?
The online gambling industry relies heavily on the collection and processing of user data. This data is used to improve the services, personalize the gaming experience, reduce fraud and identify problematic behavior. The integration of other technologies such as mobile gambling and the Internet of Things also uses and relies on the player’s data.
GDPR also means you can’t buy or transfer email mailing lists to your startup. If you have email or mobile marketing lists from another company, even one that you own, GDPR means you cannot use them for your iGaming startup. This is because each person must choose to receive communications from the entity that is sending them. The GDPR places a lot of weight on consent, and consent cannot be shared or transferred between companies.
You can start building your list by asking your website visitors to sign up to receive marketing materials. Keep a verifiable paper trail of their consent to make sure you’re following the rules.
These are just a few examples of how GDPR affects starting your online gambling business.
What are the consequences of violations?
You cannot opt out of or ignore GDPR just because you are not based in the EU. For example, if you’re based in Curacao and have clients in Italy or France, the rules apply to you.
Failure to comply with the GDPR has major consequences. These include fines of up to EUR 10 million or 2% of global sales in the previous financial year – whichever is higher. It is also worth noting that this percentage applies not only to the company that committed the breach, but to the entire group, other related business units, and natural persons. In addition, there are criminal and civil sanctions at Member State level against those who violate the law.
You also need to consider the impact this can have on your reputation. As a startup or young company, building your reputation and trust with your customers is an important endeavor. It takes time, hard work, and money to get there. If at any point you fail to comply with GDPR, you risk having all of this reversed and your reputation will suffer significantly.
Whatever benefit you think avoiding GDPR might bring will be negated by the consequences of being caught.
There are six main principles behind the GDPR:
1. Right of individuals: Enhancing the rights of individuals with regard to data that is collected, processed or stored in relation to them.
2. Right to be informed: Businesses need to ensure that individuals understand who is collecting their data and how it is being used.
3. Right to be forgotten: Individuals can request that their data be deleted within one month.
4. Data Protection Officer: Companies must appoint a data protection officer to ensure that they are complying with all of their GDPR obligations.
5. Obligations to data processors: Data processors must take appropriate measures to ensure the protection of data.
6. Data Protection Impact Assessment: Organizations must conduct data protection impact assessments to ensure compliance.
The last word
Fast Offshore works with a large portfolio of iGaming customers who both operate in the EU and have customers in the EU. We have participated in countless start-up processes, appointed data protection officers and are available for data protection impact assessments. We can advise you on compliance issues not only in relation to the GDPR, but also in relation to similar laws in other jurisdictions.