With General Data Protection Regulation (GDPR) in full effect, gambling companies will need to comply with new guidelines and regulations.

GDPR is a new set of rules designed to give citizens more control over their data. GDPR has come in full effect from May 25th, 2018.

Data is a key component to competitive success within the gambling industry. This means gambling operators will be heavily affected by GDPR. There are significant decisions to be made as to how personal data should be collected and stored.


The regulations follow the same course as the Data Protection Act of 1998. Not only does it institute hefty fines for failure to adhere to regulations or for information breeches (among other various stipulations) it extends the regulations equilaterally across the Union. The rules also apply to non-EU countries which handle information about EU citizens or businesses.


Gambling has long been and remains one of the most regulated industries in modern history. It has also been an industry plagued by resistance to such regulations. Much of the online gambling industry has been unfairly maligned by regulatory agencies but that is soon to all change.

The frequent target of accident claims for spam SMS marketing. But that is most often traced back to marketing affiliates, not operators. The sad fact of the industry, however, is that operators are held liable. And in the case, liability can reach into the millions.

Outlined below, are three key changes introduced by GDPR which will affect the gambling industry.

1) Internal Governance and Responsibility
Under GDPR, there will be an increased emphasis on being able to demonstrate compliance. This consists of maintaining a record of data processing activities and associated policies and procedures.

2) Security Breaches
In the event of a personal data breach, GDPR will introduce a notification regime system alerting data handlers. They will be required to report personal data breaches no later than 72 hours after becoming aware of such breach.
Gambling operators will need to ensure they are able to identify and react to security breaches in a manner which complies with the requirements of the GDPR.

3) Data Portability
Under existing data protection laws, consumers have the right to receive a copy of any personal data that is held about them.

The data portability right may apply where personal data has been collected based on the data subject’s consent but will not apply where personal data has been processed based on the legitimate interest ground for processing personal data.

By not adhering to the new GDPR regulation, your organisation risks being hit financially with penalties, damaging your reputation, Ultimately GDPR is no laughing matter.