Kevin Jones

Audrey Ferrie: Pinsent Masons - Data protection and the Single Customer View.

Gaming Eminence speaks with Audrey Ferrie, Consultant and formerly Legal Director at Pinsent Masons, about data protection laws. Topics we focused on were Big Data, data misuse, third-party providers, Single Customer View (SCV), and privacy laws.

*Please note that the below are the opinions of Audrey Ferrie from the point of view of a gambling lawyer and not a data protection lawyer, nor do they represent legal advice from Pinsent Masons.


GE) Big Data and its use is growing across all industries, none more so than in understanding customer behaviour and habits for gambling operators. Where do you see issues arising for a growing operator to leverage data to grow profits, whilst ensuring those profits are then not lost via fines for data misuse?


AF) Operators must ensure that they comply, not only with data protection regulations but also with the terms of their gambling licences, possibly in multiple jurisdictions. Operating across jurisdictions complicates compliance for operators, particularly since Brexit. The European Betting & Gaming Association published a code of conduct on data protection for operators in June 2020 which may still provide a useful resource [1].


Another issue for operators is the potential for conflict between different statutory regimes. For example, the UK Gambling Commission continues to work with the ICO to ensure that the way in which licensees are interpreting and implementing data protection regulation does not conflict with the requirements of gambling regulation. The Gambling Commission has produced a guide [2] for operators with examples of specific scenarios and a link to the ICO website.


Fines for data misuse are not the only potential sanctions to which operators might be subject; licensees run the risk of committing a criminal offence if they fail to provide facilities for gambling in accordance with the terms and conditions of their licence. Operators can be fined by the GC, and their licence could be revoked. The GC takes the view that data protection legislation “is not intended to prevent operators from taking steps which are necessary in the public interest or are necessary to comply with regulatory requirements under a gambling licence. [It] should not be improperly used as an excuse to avoid taking steps which enable compliance with licence conditions, promote socially responsible gambling, and promote the licensing objectives”.


GE) Across the industry you will find operators who manage data in-house vs those utilising a third-party tech or software firm. What are the pros and cons of both from a compliance perspective?


AF) Compliance with myriad regulations is a huge issue for operators and requires both technical and human resources and continuous training and updating of policies. By outsourcing data management, operators can benefit from the expertise of those third-party tech or software firms who specialise in data management. However, by doing so they do not relieve themselves of the responsibility for compliance. The expectation of the UKGC is that it remains the responsibility of the licensees to ensure that they are compliant.


GE) The UK Gambling Commission over the last few years has consistently talked about its requirement to take an innovative approach via use of evolving technology to address gambling harm. At the top of the agenda is the ‘Single Customer View’ (SCV), and leveraging operator data. At this point in time what are the challenges for the UKGC to be able to enforce the SCV? What should operators be considering in the way they evolve managing their data with the anticipation of the SCV?


AF) Andrew Rhodes, the UKGC CEO, at the recent ICE regulatory briefing, spoke about SCV. The Commission is committed to using data to meet its regulatory goals – in this context, to better protecting customers from harm while protecting their personal data. He accepts that the GC will face challenges.


It seems to me that the major challenges for the GC are the resources, both financial and human, to police the SCV, the size of the industry, and the multiplicity of jurisdictions and markets in which the industry operates. He correctly recognises that collaboration will be key – collaboration between regulators, potentially joint investigations and joint enforcement action and collaboration between operators. This has long been a wish of the GC but, perhaps understandably, operators have been reluctant to share commercially sensitive data with competitors.


This conflict will not disappear. However, the Betting and Gaming Council, the main UK industry body, launched a Code of Conduct, reaffirmed in January 2021, which references the Industry’s Self Exclusion Schemes (GAMSTOP, MOSES, SENSE) [3]. Those operators who are members of the BGC are obliged to participate in those schemes and any other schemes that the industry elects to establish.


The difficulty is that many smaller operators will not have signed up to this or any other code of conduct. In anticipation of the SCV, all operators should be reviewing their policies, procedures and training in relation to data protection and consider signing up to and adhering to one or more of the industry codes of conduct.


GE) Following on from the above question: to be able to analyse bulk amounts of data from a global operator that distributes products in multiple countries to a mixture of nationalities, where do you see challenges for both the UKGC and operators when it comes to data privacy laws?


AF) For the UKGC, resources and securing the co-operation of a multiplicity of regulators will be the key challenges, and for operators, compliance with different regulatory regimes and ensuring that their staff are suitably trained.


GE) Leading on from my earlier question, how does the dynamic of which parties are acting as controllers and processors play a challenge in the SCV initiative?


AF) I don’t believe that it does to any degree unless the boundaries between the two become blurred. As I said in answer to question 2, even if an operator (most likely the data controller) outsources the processing to a third party, the Gambling Commission will expect the operator to be responsible for compliance.


About our contributor

Audrey is now a consultant; in her last role she was Legal Director at Pinsent Masons. Audrey has more than 35 years' experience in licensing (alcohol, gambling & civic government) and litigation.