ICO approves UKGC’s Single Customer View project as GDPR compliant

The UK Gambling Commission (UKGC) has published the phase-1 findings of a ‘Sandbox Review’, providing GDPR compliant feedback on the development of its ‘Single Customer View’ (SCV).

A regulatory objective of the UKGC’s new three-year national strategy has seen the commission seek to establish a SCV solution to provide a “holistic view of a customer’s online gambling behaviour and help reduce gambling harms”.

The Commission has called on the widest stakeholder (commercial and public) input to develop an effective SCV, that will deliver a cross operator view on a customer’s gambling habits to identify potential risks.

Last November, the Commission put forward its SCV project to be reviewed by the Information Commissioner’s Office (ICO) ‘Regulatory Sandbox’ – an evaluation service for organisations that are creating products/services that utilise public/personal data.

Tim Miller, Executive Director at the Gambling Commission said: “We welcomed the early commitment we received from gambling companies and their trade body to develop and trial a solution.”

“However, we also recognised the questions that existed on how this could be achieved in a way that complied with data protection law. That is why we partnered with the Information Commissioner at an early stage and are pleased that they have been able to provide assurances that requirements on data protection need not be a barrier to making progress.”

Phase-1 of the Sandbox review aimed to establish whether an ‘appropriate lawful basis’ existed for the sharing of behavioural data between online gambling operators via a SCV, observing UK General Data Protection Regulation (GDPR) laws.

As a further requisite, the ICO was asked to consider if a gambling-sector SCV could be maintained as an ‘Article-9 GDPR special category’, allowing for the collection and processing of personal data under existing UK data laws.

Phase-1 of the Sandbox deemed that the SCV’s behavioural data for the purpose of identifying harms could qualify as a ‘Public Task’ or ‘Legitimate Interest’ under UK GDPR’s framework.

A ‘Public Task’ requires there to be a basis in law, for licensed operators to share the data under terms of the SCV, in which data sharing must be carried out in the interest of the public.  

Meanwhile, ‘Legitimate Interests’ have to encompass the needs of a number of parties in order to maintain the legal requirements of a business sector and those of society at large.

The ICO deemed that both determinations offered the Commission’s SCV project a “discretionary gateway to processing data under UK GDPR”.

Furthermore, the UKGC was also advised to identify data processing elements of its SCV project that would require to be classified as a GDPR Article-9 category.

The Commission welcomed the ICO’s Sandbox determination as an “important and helpful steer on how a SCV could be delivered in accordance with data protection law.” However,  the Commission maintained that the project had ‘plenty of issues and complexities that need to be addressed as part of a pilot phase of work’.

Concluding its update, the Commission stated that it had no plans to mandate a particular SCV solution   – “That is for the industry to develop and test – but we do expect the industry to demonstrate the impact its piloted solution has against the challenge we set.”

“We are determined to tackle problem gambling and we are undertaking a comprehensive review of our gambling laws to ensure they are fit for the digital age.” –  remarked DCMS Gambling Minister Chris Philp

“I welcome the Information Commissioner’s Office findings that data can be shared safely and securely between operators to prevent problem gamblers running up crippling losses. It is essential that more action is taken to prevent people becoming dangerously addicted to gambling to the point that lives can be ruined.

“This is an important step towards protecting vulnerable people and operators must now come together to quickly deliver a meaningful solution.”