The UK Gambling Commission has been given the green light by the Information Commissioner’s Office (ICO) to progress its single customer view (SCV) and financial risk assessment projects.
It follows the ICO writing an open letter to UK Finance, a trade association for the UK banking and financial services sector, confirming that data protection laws do not stop gambling companies from conducting financial risk checks on customers and that lenders can share people’s personal information as long as it is done “transparently and proportionately”.
This means it is the ICO’s view that credit reference agencies should share personal information with gambling operators. The data that can be shared will be limited in accordance with the General Data Protection Regulation (GDPR).
Tim Miller, an executive director at the Gambling Commission, welcomed the “clear support” from the ICO.
“It’s also a further example of the importance of regulators working together to better protect consumers from harm,” Miller said on social media on July 13.
In the letter, the ICO said it understands that the Gambling Commission will consult on two forms of financial risk checks to be undertaken by gambling operators.
One form will be “basic checks” for online gamblers incurring “moderate levels of spend, to check for financial vulnerability indicators such as County Court judgments. These would take place at £125 net loss within a month or £500 within a year.”
An “enhanced check” will also be consulted on for gamblers incurring “high levels of spend which may indicate harmful binge gambling or sustained unaffordable losses”. These high losses are £1,000 net loss in 24 hours or £2,000 within 90 days.
These triggers for enhanced checks would be halved for people aged 18-24.
The ICO expects gambling operators to have “robust safeguards” to ensure the data they receive from credit reference agencies is analysed correctly and stored securely.
It also notes that it expects financial risk checks will only be necessary for 20 percent of accounts that meet the basic threshold and 3 percent of accounts that meet the enhanced check threshold.
Operators using the data for financial gain would be “strictly” outside the purpose of this data sharing, according to the ICO.
Lenders and other affected agencies should review their General Data Protection Regulation (GDPR) accountability frameworks, including their data sharing agreements with credit rating agencies (CRA) and existing data protection impact assessments (DPIA), to “ensure these reflected the personal data processing required by the financial risk checks”.
The letter from the ICO was in response to UK Finance asking, in December 2022, for more clarity about allowing gambling firms to undertake financial risk checks.
Additionally, the ICO published a report on the Betting and Gaming Council’s (BGC) participation in its “Regulatory Sandbox” to explore data-sharing across gambling operators where there are markers of harm, referred to as SCV or GamProtect.
“This sandbox participation has demonstrated that organisations can work together collaboratively and positively to consider and overcome the perceived challenges posed by data protection law,” according to the report.
Operators Entain, William Hill, 888, Gamesys, bet365 and Flutter supported the sandbox, co-designing and trialling the SCV solution.
In a blog post on July 13, Helen Rhodes, policy director at the Gambling Commission, said: “Now that the Sandbox is complete, and a solution is in place, we look forward to the swift development of GamProtect, which will include the onboarding of more gambling businesses and the expansion of the markers of harm applied to identify those at serious risk of serious harm.”