The Risk And Reward Of Data


iGaming guru Alex Henderson continues his fascinating series on the importance of Compliance in the betting industry. This week Alex focusses on the power, risk and reward of data.

As iGaming continues to grow, with more and more new markets becoming available every year and regulations continuing to evolve, one indubitable truth shines out: Data, with all its risks and rewards, is the lifeblood of the gambling industry.

From customer profiles and transaction records, to gaming outcomes, data fuels every aspect of operations.

Under some regulations, before a customer has even made their first deposit, operators need to gather data from a range of sources to establish if the customer meets requirements. Outside of the regulations, data is also being obtained for the purpose of marketing and improved user experience.

It is not just the gambling industry of course, but with the rate of growth, it is important that risk management evolves at the same pace. Operators need data, whether this comes directly from the customer or from a range of other sources. They are dependent on data to conduct their business.

But this reliance on data also exposes gambling operators to significant security risks.

Financial penalties, as well as the erosion of trust, are just some of the consequences of data breaches. Public trust in the gambling industry is not the best, so any additional situations that further enhance this negative perception are detrimental to the operator involved — and the industry as a whole.

In this article, I explore the importance of data security, backed by financial data, research findings, and actionable guidance for gambling operators.

Data breaches are not merely hypothetical risks. They come at a staggering cost. The highest GDPR fine of 2022, for example, was levied against Meta-owned social networking platform Instagram by the Irish Data Protection Commission. The €405 million sum was also the second-highest fine to date under GDPR, after Amazon’s €746 million penalty in 2021.

For the gambling industry, where personal and financial data is highly sensitive, these breaches can be especially costly.

All of us in the industry know that these costs go beyond the immediate financial impact. Reputational damage can be far more enduring. While customers are the key factor for an operator, customer trust is easily eroded when sensitive information is compromised. When trust is lost, so are customers. Commercial impact is inevitable, as is a loss in market share and, potentially, there’s also a serious risk of impact on any future licence applications, or even the sale of a business.

The penalties around data are far greater than those being levied by gambling regulators. Data protection laws have become increasingly stringent. In Europe, for instance, the General Data Protection Regulation (GDPR) imposes substantial fines for non-compliance.

Gambling operators are not exempt from these regulations. In 2019, for example, a UK-based online casino was fined £600,000 by the Information Commissioner’s Office (ICO) for serious security failings that led to the exposure of almost 28 million customer records. Such cases serve as stark reminders of the financial penalties operators can face.

So what can we do to manage and reduce the risks?

Throughout my career I have been fortunate enough to work with experts in GDPR and Cyber Security. One thing that I have learnt is that to manage the risks around data, rule number one is to implement Robust Cybersecurity Measures: Invest in state-of-the-art cybersecurity technologies and practices. Without adequate security measures, everything fails. Even with a strong team of individuals, nothing can plug the hole of inadequate security.

As important as the cybersecurity measures is the need to regularly update, and test, your systems for vulnerabilities.

When speaking with a DPO, one who I consider to be the leading expert in his field, I learned that Data Mapping and Internal Audits are paramount to the success of keeping data safe and secure.

One thing that is very clear amongst most employees within a regulated business is that GDPR, Compliance and anything generally involving regulations and law are not seen as the sexiest of subjects to discuss. There is a stigma that comes with working in this field, the consensus being that overall it’s a boring subject.

But, outside of cybersecurity systems and technology, employing the right people can help change an organisation’s approach, culture and focus towards this crucial business area.

In a previous article for iGF, I wrote that Compliance is a key part of our job in the gambling industry so that colleagues and business partners keep Compliance ever to the fore.

Thus, employing the right DPO, CSO and other key members can bring the positive perspective every business needs.

I have had the pleasure of working with passionate and knowledgeable DPOs — and the displeasure of also working with DPOs who have the enthusiasm and energy of a sloth on a Monday morning.

I have seen the difference having the right people can have. Enthusiasm is contagious, so companies should put extra effort into hiring people who share the same business values. Making Compliance attractive and appealing for all employees is not an easy achievement.

Here is some final guidance:

Compliance is non-negotiable. This is why operators must ensure strict Compliance with data protection regulations. Regularly audit your data handling processes to identify and rectify any gaps in compliance.

Encrypt sensitive data. Encryption is an essential layer of defence against data breaches.

Employee Training. Train your employees in data security best practices. Human error is a significant factor in data breaches, so educate and raise awareness among your staff.

Develop a comprehensive incident response plan. In the event of a breach, a well-prepared response can minimise damage and legal repercussions. Usually a breach itself might be insignificant. But the steps taken after a breach is identified can make a huge difference in the outcomes.

Regularly assess the security measures of third-party vendors who have access to your data. Ensure they meet the same high standards of data security as yourself.

To conclude, data security is a necessity in the gambling industry.

The impact of data breaches is not limited to financial penalties. Regulatory scrutiny and damaged reputations are also among the steep costs of data breaches.

Gambling operators must invest in the right people and robust cybersecurity measures, adhere to compliance regulations and, most importantly, educate employees about the profound implications of data security.

Alex Henderson is Group Head of Compliance at GIMO (Global Interactive Marketing Online)
