Paysafe’s Elliott Wiseman, General Counsel and Chief Compliance Officer, discusses GDPR, PSD2, and what they mean for the gaming industry.
In today’s digitally connected world, data is being produced in huge volumes, at an incredible pace. This has certainly been evident in the gaming space, where the rise of apps and websites has contributed to the sector becoming one of the earlier digital adopters. Recent findings suggest the UK online gambling sector will grow by nine per cent to reach a value of £5.95bn by 2019. Clearly, data growth is inevitable, with each mouse click and every app log-in creating a data footprint.
For gaming operators today, harnessing these data flows is no longer an optional exercise – it is a necessity. 2018 has been billed as ‘the year of regulation’, in which legislative pressures will peak at the deadline for the General Data Protection Regulation (GDPR) on 25th May, following the rollout of the second Payment Services Directive (PSD2) in January this year. While the specific requirements of each piece of regulation differ considerably, the realities of non-compliance are significant. Failure to comply will put operators at risk of heavy fines – not to mention a loss in consumer trust and reputation – which means data protection and customer privacy should be at the very core of everything gaming operators do going forward. But although it’s easy to view these new regulations as a burden, both PSD2 and GDPR offer a platform for competitive advantage, and an opportunity for operators to get their house in order for longer-term gain.
The changing regulatory landscape
PSD2 came into effect on 13th January, representing an evolution of the existing directive. Aside from enhancing consumer protection within payments and boosting security, a side benefit of the directive is the improvement it will drive in terms of new and innovative services. PSD2 aims to make it simpler for technology start-ups, payment processors and banks to communicate with each other, share feedback and gather information. By requiring banks to make their data available to these third-party companies through open technology development tools – Application Programming Interfaces (APIs) – ‘open banking’ becomes a genuine option. In essence, with every company in the payments chain benefitting from shared information and technologies, competition can prosper and new services can be developed to the benefit of the consumer.
In addition, gaming companies should note the security implications of PSD2. It requires operators to implement stronger (i.e. multi-factor) customer authentication methods. Ultimately, the updated directive is designed to make digital payments easier for consumers, while guaranteeing them greater security over the transactions related to their accounts.
The forthcoming GDPR builds on the existing Data Protection Directive, which has been in place since 1995 and is out of touch with the data-heavy online world operators function in. It impacts all gaming operators worldwide that have interests, holdings, customers and other touch points within the European Union (EU). This means all gaming operators processing data that belongs to or relates to EU residents are under its jurisdiction. Non-compliance with the new legislation carries severe penalties, and failure to meet the mandate can incur fines of up to €20 million or 4% of global annual turnover, whichever is greater.
The main factors for gaming operators to consider within GDPR are:
- The right to be informed: Gaming operators must be transparent and provide fair processing information around data
- The right of access: Individuals must be able to access their data upon request
- The right to rectification: Operators must make corrections to customer data upon request
- The right to erasure: Individuals can request their data to be deleted where there is no compelling reason for its continued processing
- The right to restrict processing: Individuals can suppress processing of their data, without requiring operators to delete it altogether
- The right to data portability: Individuals can obtain and re-use their data for their own purposes across different services
- The right to object: Individuals can object to their data being processed in the interest of official authorities, for purposes of direct marketing, or for purposes of scientific/historical research
- Rights in relation to automated decision-making and profiling: Individuals can object to their data being used as part of an automated decision-making process or for profiling exercises
‘The year of regulation’ effectively signals an era of consumer empowerment, in which gamers have more control than ever before over the payments they make and how operators can handle their data. Under the threat of significant penalties, it is essential that operators take measures to meet both pieces of regulation, while also turning the regulations into a source of competitive advantage.
Three considerations for operators
Under GDPR and PSD2, the first big consideration for operators is striking a balance between privacy and security. Make no mistake, one does not guarantee the other, and focusing on security without factoring privacy into the mix would be like building a house made entirely of bulletproof glass – no one will get inside, but your personal life will be on display to all. Under PSD2 and GDPR, the key for operators is factoring both considerations into all business components and decisions, in order to create a system that manages security and customer data privacy holistically.
Operators should also be mindful of malicious hackers looking to leverage GDPR to their advantage. In theory, one day after the GDPR deadline, a hacker could locate not-yet-compliant data sets held by an organisation and hold them to ransom over the information. In other words – pay a ransom or be reported to the Information Commissioner’s Office.
Such a scenario serves to highlight that in the new regulatory landscape, compliance is worthless without evidence. Your business could have a systematic and sustainable model for processing payments, protecting customer data, and responding to data-related requests, but if you can’t prove it then you run the same risks as those who are non-compliant. Gaming operators need to establish and maintain comprehensive evidence logs, which are ready to submit to regulators in the event that a complaint is made against them.
Moreover, compliance is not a static process, and regulators will not accept excuses grounded in ignorance. Operators need to keep one eye on the future at all times. That means predicting how the rollout of new technologies, services and processes will affect the way that data is collected and used, and therefore their compliance status. Today, the emergence of biometrics as a means of authentication for digital gaming payments is one such example, which is especially pertinent this year given that all operators are required to offer two-factor authentication under PSD2. Biometric technologies bring with them the challenge of special category data, and operators must give careful consideration to the implications of a data breach where the very essence of an individual, their uniquely personal identifiers, is lost or in some way compromised.
How can your business benefit?
The challenges posed by the regulations are all-encompassing and inevitable, and the gaming industry will be required to meet them whether it wants to or not. This leaves operators with two choices: endure them or embrace them. Although the regulations do place hurdles for operators to overcome, there are also opportunities in equal measure, and operators should be working to put themselves in the best possible position to take advantage.
The first opportunity comes from a change in perspective. The regulations may be designed to empower the consumer, but this doesn’t mean operators need to suffer as a result. Going forward, the most successful operators will be those who can adapt their services with the user front-of-mind for an optimised customer experience. For instance, by striving to comply with PSD2, operators can offer heightened security through measures including two-factor authentication. Ensuring the security of services is a huge advantage in an era where increasing volumes of fraud have caused consumers to desire a more secure payments process – Paysafe’s Lost in Transaction research shows more than half (58%) of consumers would accept any necessary security measures to eradicate fraud.
Regulations like PSD2 and GDPR present significant obstacles to a gaming industry that is becoming more digitally connected every day, and test gaming operators’ capacities to manage the data being generated through their online platforms. But for all of the challenges, GDPR and PSD2 can represent opportunities to those willing to take them. Operators should be looking to optimise their internal processes now to ensure compliance and put themselves in the best possible position to benefit in the long-term.