Dr Domink Micallef, Chief Investigations and Enforcement Officer, MGA, spoke at our last conference, Compliance Briefing: Malta. Here's his advice for gaming companies on the EU Fourth AML Directive. The next Compliance Briefing will take place in London and will provide attendees with an in-depth, industry-specific overview of new regulations.
Essential compliance knowledge for iGaming professionals. Conference: Compliance Briefing London, 12 October 2017 Courses: igacademy.com/courses
The 25th of May 2018. For many, that date will have registered little interest when the first official draft of the EU General Data Protection Regulation was published back in 2012. The date, and what it would bring, was something to be aware of but too far away to interfere with other, more pressing concerns. Fast-forward to 2016, when the final draft was approved by the EU Parliament, and the speck on the horizon had grown to a more sizeable blob. There was a sudden shift in attitude and the date became a concern for all businesses in all sectors and of all sizes. Today, with under a year to go, the date is all-consuming. GDPR dominates the headlines and has bulldozed its way into the everyday vocabulary of both employers and employees alike. And is it any wonder when typing ‘GDPR’ into your Google search bar greets you with a never-ending stream of websites and news articles offering advice and guidance to complement, or in some cases override, your own preparations for the regulation? Much of this advice takes the shape of bullet-point lists, detailing the five, ten, sometimes even 15 or more steps that you must take “immediately” or else succumb to the financial and legal consequences that lie in wait for businesses who fail to achieve compliance in time. The doom, gloom and sense of urgency surrounding the upcoming regulation has created a new type of ‘expert’, offering the tantalising promise that a dose of their sage wisdom will make your GDPR compliance simple and immediate. But who are these people? And how can they possibly know what total compliance looks like at this moment in time? Surprise, surprise, they are typically vendors, jumping on GDPR as the latest bandwagon offering opportunities for a quick sell. The truth is that they can’t know. Not yet anyway. GDPR, as it currently stands, is not a destination that you can just ‘arrive’ at by clicking a button or buying a single product.
There’s too much uncertainty about what it looks like at the moment. Even the Information Commissioner’s Office website is being updated each month with new information around the regulation, what it is and how to comply. We should think of GDPR compliance as an ongoing journey that all businesses must undertake, including security vendors. I don’t have all the answers and can’t give you a simple and concise bullet-point list of 5 steps to make you 100% GDPR compliant. But I can give you an idea of things as they stand from my perspective, as the CEO of a security company. Over the years, I’ve seen a noticeable shift in the way that both IT and technology are regarded within businesses. The challenges of network security, digital infrastructure and what to do with the reams and reams of data produced – these are no longer just problems for IT teams and legal departments to deal with. Likewise, the implementation of GDPR is not something that can just be glanced at and signed off, or passed along by board members. Every single person in the business is responsible for, and must play an active role in, implementing and complying with GDPR. As such, collaboration between all departments and the leadership team is key during the transition process. As a CEO preparing for GDPR within my own organisation, creating an environment that encourages that collaboration has certainly been at the forefront of my mind. And so has reviewing all our existing data management practices. As the legislation will change the way that organisations collect, store and use personal information, it’s all about understanding what data you have and where it is. Let’s face it – this can be an overwhelming task when we consider just how much data is produced in today’s digital world. What’s even more overwhelming is how to keep this data secure – a task that the new regulation reinforces will be the company’s responsibility. I guess, for some, this is where security vendors come in.
The truth is that, for the time being, security vendors can’t wave a magic wand and automatically make your organisation GDPR compliant. It’s not a matter of buying a single product and being ‘ready’ to face GDPR head on. Speaking as part of the security vendor industry, we shouldn’t be promising that our products will make any organisation 100% compliant until all the facts are known. The most that we can do is ensure that our products themselves are compliant and that, by buying them, your organisation does not become any less so. We, like everyone else, are taking a step into the unknown and so, let’s face it, if GDPR compliance is a journey, it’s one that we must all take together.

By Ed Macnair, CEO at CensorNet. Originally published by GDPR.Report

We have only just started to reap the benefits of “Big Data” – from foreseeing deadly infections to fraud detection. It is a key source of value for many industry sectors: profiling, spotting market trends, product performance analysis and forecasting future outcomes.
The use of large data sets that are collated and analysed to discern patterns and make optimal decisions is an exciting journey many companies are only just starting to explore. There is, however, a potential darker side to the perceived benefits of big data: the effect on personal privacy. In this regard, is the GDPR a welcome guiding light to the benefits of Big Data, or will it strike a fatal blow to the utility of it, in an attempt to protect our privacy?

What is Big Data?

“Big Data” is a blanket term for collections of data sets that are enormous in size and complex, such that their processing using traditional data management means, such as relational database management systems, is problematic. Big Data is regarded as meeting the following characteristics (often called the “Four V’s”):

1. Sheer Volume of data;
2. A large Variety of data (in terms of types and structure);
3. Veracity of data, in that the data is, on the whole, representatively accurate and trustworthy (as opposed to exactly so); and
4. The data needs to be analysed at a high Velocity in order to derive value from it.

So why does Big Data cause problems in the context of the GDPR?

Big Data sets will often include personal data, and in many cases, it is not possible to separate the personal data from the non-personal data. The aim of Big Data is to uncover relationships within and amongst the information, through analytics and processing. Given that the accuracy and trustworthiness of any particular data set may not be exact, but rather directionally representative, the starting point of Big Data itself runs contrary to a fundamental principle of the GDPR – that the accuracy of the personal data of a particular data subject in the possession of an organisation must be maintained and protected. Furthermore, Article 22 of the GDPR prohibits automatic processing, including profiling, where such processing has a legal effect on a data subject, or similarly significantly affects the data subject.
In this regard, profiling is defined as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. Some of the privacy risks particularly pronounced in the context of Big Data profiling therefore include:

1. Processing of personal data outside of the purpose for which it was collected;
2. Use of incorrect and/or outdated information;
3. Discrimination or bias against certain individuals or groups resulting from the application of certain profiling algorithms; and
4. Processing of personal data in excess of what is needed in order to process it.

Because automatic processing involves such high risks to privacy, it is prohibited in principle under the GDPR, except where:
Note that organisations have already accumulated large amounts of data – and the GDPR applies not just to data sets created going forward, but also to those already in existence today, insofar as such pre-existing data sets would be the subject of processing after the GDPR comes into force. It will undoubtedly prove problematic in practice to obtain the required explicit consent for specific uses of a data set that already exists (and is, in fact, already in use).

So how can Big Data be used in practice under the GDPR?

It is imperative that businesses review their current use of profiling and automated processing practices and processes, to:
Is the GDPR the death knell of Big Data?

There are clearly some specific challenges in reconciling data protection principles set out in the GDPR with the characteristics of Big Data analytics. However, these are not insurmountable, nor incongruous with the aims of the GDPR. Organisations should, however, think through the why and the how in respect of Big Data profiling, and ensure that transparency and privacy by design are at the heart of their “Big Data journey”. With the EU’s 2015 Digital Single Market Strategy targeting Big Data as a “catalyst for economic growth, innovation and digitisation across all economic sectors […] and for society as a whole,” it is imperative that Big Data is seen as an opportunity to be actively nurtured and better understood, including through the prism of privacy compliance, so that its potential may be fully realised.

By Akber Datoo, Managing Partner, D2 Legal. Originally published by GDPR.Report

Panic over fourth anti-money laundering directive only highlights a flawed approach to compliance
5/9/2017

The recent passing (26 June 2017) of the European Union’s (EU) fourth Money Laundering Directive (MLD4) has caused much consternation within the gambling industry. Operators now face significant regulatory changes and need to remain on top of the changes to comply with licencing conditions and regulations.
MLD4 was introduced because the EU felt that parts of the gambling sector were being used to launder the proceeds of criminal activity, and it has resulted in widespread confusion about what exactly the implications and requirements are for those within the gambling industry. This confusion has resulted in 17 EU member countries failing to put the rules in place on time. Essentially, gambling operators must now:

• have a money laundering / terrorism financing risk assessment in place. This must be reviewed annually and whenever a ‘trigger event’ occurs.
• establish policies, procedures and controls to prevent money laundering and terrorism financing.
• ensure that these policies, procedures and controls are implemented effectively, regularly reviewed and revised appropriately.

An outdated approach to compliance

But this is the fourth incarnation of the Money Laundering Directive – it has been debated and discussed at length, and the requirements are clearly laid out for any interested party to see. So the unnecessary furore and confusion around MLD4 has only really served to highlight the inadequacies of traditional approaches to compliance. While digitisation has improved many business functions, compliance is still managed and monitored in many organisations using Excel. Given the complexity of compliance in modern business – especially so in heavily regulated industries such as gambling – it’s an approach that is outdated and wholly inadequate. Compliance is a highly involved process, requiring lots of information and knowledge to be input into a certain format. Furthermore, it is a task that demands absolute attention to detail. But for many organisations compliance has not been seen as a priority, and there has subsequently been a reluctance to invest in the right tools to manage it effectively.
The rise of digitisation

But for most firms now, irrespective of size or industry, compliance has become increasingly important, with severe penalties for those that are not compliant. So using Excel to manage risk in such an environment is not fit for purpose and leaves organisations vulnerable to compliance requirement failure. The consequences of this are vast and potentially wide-ranging, so a modern and more digital approach to compliance is required. For effective compliance, you need precision, you need to be systematic and you need to be up to date. This can be done using a spreadsheet, database or SharePoint, but they all require human input, and humans are fallible. But if you have an automated tool that takes away the hassle of managing compliance, it mitigates the risk of failure much more effectively. This combination of automation with input from industry experts and thought leaders, who can help map the compliance requirements faced by an organisation, is a far more effective approach and provides security that compliance will be achieved. It also allows an organisation to manage compliance on an on-going basis, rather than as a project to be begun and completed within a certain time. Modern compliance is on-going, so it stands to reason the management of it must be so too. Digitisation is assisting organisations all over the world in a myriad of different ways, and compliance is an area of business that is ripe for digitisation. If organisations in the gambling sector had utilised a digital approach to compliance, then much of the confusion over MLD4 could have been avoided, with requirements picked up and addressed in good time ahead of the deadline.
By Eric Berdeaux, CEO of new generation GRC solutions provider OXIAL

As we know, the EU’s GDPR (General Data Protection Regulation) comes into force on 28th May 2018, an unprecedented regulatory move which will affect every business to some extent. The UK Information Commissioner Christopher Graham has called GDPR “the biggest shake up for consumers’ data protection rights for three decades” and it has been well reported in the media how unprepared UK firms are for this change. Organisations should resist viewing GDPR simply as a box-ticking exercise for the regulators and auditors; it is not just about compliance. Instead, it presents an opportunity for businesses to address data protection within their organisation and allows them to re-evaluate and strengthen their overall business model and strategy. GDPR can encourage a dialogue about the importance of data privacy and protection within an organisation, not just at the executive levels, but so that it is viewed as a matter of collective responsibility. By changing day-to-day behaviours and driving a cultural change, organisations can proactively manage compliance and reduce the risk of data breaches. There are three steps to achieving this: first you need to raise awareness throughout your organisation, secondly you need to educate the people that process and store personal data and third you need to engage your executive team.

Raise awareness

If you want people to change their behaviour, you need to motivate them to want to do so; they need to understand why it is important. It is therefore key to diversify the way you present this message by using highly visible, consistent and engaging communications. One of our clients is a fast-moving company, with multiple change programmes and different messages being cascaded. In this situation, people can have short attention spans.
Success in this environment means motivating people to start changing their behaviour. To do this, we related the importance of protecting personal data back to the organisation’s customer-centric values. We used relatable real-life examples and created an engaging awareness campaign using a multi-media and multi-channel communication approach. As well as putting senior executives in charge of cascading company-wide communications, we created an engaging online employee hub with videos, links to real news stories and examples of how other companies are approaching GDPR. This helped to keep it relevant and generate some discussion on the topic.

Educate your staff

After people understand the importance of changing behaviour, and are willing to do so, the next step is to educate them on how to behave. This change is challenging if they can’t connect data privacy risks to their own roles and private lives. Tailored training to roles or personas and the use of relevant examples is therefore good practice. To effectively educate your staff, work closely and connect with internal teams – people like HR, L&D and internal communications teams. They understand your staff and can support you in developing training that works for them. Collaborating with them can also prevent them from becoming blockers and feeling bypassed. With our client mentioned above, we worked closely with the learning and development department to understand how the organisation’s employees prefer to learn. In this case, the majority of the workforce were millennials, who favour working digitally and tend to like learning on the job. Therefore, we opted for a micro-learning approach which meant creating short, focused modules on specific topics. The tools used to do this were interactive, multi-media and engaging (e.g. click-throughs, video, and quizzes). This blended approach gave us flexibility and ensured we could target specific training ‘mini modules’ to different roles.
Engage your Execs

GDPR readiness is enabled by an effectively engaged executive group. As discussed, the benefits of investing in GDPR go beyond the avoidance of large fines; highlighting these to your senior stakeholders can help you achieve investment in internal and external privacy awareness initiatives. At one of our clients, we found the most effective approach to gain executive buy-in was to relate the objectives of the programme back to the organisation’s core customer-centric values. We used creative and diverse ways to regularly engage and update them – creating short, snappy updates via a newsletter, using videos and sharing relevant news articles to generate discussion. By successfully and consistently engaging the senior leadership team, we were able to cascade some of our privacy awareness messages into their regular communications and gain approval for further phases of the programme. Executive-level buy-in enables a “lead by example” approach and helps to embed the data privacy culture – staff look to leaders within their workplace. Endorsement at an executive level enables sustainable change by making data privacy part of the corporate culture. With GDPR introducing serious consequences for data breaches, ensuring organisational awareness of cybersecurity practices is essential. Executives are also at risk and are attractive targets for cybercriminals; the number of attacks at C-suite level has significantly increased. They have high levels of access within organisations, but are usually too busy (or disengaged) to partake in security training. By working closely with the cybersecurity team, we were able to plan tailored training sessions targeted specifically at the senior leadership team.

Now that you’ve built your data privacy culture, you need to embed it and sustain it

To do this, you will need to:
It is clear that GDPR is not just about technical compliance – it’s also about organisational compliance and changing the culture of the organisation. By focusing on awareness, education and engagement early and often, you are more likely to create the culture needed to successfully make GDPR part of your business as usual.

By Rob Hoyle, Transformation Lead at North Highland UK.
COMPLIANCE BRIEFING: LONDON
12 OCTOBER 2017, COUNTY HALL, LONDON