UKGC: ICO is Lead on Operator GDPR Rules
FOI response clarifies regulatory roles and reveals joint work on a Single Customer View for player data.
A Freedom of Information request has revealed the UK's Information Commissioner's Office (ICO) is the lead regulator for GDPR compliance in gambling, not the Gambling Commission. The response also confirmed the two bodies are collaborating on a 'Single Customer View' to share player data in a compliant manner.
Article Content
A Freedom of Information (FOI) request has revealed that the UK's Information Commissioner's Office (ICO) is the primary body responsible for policing how gambling operators comply with data protection laws, not the Gambling Commission (UKGC).
The disclosure, dated 8 June 2023, clarifies the division of regulatory responsibility and provides insight into the ongoing development of a cross-operator 'Single Customer View' (SCV).
Regulatory Responsibilities Clarified
The request asked the UKGC how it polices bookmaker compliance with the General Data Protection Regulation (GDPR). In its response, the Commission stated that while it licenses and regulates the gambling industry through its Licence Conditions and Codes of Practice (LCCP), the ICO is the independent authority for data protection.
The UKGC confirmed it carries out assessments to ensure operators follow its own rules, but it is the ICO's role to "uphold information rights in the public interest" and ensure organisations meet their obligations under the Data Protection Act 2018 and UK GDPR.
For consumers, this means that while the UKGC handles complaints about gambling practices, concerns specifically related to data protection and GDPR should be directed to the Information Commissioner's Office.
The Single Customer View Project
The FOI request also questioned whether the proposed Single Customer View—a system designed to share customer data between different gambling companies—would break GDPR rules.
The UKGC noted that under FOI law, it is not required to provide opinions. However, it voluntarily disclosed significant details about its work on the project.
The response reveals that the UKGC has been actively working alongside the ICO to find a GDPR-compliant solution for the SCV. Key details include:
- ICO Collaboration: In November 2020, the UKGC was accepted into the ICO's 'Regulatory Sandbox', a service designed to help organisations develop innovative services using personal data in a safe and lawful way.
- Project Aims: The goal of the SCV Sandbox project was to determine a lawful basis under UK GDPR for sharing player behavioural data between operators. It also examined how to handle 'special category' personal data, which receives extra protection under the law.
What This Means for Consumers
The disclosure confirms that the Single Customer View is not a rogue industry initiative but a formal project being developed under the supervision of both the gambling and data protection regulators. The collaboration aims to ensure that any system for sharing player data—likely for the purpose of identifying and protecting vulnerable customers across different brands—is built on a solid legal and data-protection footing from the outset.
The UKGC pointed to the ICO's published 'Regulatory Sandbox Phase 1 outcomes report' and its own website for further updates on the SCV industry challenge.