UKGC: No Data Impact Study for Remote Audits
Regulator confirms no formal data protection assessment was conducted for its remote operator inspection policy, a Freedom of Information request reveals.
A Freedom of Information request has revealed the UK Gambling Commission did not conduct a specific Data Protection Impact Assessment (DPIA) for its policy on remote compliance assessments. The regulator stated it viewed the policy as an extension of existing practices and not a high-risk activity requiring a new assessment.
The UK Gambling Commission (UKGC) did not conduct a specific Data Protection Impact Assessment (DPIA) before formalising its policy to carry out remote compliance assessments on all licensed operators, a Freedom of Information (FOI) disclosure has confirmed.
The response, published following a request on 6 December 2022, reveals that the regulator holds no formal review, assessment, or board minutes specifically evaluating the data protection implications of extending remote audits to all licensees.
What are Remote Compliance Assessments?
Compliance assessments are how the UKGC checks if a gambling operator is following the rules set out in its licence, particularly concerning social responsibility and anti-money laundering. Traditionally, these could involve on-site visits.
Remote assessments allow the Commission to conduct these checks from a distance, requiring operators to produce records and information electronically. This process can involve the regulator accessing systems that hold sensitive customer data. A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project or policy.
The FOI Disclosure
The FOI request asked for a copy of the DPIA or any equivalent review related to the policy change. The UKGC's response was unequivocal: "I can confirm that no information is held falling within the scope of your request."
The Commission explained its reasoning, stating that it has conducted remote assessments on online-only operators since 2015. It said that when this process was first designed, it "considered how to effectively identify data protection risks and introduced the necessary controls to minimise them."
According to the UKGC, the expansion of this practice to include land-based operators—a move accelerated by the Covid-19 pandemic—was considered a "clarification of our already established approach" rather than a new form of data processing. Therefore, the regulator concluded that a new impact assessment was not required.
The UKGC also stated its view that the process does not meet the Information Commissioner's Office (ICO) threshold for processing that is "likely to result in a high risk to individuals," which would make a DPIA mandatory.
Why This Matters for Consumer Data
This disclosure provides insight into the regulatory process behind a significant compliance tool. While the UKGC asserts it has appropriate data protection controls in place from its earlier work with remote operators, the absence of a formal, documented assessment for the policy's expansion to all sectors means there is no public record of how risks to consumer data were evaluated for this wider application.
For consumers, it highlights the procedures governing how their data is handled not just by operators, but by the regulator during inspections. Remote assessments are a key part of the UKGC's enforcement strategy, and understanding the data protection safeguards that underpin them is crucial for transparency and trust in the regulatory framework.