GDPR: Navigating incoming regulation

As the industry is called on to comply with greater levels of regulation, Paul Marcantonio assesses the challenges posed by GDPR and PSD2

As European igaming has matured, regulatory bodies have begun to contend with the challenge of encouraging business development while ensuring consumers are protected from unscrupulous industry practices.

Making up around 51% of the igaming industry’s total market share, Europe is not only the largest igaming market in the world but also the most mature.

Global igaming revenues are estimated to be between €34bn and €38bn annually, predicted to rise to €50-60bn by 2020.

The European market will continue to occupy roughly the same market share, bringing it in between €25-€30bn annually, according to the European Gaming & Betting Association.

Of all internet users, 17% are based in Europe, with 84% or roughly 353 million resident in Western European.

The popularity of igaming in the region, paired with the high rate of internet penetration and widespread use of smart devices, suggests that despite the market’s maturity, there remains immense potential for innovative igaming companies to establish highly profitable operations.

Introducing legislation to establish best practice principles and penalise unethical behaviour, the licences provided by particular regulatory bodies have become recognised as the gold standard within the igaming industry.

Generally speaking, the most popular licences for businesses hoping to demonstrate their commitment to transparency and ethical operations are issued by the UK’s Gambling Commission, as well as regulatory bodies within Malta, Gibraltar, and the Isle of Man.

Operators working within the European Union (EU) and European Economic Area will often become licensed in the aforementioned jurisdictions as testament to their willingness to uphold industry standards.

However, payment service provider and international bank card acquirer ECommPay foresees a potential collision course between two of the regulations set to come into force in early 2018.

European regulation updated
Regulating igaming activities is the responsibility of individual European jurisdictions. However, two EU initiatives contending with the challenge of user confidentiality, the revised payment services directive (PSD2) and the general data protection regulation (GDPR), will apply to all EU member states.

The potential collision course between the two regulatory legislations arises when considering confidential customer data.

PSD2 promotes data dissemination (within a stringent data protection framework) in the hope of encouraging technological innovation, while GDPR is categorically opposed to sharing personal data, regardless of channel.

GDPR was initially conceived to revise the existing data protection laws, which were drafted before the rapid technological advancement of recent years.

As technologies are developed and introduced, more personal information is required to authenticate user identities and negate fraudulent activity.

Consequently, conflict arises between the fast-moving tech industry on the one hand, and data protection, privacy, and anonymity on the other.

In order to engineer innovative products, services, and solutions, the tech industry requires intimate information on consumers; their preferences, and their requirements.

To protect confidential user data from being shared freely, GDPR seeks to return this commodity into the possession of individual consumers.

Between GDPR and PSD2
Fully licensed igaming operators are compliant to existing data protection measures and are therefore in a strong position to seamlessly transition to becoming GDPR compliant.

The changes to legislation will feature a number of new pro-consumer laws, transgression against which will result in severe sanctions.

To ensure full compliance and mitigate any potential issues, the igaming industry as a whole will need to become more stringent in its handling of consumer data.

Neither GDPR nor PSD2 make any allowances for the other. Whereas GDPR seeks to protect consumer data, including payment details, PSD2 intends to permit payment service providers access.

Though PSD2 equally intends to protect consumers, it does so through alternative means, promoting the development and widespread usage of innovative online and mobile payments.

The initiative’s original purpose is to make cross-European payment services safer, increasing pan-European competition by opening the playing field to non-banking institutions and uniting consumer protection regulation with the obligations of payment service providers.

While both regulations address similar concerns, they propose incongruent solutions. The question remains: how will payment service providers and igaming operators manage the potential disharmony between the two?

One potential solution is to use card payments as an additional layer of player verification. Sensitive customer data would not be disseminated to payment service providers, but would be used to authenticate user details in order to facilitate a payment transaction.

Payment technologies, therefore, would not only comply with PSD2, but also address the challenges posed by GDPR.

Paul Marcantonio is head of UK and Western Europe at ECommPay, establishing the payment service provider as a trusted partner to e-commerce merchants throughout the region. He has more than 17 years of experience working within interactive technology and online commerce, driving success for various well-known brands across the diverse landscapes of digital payments and fintech.