To be or not to be compliant… that’s a good question

The General Data Protection Regulation (GDPR) is looming large in the headlights for companies conducting business in or with the EU. With barely 3 months to go before this beefy EU regulation is actually put into force, the scaremongering is in full swing. The regulation does come with a maximum penalty of 20 million Euros or 4% of global revenue, whichever is more. But nobody is clear on exactly what threshold of transgression severity is required to get a fine at all, let alone the maximum.

The GDPR articles clearly state that each national Supervisory Authority will be in charge of determining how best to police compliance within their national borders. And the Supervisory Authority in the UK, the Information Commissioner’s Office (ICO), has been a bit sluggish off the mark when it comes to explaining what exactly is going to get them excited and in the mood to deliver fines and what they will consider to be less interesting.

This has left many companies in the UK taking a “wait and see” attitude. Counting on the idea that they won’t be the first to get audited, they feel they’ll have plenty of time to look at published cases of how the ICO plans to measure out its fines and other punitive steps and make adjustments accordingly. But these companies are not in the online gaming industry.

In fact, the online gaming industry is exactly the type of industry that these “wait and see” companies expect to draw the ICO’s attention first. And it’s not an outlandish bet. Why? Because the combination of collecting player account information and the common practice of profiling players to manage their accounts more effectively is exactly the type of business practice that has caught the EU regulators’ attention. It’s not that these practices are wrong or unethical per se. But it is absolutely the intent of the GDPR to ensure that any such collection, storage and processing of EU citizens’ personal data is handled in a manner that is clear, transparent and secure.

At Y2X we have developed a track record of successfully serving clients in the gaming industry with regulatory compliance issues. Our approach has been to help companies establish a prioritised risk register and to support them in making progress toward remediating top risks. This positions our clients to be ready to demonstrate progress, organisation and a good faith effort to improve compliance in the event that a GDPR audit comes early on in the game. But it stops short of selling the idea that a dramatic amount of money should be spent now on becoming fully compliant with a regulation which has yet to be fully clarified.

If you’d like a free GDPR readiness assessment, we’re happy to help you better understand your risks and what it will take to make you confident of meeting a GDPR audit successfully. From gap analysis to programme design to programme execution support, we can help. Call or e-mail us today.