This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.
In the third of a series of articles by Olswang relating to data in the gambling sector, we explore the issue of ‘big data’ and consider how gambling businesses can use it to benefit themselves and their customers while still remaining compliant. If you would like to speak to anyone in relation to any of the topics covered in this series, please contact Anna Soilleux.
What is big data and how can it be used?
Big data is often explained by reference to the three ‘V’s – volume, variety and velocity. Essentially, it describes the processing of massive datasets, collected from both the business itself and other sources (so-called first party and third-party data), at high speed and often in real time, in order to find correlations. These insights can then be applied to new and existing data for a variety of purposes.
Big data analytics can be used to identify at what point customers are most likely to stop using a service and why, enabling the improvement of the customer experience and resulting in more efficient and cheaper customer acquisition and retention. It can be used to target the offering of products or services to an individual based on personal characteristics such as their age or their previous behaviour and use of the services, giving customers a more tailored experience and leading to increased revenue. It could also be used to aid the identification of problem gamblers or underage customers.
New games, same rules
In their guidance on the use of big data, the ICO is very clear that the complexity of big data analytics is no excuse for failing to adhere to the eight data protection principles. It is therefore critical that gambling businesses tailor their processes in order to stay compliant if the big data in question is personal data. As mentioned in previous articles in this series, any investigation of a gambling business by the ICO would need to be reported to the Gambling Commission, and could potentially lead to a licence review in the event of a serious breach.
It can prove tempting to simply collect as much data as possible without being clear about why it is needed, and analyse it with the broad aim of finding something useful or interesting. The key to avoiding this trap is to approach each big data project individually, and ascertain the purpose from the start. Carrying out a Privacy Impact Assessment (PIA) is the best way to understand how the processing will affect customers (and is likely to be compulsory under the new General Data Protection Regulation). Transparency when collecting data is essential and a privacy policy should clearly explain what purposes the data will be used for. Understanding the goal of the project is also essential for evaluating whether the appropriate consents have been obtained and in cases where the project involves re-purposing of data, then customers will need to be made aware of this.
Customer profiling
Customer profiling is the natural extension of big data analytics. Understanding each customer and being able to make accurate predictions about their behaviour enables effective personalisation, leading to a better customer experience. However, there is a distinction between using this knowledge to enhance the service which the customer is already receiving and using it for purposes which are not directly related to that service. While a customer may appreciate ‘free bet’ or bonus offers on their favourite games, they may be alarmed to find that information about their spending behaviour was being sold on to third parties who use it to, for example, market loans. It is also worth bearing in mind that any profiling information may be disclosable should the customer make a data subject access request.
Businesses need to tread a fine line between being clever and being ‘creepy’ – if a customer doesn’t feel that the benefit they receive from an initiative overrides any ’creepiness’ factor, then it could backfire. However clearly the privacy policy may be drafted, the reality is that many customers will not read this, and will simply work on the assumption that their data will only be used within certain limits. On a practical level, those customers who are surprised by the way their data is used are often the source of complaints to the ICO. Big data may therefore be an area where a business needs to make an ethical assessment of how the data is used – just because big data analytics enable a business to use information to act in a certain way doesn't automatically mean that they should do so.
What should businesses be doing?
Businesses can ensure they stay compliant while collecting and using big data by fully considering the following:
- Determine your purpose. Without clearly identifying the aim of the big data project, you will be unable to assess the risks.
- Carry out a PIA. Are you using personal data to identify general trends or to make decisions that affect individuals?
- Evaluate your consents. Are you using the data for a different purpose than the one for which it was originally collected? If so, have you obtained consent? Are you comfortable that the necessary consents are in place if personal data has been bought in from third parties?
- Evaluate your privacy policy. Is it broad enough to cover all the purposes for which you are collecting and using the data including profiling? Does it set these out clearly for the customer?
- Do you need all the data? The principle of data minimisation still applies – don’t stockpile data or retain it for longer than necessary, just in case it might be useful. Long term uses must be articulated or justifiable, even if all the detail of the future use is not known.
- Can the data be anonymised? For some analytics the data may be just as valuable if it doesn’t identify the underlying individual. If done correctly, the information being analysed will no longer be considered personal data, thereby reducing risk.
- How are you using the results? Does it pass the ‘creepiness test’? Would your customer expect you to use their data in this way, or would they be surprised?
- Plan for subject access requests. Will it be easy to disclose data about individual customers if required? Would you be willing for the customer to see all the information you hold about them?
- Evaluate your data security. How are you protecting your ‘data lakes’? Is it secured? If there’s a hack or a breach – and you should assume that there will be – have you stored the data in a way to minimise harm, such as encrypting it?
