In the latest entry to the SMP Snack series, SMP eGaming Regulatory Compliance Manager Phil Knox takes a look at the GDPR requirements of an affiliate marketer.

Data protection and privacy laws are being tightened on a global scale, with GDPR being the most prominent example. Affiliates need to be aware of this and the implications it can have on their business.

On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into force. Under the GDPR, any individuals and organisations that process personal data need to register and pay a data protection fee to the applicable Information Commissioner. As an affiliate collecting and processing players’ personal data, this law is applicable to you.

If you’re an affiliate domiciled in the UK and unsure, the UK Information Commissioner’s Office (ICO) provides a useful ‘Registration Self-Assessment’ that can be used to determine whether you need to register to the ICO. Failure to do so is a civil offence.

The registration process is straightforward and should only take around 15 minutes to complete. Affiliates are required to disclose certain information such as the name of the business, whether you’re processing as a controller or processor (don’t worry – we’ll cover this in next week’s snack article), nature of the business (affiliate marketer), registered office etc. In addition, the ICO now requests the details of either a contact person or designated Data Protection Officer (DPO).

The size of the registration fee will vary depending on the size and complexity of the business. In the UK for example, a controller can expect to pay between £40 and £2,900.

The applicable Information Commissioner is usually determined by the country in which you are processing the personal data, for example an affiliate in the UK will need to register with the UK ICO. In certain cases, you’ll also be required to register for data protection in the country you are targeting – for instance if you market to individuals in specific EU countries and they have self-imposed registration requirements. In any case, you should review the regulation in your target jurisdictions.

Each Information Commissioner has a slightly different approach to registration, but the purpose remains the same – to apply for the inclusion in a public register of both controllers and processors.

Once registered, an affiliate will be actively monitored by the Information Commissioner, so it is imperative you remain transparent with customers on the processing of personal data and have in place a robust framework to ensure compliance with GDPR. Registration is just the beginning – so watch this space for more advice on how to comply over the longer term.