Overview of Data Protection status in European Lotteries and Recommendations towards a Better Practice

Abstract

Denne masteroppgaven presenterer en omfattende studie av personvern i europeiske spillselskaper.

Oppgaven bruker eksisterende teori og datamateriale for å foreslå hvordan åpenhet mht. personvern for både registrerte personer og behandlere av persondata kan forbedres. Viktige problemstillinger som vil bli analysert, er hvordan GDPR-rammeverket forstås og er implementert i Europa samt identifisering av mulige kulturelle/sosiale forskjeller . Grunnlag for studien vil være både forståelse og presentasjon av viktige lover/rammeverk for personvern og innsamlede data

Gjennom bruk av spørreskjemaer, automatisert datainnsamling og fokusgruppe intervjuer vil vi samle inn et omfattende datagrunnlag knyttet til fundamentale personvernrettigheter i Europa

Dette datagrunnlaget vil så bli analysert for å foreslå forbedringer og anbefalinger for personvern og åpenhet mht. behandling av personopplysninger.

In this master thesis we present a comprehensive study of practice related to privacy and handling of personal data in European lotteries. The study aims to document how the GDPR framework is understood and implemented across lotteries in Europe and identify differences between status and expectations in important laws and standards.

In addition to GDPR, Important Information Security Standards like the ISO 27000 series will be presented together with important EU regulations, lottery specific security standards and privacy concepts.

Using questionnaires, inspection of web sites and automated analysis we collect a substantial amount of data related to important fundamental data protection rights in European lotteries.

By analysing the collected material important techniques for data protection and data transparency is identified. Presented research material documents how they are implemented in European lotteries and shows significant variations between the different Lotteries. The thesis discuss the findings in the collected material and suggests how the described techniques can be implemented to be both GDPR compliant and support a healthy company reputation.

Anonymous gambling products will not be a part of this study, and I will not make any attempt to investigate identification of anonymous ticket holders or prize winners. From a security and compliance perspective this could be very interesting since these products are known to be closely related to money laundry and criminal activity, but the scope of this thesis is related to data protection and use of personal data and the understanding of GDPR.