The challenge of privacy and security in a modern gaming world

by Karakasiliotis Athanasios, Group Information Security Director, INTRALOT

THE INCREASING SIGNIFICANCE OF PERSONAL DATA PROTECTION

In our heavily-loaded-information era, global players deal with a large amount of information in their daily lives; they produce, process and share personal data and they gradually seem to be getting used to it, even enjoy it, most of the times. In a world of constant digitalization, sharing personal information is inevitable. The more people are interconnected and the more customized the information they receive is, the more they value their personal privacy.

One of the most common concern for the “digital” players is that personal information can be easily shared (intentional or unintentional) via digital channels. This is more than a fair concern, since the need for personal data protection goes together with multi-channeling of the digital experience. People globally prefer to conduct any task digitally, such as through websites, mobile apps, social networks and emails, if possible (in fact, this percentage has 50%-60% increase rate based on the latest events with Covid-19 pandemic) and they tend to use multiple different electronic devices daily, to do so. Most common digital tasks are not confined to passive ‘reception’ of information, but, also, expands to content consumption, task scheduling (e.g. remote working), financial management and, of course, online payments or purchases.

DIFFERENTIATED UNDERSTANDING ON PRIVACY AND NEED OF TRUSTWORTHY TECHNOLOGIES

Even though data protection and privacy are of paramount importance to all, global gaming industries (e.g. lotteries, sports betting, etc.) seem to adopt different attitudes and ‘intensity’ of concern. An important factor of such differentiation is the deviation of company’s maturity level in terms of data privacy but also the complexity as a perceived barrier to implement concrete data protection controls.

Complexity issue is very much linked to the companies' efforts to pursue digital transformation strategies (as sustainable growth pillars), but often lack to adopting internationally recognized standards and governance frameworks. Missing the adoption of appropriate standards concerning data privacy and information security, could be devastating nowadays during the implementation of an organization digital transformation. Recent studies shown that data breach incidents costs are on the rise, and the risk for an organization could costing remarkable rates of their annual revenue or even seriously damage on its own reputation.

In the digital transformation era of the gaming market, the challenge of collecting and processing players’ personal data is higher than ever. Players themselves appreciate it when targeting occurs on an almost personal level since it offers the opportunity for a truly personalized, expanded, richer and more intense gaming experience, across channels, devices and preferred games. However, even players, who tend to be quite open-minded and ready to adopt innovation, value their personal privacy and avoid unscrupulous exposure.

In INTRALOT has become clear that protecting personal information requires from one hand the understanding of potential risks (e.g. financial, regulatory, reputational, etc.) and from the other hand deep knowledge of technologies that used and the types of data that processed. Also, the purpose and the way of process them and how to serve the rights of any natural person whose personal data is being collected, is an important fact that should be considered. Therefore, a strong data and technology governance model that follows the principles of security and privacy by design, should be one of the top priorities nowadays into the gaming market.

PRIVACY AND SECURITY BY DESIGN AND BY DEFAULT

In the modern gaming industry, privacy should build into the product by default or included during the design phase of the solution. So, even if players do not change anything in an application or service, their privacy should remain intact (e.g. encryption in transit, at rest, etc.). Furthermore, the approach of privacy by design and by default in a product, could empower the data minimization principle by preventing the processing of original personal data by the using of alternative mechanisms (e.g. pseudonymized, anonymized data, etc.). Either way, could maintain players privacy, by ensuring the processing to the minimum data depending on each specific purpose and at the same time building trust between data controller (Gaming Company) and data subject (players).

From the other side, gaming solutions should include by default or during the design phase of the solution, assurance mechanisms concerning cybersecurity as well as anti-fraud capabilities. Nowadays, digital transformation strategies are imperative and involve the players mobility via multiple channels (e.g. Desktop, Mobile, Apps, etc.). However, this fact increases the risk exposure of the organization and required efficient measures that should protect company based on its risk appetite. Nevertheless, the efficiency of these measures implies that should be transparent from the player (to avoid user experience impact) and should addresses holistically cybersecurity needs by following a dedicated strategy based on the five fundamental elements: Identify, Protect, Detect, Respond and Recover.

THE NEED FOR THE STANDARDISATION

An end-to-end approach regarding privacy and security, should include except the appropriate technical measures, and the organizational measures that needs to be implemented. So, organizational issues should be approached structured by following international standards. It is obvious that the Information Security topic is more understandable as concept because of its maturity for long time into the industry and due to the international standards, that have been followed by several years now, such as ISO 27001:2013 and ISO 27002:2013.

However, the newly in most cases data protection regulations and laws around the globe, have defines several developments in the field of personal data and has made an urgent need for similar international standards into the field of privacy. So, recently have been implementing and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO 27001 and ISO 27002 for privacy management within the context of the organization, ISO 27701:2019.

Οn the same topic has been observed recently constructive activity by the World Lottery Association, that is in a preparatory phase to upgrade within the year the current WLA Security Control Standard (WLA SCS:2016), to a new one which will cover the increasing needs of modern gaming environments.

So, Privacy and Security topics should not be approached only as compliance requirements in the industry, rather than an opportunity for embedded competitive advantage in modern gaming solutions that works as business enabler.

The article is originally published at the EL Magazine here.