Intralot: GDPR and the 4th industrial revolution

Our world is ever changing through the rapid proliferation of technologies that impact industries and our professional and personal lives. This proliferation has been called the 4th industrial revolution by the World Economic Forum, which has recently published its Digital Transformation Initiative report[1] in collaboration with Accenture. According to the report, digital transformation in businesses and government can unlock an estimated $100 trillion value over the next decade, with Artificial Intelligence (AI), the Internet of Things (IoT), Big Data and the Cloud being at the front of technologies and models that will enable innovation. These results are aligned with ISACA’s Digital Transformation Barometer study[2], which identifies the potential of these technologies together with the perceived risks from their adoption, communicating the importance of managing risk as an integrated element of digital transformation. The criticality of managing risk is validated by the worldwide effect of data breaches, which have reached an average cost of $3.62 million per incident[3], as well as by the increasing regulatory compliance requirements demonstrated, for example, by the European General Data Protection Regulation (GDPR).

Christos K. DIMITRIADIS, PhD, CISA, CISM, CRISC, Group Director of Information Security, INTRALOT


GDPR in digital transformation initiatives

GDPR is about protecting personal data but fundamentally requires us to understand the types of data we process, why and how we process them and how we serve the rights of the data subjects. Protection is covered by cyber and information security principles. This is what security is all about: protecting the confidentiality, integrity and availability of data and services, as well as detecting, responding to and recovering from incidents. The rest of the questions asked by GDPR are about data and technology governance and compliance. This is why digital transformation requires a strong data and technology governance model in place for implementing a holistic and correlated study on the organizational, procedural, technical, human and cultural elements of an ecosystem.


The Big Data transformation example

Let’s use the example of a big data analytics initiative in order to briefly understand the dynamics of GDPR implementation. Big data can add value if not transform an industry as a whole. Lotteries can gain a better understanding of player, retailer, channel, game behaviors among others and enhance their products and services or provide brand new innovative ones. Being GDPR compliant with the introduction of big data fundamentally requires the understanding of the notion of privacy (and security) by design. This must be embedded in the transformation framework, while ineffective and silo approaches of considering privacy and data protection as side projects with their own owners, budgets and accountabilities should be abandoned. Instead, privacy and security controls should be embedded, accountabilities should be assigned to all stakeholders of the initiative and budgets should be integrated, also being addressed as investments (vs compliance costs) towards increasing the competitiveness, sustainability and trust of the overall initiative. In other words, privacy by design starts with the development of a holistic business case, identifying both opportunities and risks.

The first step is to create a data register. While this would be implemented as an obvious step in a big data transformation initiative, it is not as obvious when discussing AI, Cloud or IoT. The data register should clearly identify personal data, their owners and processors, their flow between systems and through processes, their processing location (geographically and technically), possible exports and imports between jurisdictions, the purpose and legality of processing and their retention periods. After developing the register, a risk assessment should be conducted towards identifying the impact, risks and controls, together with a data privacy impact assessment that focuses on the data subjects. Controls concern technology, organization, policies and procedures, also taking into account skills, competencies, culture and the human factor as a whole.

Technical controls concern, for example, the encryption or pseudonymization of personal data at rest and in transit, the procurement of data leakage prevention tools, or extensions to an existing Security Information and Event Management system for covering the transformed ecosystem. Technology considerations also relate to the big data solution having features in place for serving the rights of the data subjects, such as the right to be forgotten, the right to rectify information, or the right to restrict processing if the data subject did not provide consent for specific types of processing. When designing the solution, the right not to be subject to automated decision-making, including profiling, should be considered as well, taking into account the effect of decision making or profiling, as well as the categories of data that are being processed by the big data solution.
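The following sketch is an added example, not code from the author or from INTRALOT. It shows how pseudonymization, restriction of processing by consent and the right to be forgotten can be built into a big data ingest path. The key, field names, purposes and sample events are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo key (assumption). In practice the key is held in a key
# management system, separate from the analytics store.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

def pseudonymize(player_id, key=PSEUDONYM_KEY):
    """Keyed, deterministic pseudonym: the same player always maps to the same
    token, and the token cannot be recomputed without the key."""
    return hmac.new(key, player_id.encode("utf-8"), hashlib.sha256).hexdigest()

def ingest(raw_events, consents, key=PSEUDONYM_KEY):
    """Replace the direct identifier with a pseudonym before storage and carry
    the purposes the subject consented to alongside each row."""
    return [
        {
            "subject": pseudonymize(ev["player_id"], key),
            "game": ev["game"],
            "stake": ev["stake"],
            "purposes": frozenset(consents.get(ev["player_id"], ())),
        }
        for ev in raw_events
    ]

def rows_for_purpose(rows, purpose):
    """Restriction of processing: keep only rows whose subject consented."""
    return [r for r in rows if purpose in r["purposes"]]

def stake_per_game(rows):
    """Example analytic: total stake per game over the rows it is given."""
    totals = {}
    for r in rows:
        totals[r["game"]] = totals.get(r["game"], 0) + r["stake"]
    return totals

def erase_subject(rows, player_id, key=PSEUDONYM_KEY):
    """Right to be forgotten: recompute the pseudonym from the request and
    drop every matching row. Returns (remaining_rows, rows_removed)."""
    token = pseudonymize(player_id, key)
    kept = [r for r in rows if r["subject"] != token]
    return kept, len(rows) - len(kept)

# Constructed sample input: player P-1003 has given no consent at all.
RAW_EVENTS = [
    {"player_id": "P-1001", "game": "lotto", "stake": 5},
    {"player_id": "P-1002", "game": "lotto", "stake": 10},
    {"player_id": "P-1001", "game": "instant", "stake": 2},
    {"player_id": "P-1003", "game": "instant", "stake": 4},
]
CONSENTS = {"P-1001": {"analytics", "profiling"}, "P-1002": {"analytics"}}

if __name__ == "__main__":
    rows = ingest(RAW_EVENTS, CONSENTS)
    print(stake_per_game(rows_for_purpose(rows, "analytics")))
    rows, removed = erase_subject(rows, "P-1001")
    print(removed, stake_per_game(rows_for_purpose(rows, "analytics")))
```

Because the pseudonym is keyed, an erasure request can be served without keeping a lookup table of identifiers, and anyone holding only the analytics store cannot recompute the tokens.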

Organizational controls may concern the creation of a Data Privacy Office and the appointment of an officer, as well as the change in existing roles for including accountabilities on personal data protection. They may also concern the interactions with third parties involved in the big data solution – subcontractors and partners – and under which contractual clauses they operate for ensuring GDPR compliance.

Policies for informing the data subjects and processes for obtaining clear consent prior to processing, as well as for protecting the rights of the data subjects, are critical as well. The right to object, right to access and generally all requests by data subjects should be supported by a respective process in order for the organization to be able to respond in a timely manner and according to the requirements of the law. The incident response processes should be revisited as well for ensuring timely breach notification, while response capability should be enabled by the big data solution in order to be able to detect and respond to a possible breach. Response plans should be retested in the transformed ecosystem, while agreements on processes with subcontractors of the big data solution should be put in place for jointly responding and managing communications.

Awareness and training programs should be provisioned for all roles involved in the big data operation, minimizing the risk from the human factor and ensuring that appropriate skills are in place for operating the big data solution in a trusted manner. Most importantly the common property of digital transformation and data protection must become part of the organizational culture: they are both continuous initiatives and not one-off projects.


Conclusion

GDPR is a strict regulation. The message conveyed, however, is much broader than ensuring compliance. It is about respecting the data subjects and also about responsibly and securely creating value out of data, making the products and services that we offer more innovative, competitive and trusted.


[1] http://reports.weforum.org/digital-transformation/

[2] http://www.isaca.org/info/digital-transformation-barometer/index.html

[3] https://www.ibm.com/security/data-breach/index.html


Synopsis

French

Intralot: GDPR and the 4th industrial revolution

Beyond being a compliance requirement, integrating security and privacy into digital transformation projects is an important way to increase competitiveness and trust in products and services. Digital transformation in businesses and government can generate value of several billion euros over the next decade, with artificial intelligence (AI), the Internet of Things (IoT), Big Data and the Cloud at the forefront of the technologies and models that will enable innovation.

The example of a GDPR implementation in Big Data transformation initiatives is used to explain the need for a holistic approach combining technical, organizational, procedural and human-factor controls. The nature of GDPR, which is not entirely technical, is presented, underlining the need to understand the type of data we process, how and why we process it, and how we serve the rights of the data subjects. The need for continuous GDPR compliance, rather than compliance based on one-off projects, is also underlined, conveying the message that data protection is more an investment towards creating high-quality products and services than a mere compliance cost.

Spanish

Intralot: GDPR and the 4th industrial revolution

Integrating security and privacy into digital transformation projects is an important way to increase competitiveness and the trust that products and services generate, in addition to being a requirement that must be met. Digital transformation in businesses and government can open the door to value of thousands of trillions of euros over the next decade, with Artificial Intelligence (AI), the Internet of Things (IoT), Big Data and the cloud at the forefront of the technologies and models that will make innovation possible.

The example of GDPR implementation in large-database transformation initiatives is already used to explain the need for a holistic approach that combines technical, organizational, procedural and human-factor controls. The not solely technical nature of GDPR is presented, stressing the need to understand the types of data we process, why and how we do so, and how we satisfy the rights of the data subjects. The need for constant GDPR compliance, as opposed to one-off projects of this kind, is also underlined, conveying the message that data protection is an investment in creating great products and services rather than a cost that has to be met.
German

Intralot: GDPR and the fourth industrial revolution

Security and privacy as integral components of digital transformation projects are not only required by the authorities but also increase competitiveness and the trust that customers place in products and services. Digital transformation at companies and public authorities can unlock profit potential amounting to several trillion. Artificial intelligence (AI), the Internet of Things, Big Data and the cloud are at the forefront of the technologies and models that pave the way for innovation.

GDPR implementations in big data transformation initiatives are used as an example to illustrate the need for a holistic methodology that combines technical, organizational, procedural and employee-owned controls. Accordingly, GDPR is not an exclusively technical matter. Rather, we must understand which types of data we process, why and how, and how we safeguard the rights of the data subjects in doing so. GDPR must also be implemented continuously and not through isolated projects. Data protection should therefore be regarded as an investment in excellent products and services rather than as a source of compliance costs.
