INTRALOT | The challenge of privacy and security in a modern gaming world


In our information-heavy era, global players deal with a large amount of information in their daily lives; they produce, process and share personal data, and they gradually seem to be getting used to it, even enjoying it, most of the time. In a world of constant digitalization, sharing personal information is inevitable. The more people are interconnected and the more customized the information they receive, the more they value their personal privacy.

One of the most common concerns for “digital” players is that personal information can easily be shared (intentionally or unintentionally) via digital channels. This is more than a fair concern, since the need for personal data protection goes together with the multi-channel nature of the digital experience. People globally prefer to conduct tasks digitally where possible, for example through websites, mobile apps, social networks and email (in fact, this percentage has shown a 50%-60% rate of increase following the latest events of the Covid-19 pandemic), and they tend to use multiple different electronic devices daily to do so. The most common digital tasks are not confined to passive ‘reception’ of information but also extend to content consumption, task scheduling (e.g. remote working), financial management and, of course, online payments or purchases.


Even though data protection and privacy are of paramount importance to all, global gaming industries (e.g. lotteries, sports betting, etc.) seem to adopt different attitudes and ‘intensity’ of concern. An important factor in this differentiation is the variation in companies’ maturity level in terms of data privacy, but also complexity, which is perceived as a barrier to implementing concrete data protection controls.

The complexity issue is closely linked to companies’ efforts to pursue digital transformation strategies (as pillars of sustainable growth) while often failing to adopt internationally recognized standards and governance frameworks. Failing to adopt appropriate standards for data privacy and information security can be devastating during an organization’s digital transformation. Recent studies have shown that the costs of data breach incidents are on the rise, and that a breach could cost an organization a remarkable share of its annual revenue or even seriously damage its reputation.

In the digital transformation era of the gaming market, the challenge of collecting and processing players’ personal data is higher than ever. Players themselves appreciate it when targeting occurs on an almost personal level since it offers the opportunity for a truly personalized, expanded, richer and more intense gaming experience, across channels, devices and preferred games. However, even players, who tend to be quite open-minded and ready to adopt innovation, value their personal privacy and avoid unscrupulous exposure.

At INTRALOT it has become clear that protecting personal information requires, on the one hand, an understanding of potential risks (e.g. financial, regulatory, reputational, etc.) and, on the other hand, deep knowledge of the technologies that are used and the types of data that are processed. The purpose and manner of processing, and how to serve the rights of any natural person whose personal data is being collected, are also important factors that should be considered. Therefore, a strong data and technology governance model that follows the principles of security and privacy by design should be one of the top priorities in the gaming market today.


In the modern gaming industry, privacy should be built into the product by default or included during the design phase of the solution. So, even if players do not change anything in an application or service, their privacy should remain intact (e.g. encryption in transit, at rest, etc.). Furthermore, a privacy by design and by default approach in a product can strengthen the data minimization principle by preventing the processing of original personal data through the use of alternative mechanisms (e.g. pseudonymized data, anonymized data, etc.). Either way, it can maintain players’ privacy by limiting processing to the minimum data needed for each specific purpose, while at the same time building trust between the data controller (the gaming company) and the data subjects (the players).

On the other side, gaming solutions should include, by default or during the design phase of the solution, assurance mechanisms for cybersecurity as well as anti-fraud capabilities. Nowadays, digital transformation strategies are imperative and involve player mobility across multiple channels (e.g. Desktop, Mobile, Apps, etc.). However, this increases the organization’s risk exposure and requires efficient measures that protect the company in line with its risk appetite. For these measures to be efficient, they should be transparent to the player (to avoid impact on the user experience) and should address cybersecurity needs holistically by following a dedicated strategy based on the five fundamental elements: Identify, Protect, Detect, Respond and Recover.


An end-to-end approach to privacy and security should include, besides the appropriate technical measures, the organizational measures that need to be implemented. Organizational issues should therefore be approached in a structured way by following international standards. Information security is the more readily understood concept, because of its long-standing maturity in the industry and because of the international standards that have been followed for several years now, such as ISO 27001:2013 and ISO 27002:2013.

However, data protection regulations and laws around the globe, new in most cases, have brought several developments in the field of personal data and have created an urgent need for similar international standards in the field of privacy. So, a standard has recently been introduced for implementing and continually improving a Privacy Information Management System (PIMS), in the form of an extension to ISO 27001 and ISO 27002 for privacy management within the context of the organization: ISO 27701:2019.

On the same topic, constructive activity has recently been observed at the World Lottery Association, which is in a preparatory phase to upgrade, within the year, the current WLA Security Control Standard (WLA SCS:2016) to a new one that will cover the increasing needs of modern gaming environments.

So, privacy and security should not be approached only as compliance requirements in the industry, but rather as an opportunity for a competitive advantage embedded in modern gaming solutions that works as a business enabler.

By Karakasiliotis Athanasios, Group Information Security Director, INTRALOT




The challenge of privacy and security in the modern gaming world

In our heavily information-laden era, global players face a large amount of information in their daily lives; they produce, process and share personal data, and they gradually seem to get used to it, and even to enjoy it, most of the time. One of the most common concerns for “digital” players is that personal information can easily be shared (intentionally or not) via digital channels. This is a more than reasonable concern, because the need to protect personal data goes hand in hand with the multichannel approach to the digital experience. The more people are interconnected and the more personalized the information they receive, the more important the protection of their privacy becomes.

In a world of constant digitization, sharing personal information is inevitable, but the challenge for the gaming market of collecting and processing players’ personal data is greater than ever. Even though data protection and privacy are paramount for all, global industries seem to adopt different attitudes and “intensity” of concern. An important factor in this differentiation is the gap in a company’s maturity level in terms of data privacy, but also complexity, perceived as a barrier to implementing concrete data protection and security controls.

For INTRALOT, it has become clear that protecting personal information requires, on the one hand, an understanding of the potential risks (e.g. financial, regulatory, reputational, etc.) and, on the other, in-depth knowledge of the technologies used and the types of data processed. For this objective to be achieved in the modern gaming industry, privacy and security must be built into the product by default or be included during the design phase of the solution. Thus, even if players change nothing in an application or a service provided, their privacy and the assurance of their security must remain intact as fundamental elements. However, an end-to-end approach to privacy and security must include, in addition to the appropriate technical measures, organizational measures that must be implemented by the gaming industry by adopting international privacy and security standards.


The challenge of privacy and security in the modern world of gaming

In this information era, with data everywhere, players around the world encounter a large amount of information in their daily lives; they produce, process and share personal data, and they seem to be getting used to it, or even to enjoy it in many cases. One of the most common concerns of “digital” players is that personal information can easily be shared (intentionally or unintentionally) through digital channels. This is more than a valid concern, since the need to protect personal data is accompanied by a multi-channeling of the digital experience. The more interconnected people are and the more personalized the information they receive, the more they value their personal privacy.

In a world of constant digitalization, sharing personal information is inevitable, but it is also true that the challenge posed by the collection and processing of players’ personal data in the gaming market is greater than ever. Although data protection and privacy are of paramount importance to all, global industries seem to adopt different attitudes and levels of “intensity” of concern. An important factor in this differentiation is the differing degree of maturity of a company in terms of data privacy, but also the fact that complexity is perceived as a barrier to implementing concrete data protection and security controls.

At INTRALOT it has become clear that protecting personal information requires, on the one hand, an understanding of the possible risks (e.g. financial, regulatory, reputational, etc.) and, on the other hand, deep knowledge of the technologies used and the types of data processed. For this objective to be achievable in the modern gaming sector, privacy and security must be introduced into the product by default or included during the design phase of the solution. Therefore, even if players do not change anything in an application or service provided, their privacy and security assurance must remain intact as fundamental elements. Nevertheless, a comprehensive approach to privacy and security must include the appropriate technical measures as well as the organizational measures needed in the gaming industry, adopting international standards for privacy and security.


Data protection and security as a challenge in the modern world of gaming

In our age of information overload, players worldwide come into contact with a large amount of information every day. They produce, process and share personal data, and they seem to be gradually getting used to this state of affairs and, most of the time, even to enjoy it. One of the most common worries of “digital” players is that personal information can be passed on, intentionally or unintentionally, via digital channels. Against the background of digital multi-channeling and the resulting need to protect personal data, this worry is more than justified. The more people are networked with one another and the more individual the information they receive, the more important their privacy is to them.

In a world of constant digitalization, the exchange of personal information is unavoidable. For the gaming market, however, the collection and processing of players’ personal data represents an unprecedented challenge. Even though data protection and privacy are regarded as extremely important by all involved, industries worldwide seem to take different attitudes to the “urgency” of this concern. Important factors in this differentiation are, on the one hand, the differing maturity levels that prevail among companies with regard to data protection and, on the other hand, complexity, which is perceived as an obstacle to implementing concrete data protection and security controls.

INTRALOT made clear that protecting personal data requires, on the one hand, an understanding of potential risks (such as financial, regulatory or reputational risks, etc.) and, on the other hand, in-depth knowledge of which technologies are used and what kind of data is processed. To achieve this goal in the modern gaming industry, data protection and security should be integrated into the product by default or included in the design phase of the solution. Even when players make no changes to an application or a service provided, their data protection and security assurance should be preserved as fundamental elements. An end-to-end approach to data protection and security should, however, include not only the appropriate technical measures but also the organizational measures that must be implemented by the gaming industry through the adoption of international data protection and security standards.
