Data Protection Impact Assessment

Project Name: Gamban

Date of Assessment: 02/11/2024

Assessor(s): Nick Michalopoulos

This DPIA is necessary due to changes in data handling practices, more specifically client data being classified as Special Category Data. This creates the need for a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk.

What data will be processed?

• Identity data: includes user name;
• Contact data: includes user email address & phone number;
• Device data: includes information about the various devices that our blocking licence covers.
• Marketing data: user preferences with regards to receiving our newsletter.
• Profile data: includes gambling addiction status which includes level of gambling, time of last gambling session, your user name,
• Technical Data: includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices users use to access the Gamban website.
• Transaction data: includes details about payments to and from the user and other details of Services that the user has purchased;
• Usage Data: includes information our website & products usage trends

Purpose of the data processing:

• Software services
• Important notifications regarding the product, helpdesk functions and when the subscription is about to come to an end
• Internal records maintenance
• Statistical analysis for product development reasons

Who will have access to the data:

• Regulatory bodies
• Statutory bodies
• The police
• Any other competent authority that has specific functions stipulated by law
• Third parties where the user has expressly agreed we can share their personal information with
• Business partners and service providers

Data flow:

1. Data Collection: User data is collected when individuals sign up via the Gamban website or app.
2. Data Transmission: Data is securely transmitted over HTTPS to Gamban's servers. Device-specific data is communicated between the user's device and Gamban's system to enable blocking functionality.
3. Data Storage: Collected data is stored in encrypted databases hosted on Azure (Microsoft Corporation).
4. Data Usage: Data is processed as expressed earlier.
5. Data Sharing: Data is not shared with third parties unless explicitly consented to by users or required by law.
6. Data Deletion: Users can request data deletion via the app or support. Deleted data is permanently removed from active servers and backups within 12 months.

Where is the data being processed?

• Primary Data Processing Locations: Data is processed and stored on servers hosted by Azure] in the UK and EU. Localized data processing occurs on user devices to enable blocking functionality.
• Backup and Disaster Recovery Locations: Encrypted backups are stored in the UK & EU.
• Third-Party Services: Limited data (e.g., for email notifications or user support), or platform-specific data may be processed by trusted third-party providers:
  • Zendesk, Inc.
  • Braintree (a PayPal company)
  • Apple Inc.
  • Google LLC,with their location and terms of processing as listed on each of their Data Processing Agreements.

Gamban relies on the following lawful bases for processing user data:

• Consent (Article 6(1)(a) and Article 9(2)(a)): Users provide explicit consent for the processing of their personal and special category data when signing up for the service.
• Performance of a Contract (Article 6(1)(b)): Data processing is necessary to fulfill the contractual obligation of providing a gambling-blocking service.
• Substantial Public Interest (Article 9(2)(g)): Processing special category data supports the public health objective of mitigating gambling-related harm, aligning with national laws.

Data processing is essential to provide Gamban’s core functionality: blocking gambling-related content on users’ devices. For instance:

• Personal Data: Email addresses and device identifiers are required to authenticate users, configure device-specific blocking, and provide support.
• Special Category Data: Behavioral data linked to gambling self-exclusion ensures the service is tailored to address gambling-related harm.

Without this, Gamban cannot deliver its services effectively or support its mission to reduce gambling-related harm.The data collected is minimized to the extent necessary for achieving the service's purpose. Measures include:

• Only essential data: Gamban does not collect excessive personal or sensitive data.
• Anonymization: Aggregated and anonymized data is used for analytics wherever possible.

Gamban ensures compliance with the UK GDPR by implementing robust measures to uphold data subject rights, including:

Right to Access (Article 15):

• Users can request access to their personal data via email or the app.
• Gamban provides a copy of the data, typically within one month, ensuring it is in a clear and commonly used format.

Right to Rectification (Article 16):

• Users can request corrections to inaccurate or incomplete personal data.
• Changes are implemented promptly, and users are notified once rectification is complete.

Right to Erasure (Article 17):

• Users can request the deletion of their data when it is no longer necessary for the purpose it was collected, or if they withdraw consent.
• Upon receipt of a valid request, data is permanently deleted from active systems and backups within [specified timeframe, e.g., 30 days].

Right to Restriction of Processing (Article 18):

• Users can request that Gamban temporarily restrict processing of their data while resolving issues such as accuracy or legal claims.
• Data remains stored but is not actively processed until the restriction is lifted.

Right to Data Portability (Article 20):

• Users can request a copy of their data in a structured, machine-readable format to transfer to another service.

Right to Object (Article 21):

• Users can object to processing based on legitimate interests or direct marketing.
• In cases of objection, Gamban ceases processing unless overriding legitimate grounds exist.

Right to Withdraw Consent (Article 7(3)):

• Users can withdraw their consent at any time via account settings or by contacting support.

Automated Decision-Making (Article 22):

• Gamban does not engage in automated decision-making or profiling that produces legal or similarly significant effects.

In order to facilitate these rights, Gamban has implemented:

• Privacy Policy & Cookie Policy: Clear instructions on how users can exercise their rights.
• User Support: A dedicated support team assists with rights requests and queries.
• Data Protection Policy: Internal processes ensure timely and compliant handling of requests.

• Were stakeholders consulted during the DPIA? Yes
• Who was consulted?
  • Jack Symons: Co-founder
  • Matt Zarb-Cousin: Co-founder
  • Nick Michalopoulos: Data Protection Officer
• Consultation Summary: During the DPIA process, Jack Symons, Matt Zarb-Cousin, and Nick Michalopoulos were consulted to provide insights on Gamban’s data processing activities and the alignment of these processes with the company’s mission to reduce gambling-related harm. Their feedback helped:
  • Identify key risks associated with handling special category data.
  • Validate the necessity of data collection and processing for delivering core services.
  • Review existing data protection measures and propose improvements where necessary.
  • Ensure the DPIA reflects Gamban's commitment to user privacy and compliance with UK GDPR requirements.

Their input has been instrumental in shaping a comprehensive and effective DPIA.

The DPIA has been deemed acceptable with the proposed risk mitigations and has been approved by the management. As of now, there are no high risks remaining that cannot be mitigated through the proposed measures. However, if any risks arise in the future, the following steps will be taken to resolve or mitigate them:

• Enhanced security measures: Implementing additional encryption or more frequent vulnerability scans.
• Regular reviews: Conducting periodic reviews of data processing practices, particularly when new services or features are introduced.
• User notification: If a high-risk situation is identified, users will be notified promptly, and appropriate remediation will be carried out.

Date of completion: 14/11/2024

Reviewed by (management): Jack Symons

Record-keeping: Nick Michalopoulos

• www.gamban.com/privacy
• www.gamban.com/privacy/cookies
• www.gamban.com/terms
• www.gamban.com/eula