
GDPR Breach Notification for iGaming Operators: What You Must Report and When

Under Article 33 GDPR the 72-hour breach notification clock starts when you become "aware" of the breach. The EDPB reads awareness as having a reasonable degree of certainty that a security incident has compromised personal data: a short initial investigation to establish that is allowed, but the clock does not wait for the full forensic picture. For iGaming operators holding player KYC documents and financial data, the "high risk to individuals" threshold that additionally triggers direct player notification is easily met. Getting this wrong adds regulatory penalties on top of the breach itself.

The GDPR clock starts when you know. "We didn't know sooner" is not a defence against late notification.

What Triggers a Notification Obligation

  • Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12)). Notification to the supervisory authority is required unless the breach is unlikely to result in a risk to individuals; every breach, notified or not, must be recorded in your internal breach register under Article 33(5)
  • Ransomware encryption is a breach of availability even when nothing was exfiltrated. Whether it must be notified depends on the risk assessment (prompt restoration from a clean backup with no exfiltration may fall below the notification threshold), but it must always be documented, and "no exfiltration" has to be evidenced from logs and forensics, not assumed
  • Unauthorised access to player records by or through a vendor (Fast Track scenario)
  • An employee sending player data to a personal email account
  • Credential stuffing that results in account access to player personal data

The Two-Track Notification Requirement

Track 1 (IDPC, the Information and Data Protection Commissioner, Malta): required under Article 33 for every breach that is not unlikely to result in a risk to individuals, without undue delay and where feasible within 72 hours of becoming aware of it. A notification made after 72 hours must state the reasons for the delay. For an operator whose main establishment is in Malta, the IDPC is the lead supervisory authority even where the affected players are in other Member States. Track 2 (direct player notification): required under Article 34, without undue delay, when the breach is "likely to result in high risk to the rights and freedoms" of individuals. For iGaming breaches involving financial data, KYC documents, or payment details, this threshold is almost always met. The Article 34(3) exemptions (data rendered unintelligible to the attacker, for example properly encrypted with a key that was not compromised; subsequent measures that remove the high risk; or a public communication where contacting each player would involve disproportionate effort) are narrow and the reasoning for relying on one must be recorded.

Frequently Asked Questions

What if the breach was caused by our vendor?

Your GDPR obligations as data controller are not reduced because a processor caused the breach. You remain responsible for notifying the IDPC and, where the high-risk threshold is met, the players. The processor must notify you without undue delay after becoming aware of the breach (Article 33(2)), and you are treated as aware from the moment it does, so your 72 hours run from that notification. Your Article 28 contract should therefore set a concrete deadline for the processor's notification and specify the information it must supply. You may have claims against the vendor, but your obligations to regulators and players are direct.

What does the IDPC notification need to include?

Article 33(3) requires: the nature of the breach, including where possible the categories and approximate number of individuals and of records affected; the name and contact details of the data protection officer or another contact point; the likely consequences; and the measures taken or proposed, including those to mitigate possible adverse effects. If full information is not available within 72 hours, submit a partial notification and supplement it in phases without undue delay (Article 33(4)). Keep the underlying facts, effects and remedial actions in your breach register (Article 33(5)); the IDPC can ask to see it to verify compliance.

Prevent the breaches that trigger GDPR notifications

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
