Tote isn’t taking any chances with privacy compliance

• The UK Tote Group is the proud owner and steward of the Tote, the UK’s leading pool betting operator.
• The company holds a great deal of sensitive financial information, particularly through its online business
• The Privacy Compliance Hub has been a one-stop solution that has been very simple to understand and logical to follow

More about the Tote

The Tote has been a core part of British horseracing since 1928 when it was established by Parliament under Winston Churchill as Chancellor of the Exchequer, to provide the public with a safe way to bet and vital funding for the sport.

The UK Tote Group is committed to fulfilling the Tote’s founding mission through revitalising the 95-year old British company to ensure it provides better value and an improved experience to customers, as well as increased funding for British horseracing. The UK Tote Group is backed by racehorse owners and breeders from around the world who believe a stronger UK and Irish host pool is an essential component in the successful future of the sport, as is the case in other successful racing jurisdictions.

The Tote is the pool partner to all 85 British and Irish racecourses, and the UK Tote Group is proud to be able to work with them and all of its media rights and bookmaker partners to bring innovations and improvements to all of its customer channels, including those within its digital business, through the Tote website (tote.co.uk/tote.ie) and the Tote App.

The UK Tote Group is a founding member of the World Tote Association and will co-chair the organisation between 2022-24. The UK Tote Group is committed to working with international partners to grow pool betting in a sustainable manner, while showcasing the benefits of the sector to stakeholders, including customers, regulators, national governments, the racing industry and society as a whole. The Tote employs 200 people who are based in the Tote’s main office in Wigan and its satellite office in London.

How does the Tote operate?

Unlike a bookmaker, pool betting operates like a sweepstake with everyone’s bets collected together in one central pool. When the result is declared, the entire pool, minus the Tote’s commission, is shared between all of the winning bets.   

“I wanted to try and dispel the myth that risk and compliance are just a necessary evil but are instead a core part of a successful and sustainable business”

Bruce Duncan
Director of Risk & DPO

The privacy challenge for Tote

The company holds a great deal of sensitive financial information, particularly through its online business. When purchasing the Tote in 2019 the UK Tote Group had a relatively small workforce, with a number of people who had some knowledge of GDPR. With the subsequent and ongoing expansion of the Tote’s business model, the engineering team did an initial audit and compiled an information asset register as part of phase one. Phase two then  involved hiring a DPO. 

Bruce Duncan was appointed as Head of Risk and DPO in December 2020. “When I joined the company, I did a few months’ worth of risk assessments,” Bruce, who is now the Director of Risk and DPO at Tote, says. “GDPR came up as one of them because we needed to establish robust processes as we grew the business.” 

He also recognised the need to educate the wider business about what privacy and compliance actually are and why they’re important. “Sometimes the heavy lifting – putting standards in place – is the easy part. It’s the engagement and buy in that can be more difficult. But I wanted to try and dispel the myth that risk and compliance are just a necessary evil, but are instead a core part of a successful and sustainable business.” 

How the Privacy Compliance Hub has helped Tote succeed

Duncan’s legal colleagues suggested the Privacy Compliance Hub. “They thought it looked like a one-stop solution and I felt very encouraged by what was being offered: particularly the simplicity of it and the depth of knowledge that Karima and Nigel have. I felt convinced the Route Map would enable us to raise awareness, get buy-in from the wider business, and build a culture of ongoing compliance.” 

Together with a preceding third-party gap analysis and subsequent prioritised remediation to create an initial defensible position, PCH wasn’t a difficult sell to the executive team, he adds: “considering the consequences in terms of fines and reputational damage if something went wrong.” 

“It gives you a very clear indication of what needs to be done … and is building a good base of understanding within the wider business”

Bruce Duncan
Director of Risk & DPO

The successful privacy outcome

The Tote now has 12 internal Privacy Champions, including a risk and compliance apprentice who Duncan says is “adding great value”. The other champions are aligned with each operational and support function, giving the business good insight across all departments as they’re working through the Route Map.

He says he’s been impressed by the level of client service, and that the Privacy Compliance Hub itself has been “very simple to understand and very logical to follow. It gives you a very clear indication of what needs to be done.” And the training has been well received: “the Privacy Guy is very relatable and it’s building a good base of understanding within the wider business”. The Tote has also been able to make use of the array of documents and templates in the Hub to write bespoke protocols and policies. “At the end of the day, we want people to be GDPR compliant as part of their day job. It shouldn’t be a separate task but something they understand, engage with, and do.”