
Why Data Security Is Non-Negotiable in Lottery Management

By Phillip Gerrish, Marketing Services Manager, Sterling | July 2025

For any charity running a lottery, data security isn't just a compliance box to tick. It's a core pillar of trust, reputation and operational integrity.

Lottery players don't just give money for a chance to win; they give personal data, and they expect it to be handled with care. In a world of increasing cyber threats, evolving regulations and more informed supporters, charities must prioritise data protection.

Here’s why data security in lottery management matters more than ever, and what to do about it.

1. Lottery Data Is Confidential and Personal

When someone enters a charity lottery, they typically share:

  • Name
  • Address
  • Bank details (for Direct Debit or card payments)
  • Date of birth (age verification)
  • Contact preferences

This is exactly the kind of data cybercriminals seek. Even a small charity lottery database can be a target for phishing, identity theft, or financial fraud.

Charities must treat this data as a valuable asset, not only to protect players but also to preserve trust.

2. You're Legally Responsible Under Data Protection Laws and Gambling Regulations

Under UK GDPR Article 5, you may only process personal data in accordance with the six data protection principles:

  1. Lawfulness, fairness and transparency – you must ensure that all processing is lawful, meaning it relies on a valid legal basis such as consent, contract or legitimate interest; it must be fair, ensuring supporters are not misled or surprised about how their data is used; and it must be transparent, providing a clear privacy notice that explains what data is collected, the purpose for which it is used, how long it will be retained, who it will be shared with (such as an External Lottery Manager or canvassing agencies), and the rights available to supporters under data protection law.
  2. Purpose limitation – you must collect and use personal data only for clear, specific and legitimate purposes related to running the lottery, and must not use it for any other unrelated purpose unless supporters have given their explicit consent.
  3. Data minimisation – you may only collect the personal data necessary to manage the lottery, and must avoid holding information that is excessive or irrelevant to that purpose.
  4. Accuracy – personal data must be accurate, kept up to date, and corrected or deleted promptly if found to be incorrect.
  5. Storage limitation – you may retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and must securely delete or anonymise it once it is no longer required.
  6. Integrity and confidentiality – you must protect personal data with appropriate technical and organisational measures to prevent unauthorised access, alteration, loss or disclosure.

Reporting obligations in the event of a data breach:

You must report certain personal data breaches to the ICO within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

Gambling Commission LCCP licence condition 15.2.1 requires you to inform the Gambling Commission about any security breach to your environment that could harm the confidentiality of customer data or prevent legitimate users from accessing personal data for longer than 12 hours.

3. Trust Is the Foundation of Long-Term Giving

Supporters don't just support a charity's mission; they support its values.

If a data breach were to expose supporter information (names, payment details or contact data), then in addition to possible regulatory fines, the reputational damage could be catastrophic. It would:

  • Undermine player confidence
  • Lead to complaints and negative press
  • Risk mass cancellations and attrition
  • Damage donor and public trust more broadly

In the digital age, data handling directly shapes brand credibility.

4. Secure Lottery Operations Require the Right Systems and Partners

Whether you run your lottery in-house or engage an External Lottery Manager (ELM), data security must be built into every layer of your operation.

Core best practices include:

  • Security by design – design systems with security in mind from day one, assessing risks early and collecting only the data you truly need.
  • Strong authentication and access control – protect all systems with MFA/2FA and strict, role-based access so that legitimate users only have access to what is necessary to perform their job functions.
  • Secure payment processing – encrypt payment data and never store card details.
  • Rigorous testing and vulnerability management – carry out regular penetration testing, vulnerability scans and prompt patching to stay ahead of threats.
  • Ongoing security assurance and auditing – audit systems, suppliers and access logs regularly to ensure controls remain effective.
  • Incident response and business continuity – have a tested incident response plan, secure backups and clear procedures for reporting and managing breaches.
  • Staff awareness and governance – train staff at onboarding and at least annually, enforce confidentiality, and assign clear responsibility for data protection and information security.

If you work with an ELM, make sure they:

  • Use PCI DSS compliant systems and provide secure data transfer facilities
  • Enforce MFA/2FA, role-based access and regular access reviews for all systems handling supporter data
  • Complete regular penetration tests and vulnerability scans, and undergo independent security audits
  • Maintain up-to-date incident response and business continuity plans, with clear reporting procedures
  • Provide staff security and data protection training, and ensure all personnel follow confidentiality obligations
  • Implement secure data retention and deletion practices in line with UK GDPR and your own policies

A professional ELM should treat your players’ data as if it were their own, and be happy to show you how. They should be able to prove how your player data is protected.

5. It's Not Just About Technology, It's Also About Culture

Even the most secure system can be undermined by human error. Many breaches result from:

  • Phishing emails
  • Weak passwords
  • Misplaced hard drives or printed data
  • Untrained staff handling personal data

Charities must create a culture of data awareness and accountability, especially among fundraising, supporter services and volunteer teams who may access lottery information.

Provide regular training. Have clear policies. Test your team’s understanding. Empower people to spot risks before they become problems.

6. Secure Data Is Smarter Fundraising

The better you protect and manage your lottery data, the more useful and insightful it becomes for fundraising.

With well-structured, compliant data, you can:

  • Understand supporter behaviour
  • Segment by loyalty, giving level, or age
  • Test legacy messaging and appeals
  • Nurture deeper relationships
  • Improve retention and reduce cancellations

In other words, data security fuels strategic growth.

What Every Charity Should Do

Whether you manage your lottery internally or outsource to a partner, ask yourself:

  • Are we informing supporters about how we use their personal data?
  • Are we storing lottery data securely and compliantly?
  • Do we understand where and how our players’ data is processed?
  • Are our systems tested and updated regularly?
  • Do our staff and volunteers receive proper data training?
  • Are we working with a provider who meets high security standards?

If the answer to any of those is “I’m not sure,” it’s time to take a closer look.

Final Thought: Security Is Trust in Action

In charity lotteries, the stakes go far beyond prizes. They include people’s trust, their personal details, and the reputation of your cause.

Strong data security isn't just about avoiding fines or ticking boxes; it's about showing supporters that you care about protecting them.

In an age of increasing digital scrutiny, that care will set the most trusted charities apart.

Need Help?

At Sterling Lotteries, we work with charities to ensure every aspect of lottery management, from data security to player communications, is handled with professionalism, integrity and compliance.

enquiries@sterlinglotteries.co.uk

---------------------------

About Sterling Lotteries

Sterling Lotteries partners with over 800 charities, providing leading prize-led expertise through responsible, innovative, and engaging weekly lotteries and raffles.

We power seamless player experiences, compliance peace of mind, and support charities running creative campaigns that bring prize-led fundraising to life.

www.sterlinglotteries.co.uk

enquiries@sterlinglotteries.co.uk

Telephone: 01229 871380
Sterling Management Centre Limited is licensed and regulated in Great Britain by The Gambling Commission under account number 3137.