GDPR: One year in | Opinion
Too many games businesses remain complacent about complying with GDPR, says Keywords Studios' Andrew Brown
This week marks the first anniversary of the introduction of General Data Protection Regulation (GDPR) in the EU, but what process changes have video game developers and publishers made? Very few is the unfortunate truth.
At the time, you probably received a stream of emails, asking if you were happy for companies to keep your personal details on file. Fast forward 12 months and GDPR has become a subject most people are bored talking about. However, the fact remains that the law is here to stay.
EU citizens now understand their rights better and have more control over the information that companies hold about them. Also, non-EU countries are using GDPR as a template to design their own data privacy laws, with data protection and privacy laws being strengthened globally.
Despite the publicity that GDPR generated prior to its introduction, too many businesses are still complacent about the regulations -- even with the many high-profile cases of data breaches and subsequent fines seen since.
These issues also apply to the gaming sector. All studios, developers and publishers should be aware of the risks associated with overconfidence or lethargy. Having a 'we won't be caught' mentality is the wrong approach.
That's because the regulatory authorities will pursue all types and sizes of organisations and not just the "big guys." Every organisation holding personal data has to take responsibility for data management.
There are still huge risks for the games industry when it comes to data privacy management, and much of the preparation and spending hasn't ensured that developers or publishers are compliant. The new laws caught everyone unaware, despite the fact that most people knew they were coming.
There are no exclusions under the data privacy regulations, and all organisations must comply. This includes large global games developers and publishers, as well as the smaller indie studios. Some of the questions these organisations need to ask themselves include:
- Do we all know what data we hold on our gamers?
- What types of data?
- Where is it stored?
- Who has access to it?
- Is it transferred across geographical borders?
- Do we hold children's data?
- Do we have consent to hold this data?
- Do our suppliers, and any other third parties, have security measures in place?
David Clarke, CTO at The Trust Bridge, Keywords Studios' data management and protection services partner, explains: "These are all critical questions for every studio and publisher to ask.
"Step one is to know what data you hold and where it is. Then you can start to design processes and policies to mitigate the risk of data breach and non-compliance."
Clarke is correct: there are still many gaps in understanding the requirements for data protection, many apps remain non-compliant, and the approach to data privacy must start at the very top of an organisation.
Data protection, privacy, and security must be the default mode of every studio and its staff. It requires the adoption of a studio-wide approach to data protection, treating the data subject (aka the gamer) with respect.
Therefore, studios should adopt policies and embrace data ethics as a business mantra. Effectively it means that, when processing data from a game or app about a gamer, the data should be subject to security and privacy protection. This protection should be embedded into any organisation's processes, policies and business practices throughout the life cycle of operations.
This also means that all employees, from games developers to QA, studio owners and publishers, need to understand the data privacy implications and requirements of their roles within the organisation.
Data protection is an essential component of the core functionality of any system and service, and is one that games studios and publishers must adopt when designing and implementing security measures into their products.
It is now a legal requirement but that does not mean it should be left to the legal department. Designing compliance into a game is the way forward, as trust is the driving force behind the major shift that is taking place in the world of private data. Also, there is the legal consideration, as Privacy Compliance by Design has been defined under Article 25 of the GDPR and adopted in all EU countries.
The data economy of the future demands a higher level of trust between the consumer and the organisations with which they interact, requiring greater transparency, responsibility and accountability from these organisations and their senior management. In this information age, success requires investment in data as a core business asset, but it is a valuable asset that must be handled with care.
Rather than harvesting massive amounts of personal data, it is the intelligent use of permissioned data that is key to success.
Andrew Brown is CMO and Director of Strategic Operations at Keywords Studios, the go-to international services platform for the global video games industry, and was previously SVP Americas at Activision Blizzard.