As the EU General Data Protection Regulation (GDPR) was written into law on May 25, 2018, many organizations such as Amazon, Facebook, Google, and Microsoft were quick to provide updated privacy policies, SCC contracts and data processing addendums to customers and users in the U.S. and abroad in an effort to conform.
Large organizations on the whole were aware of the GDPR and enacted plans to conform to it long before the May 25, 2018 deadline, but some smaller entities may have been, and may still be, left with questions about how to put in place measures that comply with the new data privacy requirements.
The focal point of this article is the smaller organisational entity of independent video game developers, sometimes referred to as indie game developers, who will almost always collect and process data from users to improve their games, add or remove features, or release new game enhancements. Therefore we will first cover some features of the GDPR that are relevant to indie game developers.
The GDPR sets out seven key principles that should be at the heart of every organisation’s data privacy strategy.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
What is the reach of the GDPR and who is affected?
The current Article 3 states that the GDPR applies:
- “to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union;
- to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing relates to the offering of goods or services (whether free or paid for) or the monitoring of behaviour which takes place within the EU; and
- to the processing of any personal data by a controller outside the EU but in a jurisdiction where Member State law applies by virtue of international law (e.g. a diplomatic mission or consular post).”
Business Issues faced by Indie Game Developers
A video game developer and/or designer, such as an indie game developer, may struggle with compliance with the GDPR as it attempts to collect data from players interacting with its game in an effort to improve the game or add new features. Having a GDPR strategy at the beginning of the development lifecycle can mitigate the risk of post-development data privacy remediation work, and in doing so a proactive organisation can move ahead of the competition while at the same time enhancing its brand.
As such, the developer may be wary or unsure of how to collect such data while still conforming to the GDPR. There are a number of purposes for which the indie game developer may legitimately collect, store and process data, such as:
- To fulfil a contract of membership to the game or game developer
- Payment data for the purchase of in-game store items
- Anti-hacking and rule-breaking enforcement within the game
- Anti-fraud measures to protect against fraudulent payments
- Measuring game utilisation
- Forums and in-game chat
to name a few.
Indie game developers, and developers in general, should take heed of the guidance provided by the European Commission by adopting privacy by design.
What is data protection by design?
Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process, and then throughout its lifecycle. Data Protection Impact Assessments (DPIAs) are the best tool to use.
The GDPR requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrate safeguards into your processing so that you meet the GDPR requirements and protect individual rights.
In essence this means you have to integrate, or ‘cement in’, data protection into your processing activities and business practices.
Data protection by design has broad application. Examples include:
- developing new IT systems, services, products and processes that involve processing personal data;
- developing organisational policies, processes, business practices and/or strategies that have privacy implications;
- physical design;
- embarking on data sharing initiatives; or
- using personal data for new purposes.
Map out the objectives of the Game
In particular, will the video game be offered via a digital publisher like Valve’s Steam platform to an international or worldwide audience?
An interesting source of good gaming advisory articles at gizmofusion is worth following.
The developer should ensure that it has identified the legal basis for processing the players’ data, as covered by Article 6.
Article 6. Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Regardless of which avenue developers decide to utilize when collecting in-game data, indie game developers in particular should adhere to the GDPR by at least documenting the data they process that is subject to the GDPR, in accordance with Article 30 of the GDPR, which provides:
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
The GDPR is here to stay and should therefore be seen as a powerful tool to protect data subjects, players and developer staff alike, but also as a powerful way to gather data and use that data for the good of all those associated with the game.
Relentless Data Privacy and Compliance have implemented GDPR frameworks for some of the largest game developers on the planet. Whether you’re a small indie developer or a large publisher, we are here to help.