Data protection - it's no game!
The gaming sector has moved forward in leaps and bounds since gaming culture first took hold in the 1980s and early 1990s. Many games are now available through a variety of different models; however, a common theme across most of these models is that some element of personal data is captured from the user.
This could range from basic registration details or user information captured when an app is downloaded, through to premium content for which a more comprehensive registration is required and far more personal information is captured. The data captured could relate to the user of the game or to the person downloading it.
No doubt many game providers will want to focus their resources and creativity on the game itself and on its commercial success. However, an element of risk is created if resources and thinking are not also applied to managing data protection risks. How significant that risk is will depend on a variety of factors, including the amount and richness of the data gathered from users.
Given the nature of games today and the variety of media and platforms on which games may be played and made available, it may come as no surprise that the sheer volume and depth of data which may be captured can be extensive. Examples of data which may be captured include name, address, date of birth, registration and password details, images, videos, duration of game-play and location data, to name but a few. As the definitions under data protection legislation are interpreted quite widely, it is inevitable that much of the information captured will be considered personal data governed by the applicable data protection legislation. Gaming companies should therefore consider, as a fundamental part of their gaming strategy, what steps should be taken to proactively address data protection risks. Some of these risks are outlined below.
- Fair and lawful processing – users must be told very clearly what data is being captured from them, the purpose for which that data will be processed, and other important aspects of the processing activity, such as any third parties the data might be shared with (for example advertising, marketing or service providers) and the purposes for which it will be shared with them.
- Data minimisation – gaming companies should resist the temptation to capture as much information as possible from their users, and should conduct a privacy impact assessment on the data that is captured to ensure that the amount and extent of data captured is adequate, relevant and not excessive for the purposes for which the data is originally captured.
- Consider the grounds on which the capture and use of users' data is legitimised and considered lawful under data protection law. In some cases that may involve obtaining the user's consent before the data is used for those purposes. Gaming companies should additionally be aware that particular rules apply to the capture of data from children, and that the specific rules in this regard vary from one country to another.
- Consider how the gaming company will ensure that data security is paramount. It is a fundamental obligation under data protection legislation to make sure that personal data risks are assessed and matched with appropriately measured controls to minimise those risks. Failure to address data security risks is attracting harsher penalties, and there are recent high-profile examples, such as the Sony data breach incident, where the company is not only exposed to financial and reputational risk but now also faces key corporate governance issues, given that major breach incidents can also impact share prices.
- The law around data protection and the capture of information is changing rapidly, so gaming companies should be looking to stay on top of these changes. For example, compliance with the new law on cookies and e-privacy, and the proposals to overhaul EU data protection laws, will inevitably impact the gaming industry.
As outlined above, protection of your users' data is probably one of the most fundamental areas of data protection risk that a gaming company will need to address. A recent example involves an online bingo platform provider, one of whose members of staff was convicted of the criminal offence of unlawfully obtaining and selling personal data relating to over 65,000 online bingo players. Whilst the individual member of staff was personally prosecuted, there is still a reputational issue for the gaming platform provider, and it is inevitable that the corporate name and brand will be affected when such incidents arise. What policies, controls, training and checks do you have in place?
Where a gaming platform provider processes payment-related information when its games and applications are sold to users, it is important to remember that any business which handles payment card or cardholder information must comply with the PCI-DSS rules and standards for the protection of payment-related information. Breaches of these standards can lead to fines and can jeopardise the gaming platform's ability to have any direct or indirect involvement with payment card or cardholder information.
Gaming companies which have not paid as much attention to data protection as they should have would be advised to consider the following five steps.
- Carry out a data protection audit to identify, and then analyse, the gap between the requirements of applicable data protection law and the data capture environment.
- Put a remediation plan in place and implement the appropriate controls and staff training to ensure that a controlled environment is alive and genuinely pervasive throughout the organisation.
- Test the levels of maturity and conformance against the remediation and data protection action plan to ensure that the goals outlined in the plan are being achieved.
- Ensure that the data protection governance environment is sufficiently robust that there is meaningful and effective reporting to a senior position within the company.
- Keep a watching brief on changes to the law, and ensure that new technologies and routes to market are subject to a robust privacy impact assessment so that data protection risks are addressed both by default and by design within the product itself.