Editor’s note: ISACA Belgium Chapter President Marc Vael, CISA, CISM, CGEIT, CRISC, recently took a creative approach to spread awareness about General Data Protection Regulation (GDPR), spearheading a game about the coming regulations that will affect enterprises worldwide. Competitors can win the game by answering GDPR questions correctly and with a little luck with the dice. ISACA Now recently visited with Vael about the game, which will be available on a limited basis at the ISACA chapter leadership event, this weekend in Munich, Germany, prior to EuroCACS. The following is an edited transcript.
ISACA Now: How did this GDPR game come about, and who was primarily involved with its development?
Basically, at my IT company, Smals, we were looking to bring the content of the EU GDPR to this group of IT developers, IT analysts, IT project managers and even management differently, avoiding PowerPoint or brochures or self-assessment questionnaires.
Initially, my colleague Nathalie Dewancker and myself started building “the journey to become EU GDPR compliant,” but that journey was too simple, and we started adding gaming effects, and before we knew it ourselves, we had a full-blown EU GDPR game. We loved the reactions so much that we didn’t want to keep it within our company or for ourselves, and thus we decided to ask ISACA Belgium for support, which the board of ISACA Belgium did by funding the professional look and feel of the EU GDPR game.
ISACA Now: ‘Game’ is probably not the first word that comes to mind when people think about GDPR. Why did you think this format would be a good fit?
True. Most of the messaging happens via PowerPoints, brochures and information on websites. Here and there we discover some apps with the searchable EU GDPR text in different languages or some EU GDPR self-assessment questionnaires. We found out that up to today, we are the only ones with a proper EU GDPR game box. Gamification is a well-known concept, but it is not used enough, in our humble opinion. Moreover, we notice huge discussions between the players, and that is just what we want to achieve: not just “acquiring” knowledge, but critically looking at this knowledge.
ISACA Now: Did it really only take a few weeks to put the game together? How were you able to execute the idea so swiftly?
Yes, we built it from initial journey to full game in three weeks, with some tryouts. Then, molding it into a professional-looking game box took another three weeks, thanks to the help of our external PR agency that we use here in Belgium. So, six weeks in all. And we were just in time to bring our game boxes to the main Belgian INFOSECURITY exhibition in Brussels, where over 3,000 attendees came at the end of March this year. Thus, it was plain teamwork.
ISACA Now: What has been the preliminary response to the game’s release?
Initially, skepticism that participants would learn about “such a complex matter as EU GDPR” via a game. But then, when playing, a lot of discussions happen between the participants and between participants and observers (since there can only be a maximum of four participants, more people can join as observers of the game). It is great fun to see how some people really want to win.
We only made 300 EU GDPR game boxes and almost all are sold now. We initially wanted to give them away for free as marketing, but since we only had 300 game boxes, we did not want to have people take them and throw them away, so we ask only 5 Euro per game box as a token of appreciation and eagerness to have the box.
When we launched the game box at INFOSECURITY BELGIUM, our stand was very popular and people bought all 100 game boxes we brought over there in two days. We were surprised.
ISACA Now: What was the most remarkable reaction you got on the game?
Actually, some players asked why we did not include more information about the EU GDPR in the game box (like a manual on EU GDPR or some form of brochure or leaflet). We did not do that on purpose, and we responded by saying to them “If you play Monopoly, do you first have to follow a real estate course? No. If you play Stratego or Risk, do you first have to follow a military course? No.” So, if you play the EU GDPR game, we believe you do not have to follow some privacy course before playing either, since the objective is to learn about EU GDPR during the game. People truly liked our reaction very much.
ISACA Now: What are some of the biggest implications GDPR could have on organizations that are affected by it?
The need to review and update the inventory of processes and suppliers, execute the privacy risk assessments on the core processes and suppliers, execute privacy awareness amongst employees and external personnel, and test the incident escalation process (to check if they can make it within 72 hours).
ISACA Now: What are a few misconceptions that technology professionals have about GDPR?
Very good question; here are some of the misconceptions I hear frequently from IT experts:
- Some organisations believe they are too small for EU GDPR so they pretend not to fall under the regulation
- Believing EU GDPR is merely an information security issue which can be solved by encrypting all data
- Stating that May 2018 is still far away to handle such a compliance topic
- Believing EU GDPR is a legal topic so legal counsel will handle it
- IT is mainly a data processor so the responsibility for EU GDPR is for the data controller (which is not IT)
ISACA Now: What is the best way for someone to purchase a copy of the game?
When living in Belgium (since the game is in Dutch/French combined), people can come and collect game boxes in our office (if they warn us upfront). When living outside of Belgium, we try to arrange for the cheapest way to get a game box shipped (I can be reached by email at firstname.lastname@example.org). We will also bring some game boxes to the ISACA European chapter leadership meeting this weekend since some ISACA chapter leaders have asked to bring a box over there.