From the 25th May, games businesses operating in the European Union will need to be compliant with the incoming General Data Protection Regulation (GDPR) directive.

Built upon existing directives, GDPR strengthens the rights of the individual over their data while placing a heavier regulatory burden on data controllers and processors. This means that games businesses of all shapes and sizes must be ready for the incoming changes and adapting their practices to fit the law.

But while there are some great summaries of the incoming legal changes, it can be hard to turn changes in the legal landscape – such as the emergence of the principle of ‘privacy by design’ – into day-to-day business practice. This is particularly worrisome because GDPR breaches can lead to multi-million euro fines.

One person who has had to ensure that his team is GDPR compliant is Robbie Cooke, Head of Marketing at Rebellion. So we caught up with him to find out how he has helped the publisher’s marketing team meet the new standards.

Gamesforum: For most companies, the arrival of GDPR has been seen as a large – potentially inconvenient – change to working practices. How challenging, or otherwise, has Rebellion found adapting to it?

Robbie Cooke (RC): As game developers, we’re already experienced at delivering big projects across different teams and disciplines, so it’s been less a challenge than an exercise in making sure that teams across Rebellion made GDPR a part of their work.

The incoming regulation makes a number of demands on businesses, such as forcing companies to document their data protection processes and in some cases making a member of staff a data protection officer. What practical steps has the company taken to make it GDPR compliant?

RC: We formed a small team of staff from each department suited to leading GDPR efforts. Crucially we made the decision to hire in legal support which helped answer some scary questions and bust a few big myths. Then as teams, we went about mapping out how data is gathered, moved and used and cross-referenced this with other teams.

Right now we’re doing the important bit – identifying what practices we need to change, and communicating clearly to everyone how we should be doing things in the future.

One of the important new principles for GDPR is "privacy by design", which forces data controllers to consider the best way to ensure that companies are set up to only gather, use and transmit the individual data that they really need. How has the introduction of this principle affected the way that Rebellion works across the company?

RC: A couple of years ago when the dev team added analytics to Sniper Elite 4 (the first time we’d ever done this in our biggest game series) it was made clear by Chris and Jason (Rebellion’s owners and founders) that we shouldn’t force or trick anyone into providing this data and also keep it anonymous, so as a company position we already had a strong lead.

At a more rudimentary level for the future I think it’s changing “could we collect data here?” into “should we”? Will our players benefit? Will it make the game better? Will it make our marketing more relevant to them? And if that’s all true, can we do so in a way that protects their privacy rights?

The arrival of GDPR will allow individuals to have a clearer idea of what data a company has stored on them and what they're being used for. How is Rebellion adapting to this need?

RC: This idea of asking for people’s consent to use their data, to store it securely and delete it when they ask is not really new – it’s been best practice in marketing for a while now.

Fortunately, we’ve already found that we’re not going to have to make any drastic changes on the marketing side. It’ll mainly be back ended stuff – like the way we store lots of different data sources and keep them safe, for example.

We’re also going to take a look at older data we have from when we started out publishing and marketing our own games and ask whether it’s compliant and whether we really need to keep it, and this will then discipline us to regularly review the data we have!

On the whole, do you believe GDPR to be good or bad for the industry? And for either answer, why is that the case?

RC: Again, speaking from a marketing perspective, anything that’s good for our players tends to be good for us. I think lots of games people know that scraping data anywhere and everywhere isn’t the way to success. It’s not about finding the biggest audience but finding the right audience and building trust. In this way, GDPR doesn’t change much to our approach as an industry, but it will help firm up some practices and ditch others for good.

I’m aware though, that I’m lucky enough to be at a studio that has the resource to tackle this from many angles. If you’re an indie dev, there might be more uncertainty and stress around this. I’m far (far!) from an expert, but if anyone wants to reach out to me privately to sense check something, they can find me on twitter: @cookie_vonster

Find out more about the latest developments in the games industry by signing up to our GDPR compliant newsletter here.