Training your staff for GDPR:

It’s game on!

Posted on Aug 29, 2017

Games & gamification

Getting ready for GPPR is proving a challenge for L&D and compliance.

In an earlier blog, we highlighted how many organisations are struggling to audit and update their existing data protection policies to meet the GDPR deadline. And when it comes to training, L&D have the task of ensuring staff know about the changes and how these changes will affect their work.

GDPR: 10 key points

  • The EU’s General Data Protection Regulation comes into effect on 25 May 2018
  • GDPR has global impact: All organisations in the EU must comply, while those based outside the EU but who offer goods and services to individuals within the EU, must also comply
  • In the UK, GDPR replaces the Data Protection Act of 1998
  • Measures must be taken to ensure complete confidentiality of personal data, both in how that data is stored and used
  • Consent to use people’s personal data (for email-shots, for example) has to be explicit
  • Individuals have a right to know if their data is being used
  • Sharing information with colleagues or forwarding emails might constitute a breach
  • Internet identifiers such as IP addresses and cookies will be regarded as containing personally identifiable information
  • Some organisations will have to employ a Data Protection Officer
  • A serious breach carries a penalty of up to 4% of global turnover or €20 million, whichever is higher, and failure to notify a breach could cost up to 2% of global turnover or €10 million 


Clearly, those in compliance and HR will feel the greatest impact. And any organisation that uses digital or e-marketing will also have to review the way they do business. But the fact is that whatever the organisation, most jobs will be affected by GDPR to a greater or lesser extent.

Non-compliance will be taken extremely seriously, especially in cases where organisations are unable to show that they’ve done all they can to avoid breaches taking place.

Put bluntly, if you don’t train your staff you’re at risk of wilful non-compliance. 

Play the GDPR game

This poses another challenge: how on earth can GDPR training be made engaging so everyone not only does the learning but takes it all in?

Traditional learning methods won’t work for GDPR. Check out how many sections and pages there are on the UK’s official GDPR website, the independent Information Commissioner’s Office. Words, words, words. Very important words, yes, but don’t expect your staff to sit there and read it, let alone absorb it!

Delivering a condensed version in a one-off classroom setting won’t be much use, either. The information will soon be forgotten, even if staff do manage to stay awake through it.

A game or gamification approach, based on the knowledge needed is much more likely to be engaging and memorable for GDPR training. It can be rolled out organisation-wide and it will always be there for staff to turn to as ‘reminders’.

Research has repeatedly shown that game-based learning works.  Here are 8 reasons why:

  • Games are engaging and therefore more memorable and effective
  • They are experiential: learners aren’t told the learning, they do the learning
  • The learning is applied within the experience
  • They are intuitive
  • They use scenarios with consequences within the game setting
  • The learning is more in line with a work setting as it involves systems thinking and critical thinking. Traditional learning is linear thinking, yet jobs aren’t linear.
  • They can be re-played in part or in full; practice makes perfect
  • Games and gamification don’t feel like training
"A game or gamification approach, based on the knowledge needed is much more likely to be engaging and memorable for GDPR training."

The renowned authority on games for learning, Karl Kapp, says that what happens after game-based learning is also valuable. Because the game/gamification is tracked, a full evaluation of the learning outcomes is possible. And an immediate performance evaluation with the learner can feedback precisely where strong and weak points lie.

He also says we shouldn’t under-estimate the social aspect of games and gamification, where learners compare how well they did.

Kapp has produced this simple explanation of how games and gamification ‘fit’ learning that involves regulations and compliance.

Sponge is working with clients on game-based learning for GDPR. In this instance, making the training as much fun as possible makes complete sense.

7 of the most important things to do now on GDPR

A workforce training guide

You may also be interested in