It's all fun and games, and some legalese: data protection implications for increasing cyber-skills of employees through games

Abstract

In order to combat cyberattacks, an organisation can decide to train its employees. Improving cyber-skills of employees through educational games means their personal data will be processed and therefore it falls under the scope of the General Data Protection Regulation (GDPR). The goal of this paper is to address challenges that organisations are likely to face in practice, such as invalidity of employees' consent and over-intrusive monitoring. It argues that in order to approach training lawfully, organisations should (1) choose their external trainer with due diligence, (2) carry out a data protection impact assessment, and under certain circumstances (3) appoint a data protection officer.