GDPR: How to play yourself into action
Orkla Credit has chosen a different approach to GDPR. See how this company is playing its way to readiness for the new data protection rules.
"Remember the civil status! And account number!"
The comments hail down on Astrid Hoston, head of production at Orkla Credit in Orkanger in Sør-Trøndelag. She has been given the task of writing down all of the personal data that is processed by the company. And that is no small quantity.
They soon have more than fifty notes down on the game board. Astrid and five of her colleagues have set aside the day to get ready for GDPR, the new data protection rules to be introduced in May 2018, with the aid of Serious Game GDPR.
Stress tests and mapping
The notes on the game board form the basis of Serious Game GDPR. The game has been developed by Sticos in partnership with House of Knowledge and is a new and fun way to approach the regulations.
“We could have sat with a law book each and learned the regulations on our own, but that takes a lot of time and effort. This is an incredibly effective way of learning and everyone is included in the process,” says Oddbjørn Botnan, General Manager of Orkla Credit.
The discussion goes around the table. Suddenly it becomes quiet. One of the employees has drawn a card: A stress test! On the card it says:
“Lars has never had an eye for detail. Now he has sent an e-mail to the wrong person. The recipient is outside the company and the e-mail contained a list of customer receivables that was to be sent to a debt collection company.”
Cards are moved on the table while data protection expert and supervisor Ranveig Fjellheim Tunaal from Sticos watches. She is one of the regular game supervisors and guides participants through the day.
“Think about who must be involved in such a situation. What are the problems and risks in this scenario?” she asks while the eager participants discuss it among themselves.
From theory to practice
Using 44 playing cards, the participants are taken through 10 steps that will get them ready for GDPR, explains Ranveig:
“The complex subject area is made simple by linking examples to the theory and by challenging players with tasks directly related to what they have just learned.”
General Manager Oddbjørn Botnan recognises several of the scenarios:
“Sending an e-mail to the wrong recipient is something that can easily happen. We are already very concerned about following security routines, but we can always tighten them up. And from May onwards the consequences of failure are much worse.”
The work continues
After the game is finished, the nationwide debt collection agency Orkla Credit has mapped out all the personal data that it processes, along with the purpose and reason for processing that each type of data has or lacks.
“We also assist in mapping out risk areas, existing routines and roles. All the time we keep the mapping consistent with the regulations. When you have finished, you’re left with a concrete action plan for your company,” says Ranveig Fjellheim Tunaal.
Oddbjørn Botnan and the rest of the company employees are looking forward to embarking on further work:
“For many people, GDPR is something big and scary. For us it is now understandable. We now know what the challenges are and what we shall be working on, and we have the tools we need to get started. We wouldn’t have done it as well without playing the game.”
The game takes a total of 7 hours and there is an introduction to the regulations worked into the programme.