“Games force people to make decisions.”

Karl Kapp on the use of games in GDPR training

Posted on Apr 24, 2018

Elearning

Games & gamification

“We know the best way for people to look at data and understand what’s protected and what’s not protected is to actually make decisions. The game forces people to make decisions.”
Karl  Kapp  Still
Professor Karl M Kapp

Professor Karl M Kapp is recognised as a leading world authority on learning games. He’s a professor of instructional technology at Bloomsburg University, a consultant, author and an in-demand speaker at learning events around the world. He’s spent many years researching how technologies can impact on learning in corporate and educational settings.

In this interview, Professor Kapp explains why a well-designed game can be particularly effective for a compliance topic like GDPR.

Areas covered by Karl include:

  • How games embed good decision making on data protection
  • The advantages of using games for compliance learning
  • How games support learning transfer by mimicking real life choices  
  • Incorporating games into a wider learning programme

Ahead of the interview, Karl tried out our game, GDPR – Sorted! which has been designed to help train employees for the General Data Protection Regulations (GDPR) are being introduced by the EU on 25 May. 

How do games work in helping employees learn the new GDPR data protection rules?

In a game situation, you’ve got to make a conscious decision about noticing what’s allowable and what’s not allowable and you’ve got to make a conscious, physical movement. You have to swipe right or swipe left. So, a game forces you to make a critical decision. That’s learning by doing because you’re practising. Then, you get behavioural feedback on whether or not you did it correctly. That gives you an overall sense of decision-making.

A lot of times when we learn this kind of information, it’s a lecture about ‘do this, don’t do this’, but that isn’t the learner making a decision, it’s just the learner being told what decision should be made. In this particular case, the game forces the learner to make a conscious decision. And the process of consciously thinking through whether the data should be protected or not, is really a higher-level thinking skill and learning skill, as compared to just sitting there and listening to someone lecture about what you should and shouldn’t do. It forces the learner to act with the content, which is a really good thing to do.

In this game, there’s a fantasy office where the action takes place. What role does that context play?

Fantasy versions in this game, and indeed in many games, plays a very important role. Sometimes, where something is too realistic, but not quite the real thing, people put up their defences and say: “This isn’t like our office,” or “this isn’t the data we deal with,” or “this has nothing to do with me.”

Therefore, you don’t want to be too close to reality. You want the game to be more on the fantasy level. By having a fantasy office where you start in the basement and work your way up to the penthouse in the building, that fantasy allows you to step back and really think through the concepts, rather than think “oh yeah, this is like my work or not like my work.” Instead, it allows you to focus on “is this protected data or not protected data?”

Fantasy lets you step away from your own pre-conceived notions and lets you be more open to the learning because you see it’s a fantasy environment with all sorts of neat elements. But at the same time, it’s still an office where you need to protect this data or that data.  It’s provides a nice distance, yet the concepts that apply in this fantasy world also apply in the real world – and that’s where the transfer of learning comes. Where the cognitive processes to make the decision in the fantasy world are the same as in the real world, then the learning is highly transferable. So, it’s nice to have this kind of fantasy game, that’s like a real office but isn’t really like your office, and where fun things happen. But it is also a learning experience for the learner.

This game has a free play element at the end after the player has worked through all the levels. What is the theory behind having free play in an instructional setting?

A free play allows you to extend the learning and to extend it to different places. Games don’t appeal to absolutely every single person – but neither do lectures or discussions. But there will be some people who will go into the free play and try and get the highest possible score. The good thing about a game designed like this is that they’re getting that same content over and over again, so it’s reinforcing what they know. In fact, the better they reinforce the rules about data privacy, the better they’re going to be at playing the game. Having that free play allows people to build on their knowledge, reinforce their knowledge and expand their knowledge. And it gives people the opportunity to go onto their phone at any time and go into the free play mode. So, it gives people that extra opportunity to practice and apply the skills and gives them the chance to go beyond the game. There are always a certain number of people that like to go beyond what’s required, and this gives them the freedom to do that. It also gives people the chance to go back and reinforce something if they didn’t completely get it the first time. It adds an extra level and allows that extra learning to occur.

What are the advantages of applying this game approach to a compliance topic such as GDPR?

There are a couple of advantages. One, you play the game over time. We know from research that learning things a little bit over time is the best way to learn something, the best way to reinforce content. Sitting people down and lecturing them for two hours about what they can and cannot do, and then going off and hoping they remember it all forever is not realistic. Having a game that you can play a little bit over time is a really good way to do it. And we know the best way for people to look at data and understand what’s protected and what’s not protected is to actually make decisions. The game forces people to make decisions.

Second, it’s about the learning environment. The fines can be quite severe for GDPR non-compliance. You want people to automatically be making decisions on what needs to be protected and what doesn’t need to be protected. In a game, if you play it enough, it almost becomes automatic. The game provides a nice, motivational environment for that reinforcement to happen over and over again, and it’s not intimidating.

Because rules and regulations, especially when handed down by the government, can seem very intimidating, it’s understandable for people to feel: “I don’t know how we’re going to learn all this, I don’t know how we’re going to enforce all this.”  A game takes a little bit of the edge off. People might say: “This is a very serious subject, you shouldn’t be playing games.” But if you look at the history of games, we have war games – well, war is very serious. We have games for health, and health is very serious. With environments where we have serious life and death issues, games are introduced to take the edge off. And GDPR is a very serious issue for organisations, so the game can take the edge off a little bit, but has elements of reinforcement, of transfer, of decision-making, and all of this forces the learner to do the right thing and ultimately, that’s what you want to do – you want to change the behaviour of the employees to do the right thing when they are handling the data. And this game reinforces that behaviour.

How do you think firms would use a game like this? Would it be part of a wider learning programme?

In my research and experience, any kind of learning intervention should be part of a larger learning curriculum, so it makes a lot of sense to provide this game in this way. I always think it might be a good idea to have people, after they’ve played for a while, to get together and talk about it and ask questions, like: “Do you think that was the right decision? How did you do?” Just get some discussions going about the information. Have some reinforcing training here and there, interspersed with the game. If you’re not reinforcing the behaviour over time, behaviours tend to decay, especially when they’re not natural behaviours. So, having a game to reinforce it, having a larger learning process, having managers challenge their group, having leader-boards across the organisation, having those kind of elements and experiences really provide a deeper learning experience. And maybe have a campaign. Put posters up with the spider or some of the other elements of the game, just as a trigger to remind people what they should or shouldn’t do. There’s a lot of value of using the game as a jumping off point for further and continual instructional campaigns to make sure that everybody stays within the guidelines.

You’ve had a go at GDPR – Sorted! What are your thoughts, particularly in consideration to the topic of data protection?

I enjoyed playing the game! It was very engaging, I liked the sense of progress through the levels and trying to get the right answers. And I liked the little ‘Easter Eggs’ that were inside of the game. It really made me think about what data privacy involves, what’s protected and what isn’t protected.  And it showed me this with regard to different methods of communications, for example, email versus messages. So, it really gave me a sense of what I had to protect and what didn’t have to be protected.

Stay up to date with games in learning at Karl's website: karlkapp.com.

GDPR - Sorted!

Introducing a fast-paced engaging game designed specifically to embed core GDPR principles to reduce the risk of data breach by employees.

You may also be interested in