An AI-Powered Web based Serious Game Platform for GDPR Compliance
Empowering developers with adaptive learning to build privacy-aware software.
Abstraction
This research project introduces an AI-powered, web-based serious game platform designed to enhance software developers' understanding of the General Data Protection Regulation (GDPR). By integrating adaptive difficulty and real-time feedback mechanisms through reinforcement learning and ChatGPT, the platform bridges the gap between theoretical knowledge and practical implementation. A study among software developers showed improved GDPR knowledge, engagement, and motivation to adopt privacy-preserving practices.
Introduction
In the rapidly evolving digital landscape, data breaches
continue to pose significant threats, exposing users to
privacy risks and causing substantial financial losses to
organizations. In 2023, the United States witnessed 3,205 data
compromises affecting over 353 million individuals, marking a
78% increase from the previous year. The global average cost
of a data breach in 2024 reached $4.88 million.
These incidents highlight the urgent need for implementing
robust privacy-preserving mechanisms. Although methodologies
such as Data Minimization (DM), Fair Information Practices
(FIP), Privacy by Design (PbD), and regulatory frameworks like
the General Data Protection Regulation (GDPR) have been
introduced, the lack of awareness and training among
developers has resulted in insecure coding practices.
Developers often prioritize functionality over security due to
time constraints and limited knowledge of privacy techniques.
To address these challenges, researchers have emphasized the
need for comprehensive privacy training for developers.
However, traditional training methods such as lectures and
documentation often fail to engage learners, leading to poor
knowledge retention and limited real-world application.
Consequently, there is growing interest in exploring more
engaging educational approaches. Serious games are
increasingly used to improve knowledge retention. Although
prior frameworks, such as the serious game model by
Arachchilage and Hameed, and its extension by Alhazmi,
introduced GDPR-focused game-based learning tools, they lacked
mechanisms to sustain player engagement, such as adaptive
feedback and dynamic difficulty adjustment.
Building on this foundation, our study enhances the existing
framework by introducing two key mechanisms: adaptive
difficulty and interactive feedback. Adaptive difficulty is
achieved through Reinforcement Learning (Q-learning), which
adjusts question levels based on player performance to
maintain an optimal challenge. Interactive feedback is
delivered through Large Language Models (LLMs), such as
ChatGPT, providing real-time, personalized responses to
improve understanding and motivation.
The proposed game framework integrates GDPR principles with
adaptive learning and real-time AI support to enhance
developers' engagement, knowledge retention, and motivation to
implement privacy-preserving software practices.
Methodology
The project followed a structured methodology designed to evaluate the impact of adaptive learning in a serious game environment:
-
Development: Two game versions were
developed using the MERN stack (MongoDB, Express.js,
React, Node.js) and deployed on AWS EC2:
- Non-adaptive game – Baseline version without adaptive features.
- Adaptive game – Integrated Q-learning for dynamic difficulty and ChatGPT for personalized feedback.

-
Pilot Study: 20 undergraduate students
with programming knowledge but no prior GDPR training were
split into two groups:
- Group A – Played the non-adaptive version.
- Group B – Played the adaptive version.
- Assessment: Pre- and post-tests measured knowledge gain. A 5-point Likert scale was used to evaluate engagement, usability, and realism.
- Analysis: Paired and independent t-tests were conducted to compare learning outcomes and effectiveness between the two groups.
Results
- Knowledge Gain: Both adaptive and non-adaptive versions significantly improved GDPR knowledge (p < 0.05), confirming the educational effectiveness of serious games.
- Effectiveness of Adaptability: The adaptive game showed a higher mean improvement in knowledge gain than the non-adaptive one (p < 0.05), validating the impact of personalized difficulty.
- Subjective Satisfaction (Likert Scale Averages): Participants rated their experiences across multiple dimensions using a 5-point Likert scale. The adaptive version consistently outperformed the non-adaptive version across all categories.
Dimension | Non-Adaptive | Adaptive |
---|---|---|
Gaming Experience & Engagement | 3.80 | 4.33 |
Learning Experience | 3.92 | 4.60 |
Adaptive Difficulty Mechanism | 2.90 | 4.75 |
Feedback Mechanism | 3.47 | 4.67 |
Usability and Interface | 4.10 | 4.37 |
Scenario Realism | 4.60 | 4.65 |
Impact and Takeaway | 4.65 | 4.90 |
Conclusion
Our AI-powered serious game effectively improves GDPR knowledge, user engagement, and developer motivation. Adaptive difficulty and personalized feedback mechanisms were especially impactful in enhancing learning outcomes and retention.
Publication
Publications will be added here once the research has been published.
Team Members

Fahman M.H.M.
E/19/105
Faheeh M.F.M
E/19/106
Musthaq S.M.
E/19/247
Prof. Roshan G. Ragel
Supervisor