An AI-Powered Web based Serious Game Platform for GDPR Compliance

Empowering developers with adaptive learning to build privacy-aware software.

Abstract

This research project introduces an AI-powered, web-based serious game platform designed to enhance software developers' understanding of the General Data Protection Regulation (GDPR). By integrating adaptive difficulty and real-time feedback mechanisms through reinforcement learning and ChatGPT, the platform bridges the gap between theoretical knowledge and practical implementation. A study among software developers showed improved GDPR knowledge, engagement, and motivation to adopt privacy-preserving practices.

Introduction

In the rapidly evolving digital landscape, data breaches continue to pose significant threats, exposing users to privacy risks and causing substantial financial losses to organizations. In 2023, the United States witnessed 3,205 data compromises affecting over 353 million individuals, marking a 78% increase from the previous year. The global average cost of a data breach in 2024 reached $4.88 million.

These incidents highlight the urgent need for implementing robust privacy-preserving mechanisms. Although methodologies such as Data Minimization (DM), Fair Information Practices (FIP), Privacy by Design (PbD), and regulatory frameworks like the General Data Protection Regulation (GDPR) have been introduced, the lack of awareness and training among developers has resulted in insecure coding practices. Developers often prioritize functionality over security due to time constraints and limited knowledge of privacy techniques.

To address these challenges, researchers have emphasized the need for comprehensive privacy training for developers. However, traditional training methods such as lectures and documentation often fail to engage learners, leading to poor knowledge retention and limited real-world application.

Consequently, there is growing interest in exploring more engaging educational approaches. Serious games are increasingly used to improve knowledge retention. Although prior frameworks, such as the serious game model by Arachchilage and Hameed, and its extension by Alhazmi, introduced GDPR-focused game-based learning tools, they lacked mechanisms to sustain player engagement, such as adaptive feedback and dynamic difficulty adjustment.

Building on this foundation, our study enhances the existing framework by introducing two key mechanisms: adaptive difficulty and interactive feedback. Adaptive difficulty is achieved through Reinforcement Learning (Q-learning), which adjusts question levels based on player performance to maintain an optimal challenge. Interactive feedback is delivered through Large Language Models (LLMs), such as ChatGPT, providing real-time, personalized responses to improve understanding and motivation.
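The adaptive-difficulty loop described above, written as tabular Q-learning in JavaScript (the language of the platform's stack). This is an added example, not the project's code: the three difficulty levels, the state and action encoding, the reward scheme, the hyperparameters and the constructed player model are all assumptions.

```javascript
// Added example: tabular Q-learning over question difficulty.
// ASSUMPTIONS (not from the project): 3 levels, state = current level,
// actions = lower/stay/raise, the reward scheme, and the hyperparameters.
const LEVELS = 3;                 // 0 = easy, 1 = medium, 2 = hard
const ACTIONS = [-1, 0, 1];       // lower, stay, raise
const ALPHA = 0.2, GAMMA = 0.9, EPSILON = 0.3;

// Small seeded LCG so the demo is reproducible (not for security use).
function makeRng(seed) {
  let s = seed >>> 0;
  return () => (s = (s * 1664525 + 1013904223) >>> 0) / 4294967296;
}

const clamp = (level) => Math.min(LEVELS - 1, Math.max(0, level));
const argmax = (row) => row.indexOf(Math.max(...row));

// Constructed player model: answers correctly only up to `skill`.
const answersCorrectly = (skill, level) => level <= skill;

// Harder correct answers earn more; a wrong answer is penalised, so the
// best long-run policy holds the hardest level the player can still pass.
const reward = (level, correct) => (correct ? level + 1 : -1);

function train(skill, episodes = 2000, steps = 20, seed = 1) {
  const rng = makeRng(seed);
  const q = Array.from({ length: LEVELS }, () => ACTIONS.map(() => 0));
  for (let e = 0; e < episodes; e++) {
    let state = Math.floor(rng() * LEVELS);      // random starting level
    for (let t = 0; t < steps; t++) {
      // Epsilon-greedy: explore sometimes, otherwise take the best action.
      const a = rng() < EPSILON ? Math.floor(rng() * ACTIONS.length) : argmax(q[state]);
      const next = clamp(state + ACTIONS[a]);
      const r = reward(next, answersCorrectly(skill, next));
      // Q-learning update: move Q(s,a) toward r + gamma * max Q(s', .)
      q[state][a] += ALPHA * (r + GAMMA * Math.max(...q[next]) - q[state][a]);
      state = next;
    }
  }
  return q;
}

// For each current level, the level the greedy policy serves next.
const policy = (q) => q.map((row, s) => clamp(s + ACTIONS[argmax(row)]));

console.log(policy(train(1)));    // constructed medium-skill player
```

For the constructed player who passes easy and medium questions only, the learned policy moves every starting level to medium and holds it there.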

The proposed game framework integrates GDPR principles with adaptive learning and real-time AI support to enhance developers' engagement, knowledge retention, and motivation to implement privacy-preserving software practices.

Methodology

The project followed a structured methodology designed to evaluate the impact of adaptive learning in a serious game environment:

  • Development: Two game versions were developed using the MERN stack (MongoDB, Express.js, React, Node.js) and deployed on AWS EC2:
    • Non-adaptive game – Baseline version without adaptive features.
    • Adaptive game – Integrated Q-learning for dynamic difficulty and ChatGPT for personalized feedback.
    Figure 3: Game architecture (high-level architecture of the game framework)
  • Pilot Study: 20 undergraduate students with programming knowledge but no prior GDPR training were split into two groups:
    • Group A – Played the non-adaptive version.
    • Group B – Played the adaptive version.
  • Assessment: Pre- and post-tests measured knowledge gain. A 5-point Likert scale was used to evaluate engagement, usability, and realism.
  • Analysis: Paired and independent t-tests were conducted to compare learning outcomes and effectiveness between the two groups.

Results

  1. Knowledge Gain: Both adaptive and non-adaptive versions significantly improved GDPR knowledge (p < 0.05), confirming the educational effectiveness of serious games.
  2. Effectiveness of Adaptability: The adaptive game showed a higher mean improvement in knowledge gain than the non-adaptive one (p < 0.05), validating the impact of personalized difficulty.
  3. Subjective Satisfaction (Likert Scale Averages): Participants rated their experiences across multiple dimensions using a 5-point Likert scale. The adaptive version consistently outperformed the non-adaptive version across all categories.
     | Dimension                      | Non-Adaptive | Adaptive |
     | ------------------------------ | ------------ | -------- |
     | Gaming Experience & Engagement | 3.80         | 4.33     |
     | Learning Experience            | 3.92         | 4.60     |
     | Adaptive Difficulty Mechanism  | 2.90         | 4.75     |
     | Feedback Mechanism             | 3.47         | 4.67     |
     | Usability and Interface        | 4.10         | 4.37     |
     | Scenario Realism               | 4.60         | 4.65     |
     | Impact and Takeaway            | 4.65         | 4.90     |

Conclusion

Our AI-powered serious game effectively improves GDPR knowledge, user engagement, and developer motivation. Adaptive difficulty and personalized feedback mechanisms were especially impactful in enhancing learning outcomes and retention.

Publication

Publications will be added here once the research has been published.

Team Members

Fahman M.H.M.

E/19/105

Faheeh M.F.M

E/19/106

Musthaq S.M.

E/19/247

Prof. Roshan G. Ragel

Supervisor

Dr. Nalin Arachchilage

Supervisor