An AI-Powered Web-Based Serious Game Platform for GDPR Compliance

Empowering developers with adaptive learning to build privacy-aware software.

Abstract

The General Data Protection Regulation (GDPR) establishes comprehensive rules governing how personal data is collected, stored, and handled, placing legal and ethical responsibilities on software developers. Despite its importance, privacy education remains insufficiently addressed in conventional developer training. This paper presents the design and development of an AI-powered, gamified web-based application aimed at motivating software developers to adopt secure coding practices through experiential learning of GDPR principles. Building upon a previously designed game framework for GDPR compliance and grounded in a serious game design conceptual framework, the game integrates pedagogical elements such as challenge-based learning, adaptive difficulty, and personalized feedback to enhance engagement and learning outcomes. A reinforcement learning-based mechanism adjusts question complexity based on player performance, while a Large Language Model (LLM) provides interactive, contextualized feedback following incorrect responses. To evaluate the effectiveness of the proposed serious game platform, a pilot study was conducted via pre- and post-assessments and subjective feedback forms. The results indicate a notable improvement in developers’ understanding of GDPR concepts and their practical application in privacy-conscious software development, demonstrating the value of adaptive serious games in advancing developer-oriented privacy education.

Introduction

In the rapidly changing digital world, data breaches remain a persistent threat, exposing users to privacy risks and causing financial losses for software development organizations. In 2023, the United States experienced 3,205 data compromises, affecting over 353 million individuals, marking a 78% increase from the previous year. The global average cost of a data breach in 2024 reached $4.88 million, a 10% increase from the previous year.

These incidents highlight the critical need for robust privacy-preserving mechanisms. Approaches such as Data Minimization, Fair Information Practice, Privacy by Design, and regulatory frameworks like GDPR have been introduced. However, the lack of awareness, training, and education on privacy techniques among developers has led to reduced privacy for end users. Developers often prioritize functionality over security due to time constraints and limited security awareness, leading to insecure coding practices. Comprehensive privacy training has been emphasized, yet traditional methods like lectures and static documentation often fail to engage learners effectively, resulting in poor knowledge retention and limited real-world application.

Consequently, there is growing interest in exploring more engaging training approaches. Both industry and academia increasingly adopt Gamification, Games for Learning, and Game-Based Learning to improve trainee engagement and retention. Arachchilage and Hameed proposed a serious game framework to improve secure coding behavior, integrating motivational elements, Bloom’s Taxonomy, and a data minimization model. This framework was later extended to cover all GDPR principles and implemented as a browser-based gamified platform to train developers on GDPR compliance.

While these approaches enhance awareness and motivation, they lack concrete mechanisms to sustain engagement. Features such as dynamic feedback, adaptability to individual learners, and alignment with intended learning outcomes are missing. Adaptive difficulty helps maintain engagement, because games that are too easy can be boring, while games that are overly difficult can be frustrating. Reinforcement Learning, specifically Q-learning, has proven effective in adjusting game difficulty based on user interactions. Feedback mechanisms further sustain interest by providing real-time responses, improving motivation, knowledge retention, and skill acquisition. Large Language Models offer opportunities for personalized, adaptive feedback in programming education.

To ensure serious games are both pedagogically sound and engaging, integrating adaptive difficulty and interactive feedback strengthens the framework, keeping learners motivated while achieving the intended educational outcomes.
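
The Q-learning difficulty adjustment described above, sketched as an added example in JavaScript (the platform's stack); it is not the project's code. The state (difficulty level plus last answer), the three actions, the reward, the hyperparameters and the simulated player are all assumptions made for illustration.

```javascript
// Added example. State encoding, actions, reward and hyperparameters are assumptions.
const ACTIONS = [0, 1, -1];   // stay, step up, step down (ties resolve to "stay")
const MAX_LEVEL = 2;          // 0 = easy, 1 = medium, 2 = hard
function mulberry32(a) {      // small seeded PRNG so training runs are reproducible
  return () => {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

class DifficultyAgent {
  constructor({ alpha = 0.3, gamma = 0.8, epsilon = 0.2, rng = Math.random } = {}) {
    Object.assign(this, { alpha, gamma, epsilon, rng });
    this.q = new Map();       // "level|lastCorrect" -> one Q-value per action
  }
  row(level, lastCorrect) {
    const key = `${level}|${lastCorrect ? 1 : 0}`;
    if (!this.q.has(key)) this.q.set(key, ACTIONS.map(() => 0));
    return this.q.get(key);
  }
  greedy(level, lastCorrect) { // index of the best-valued action in this state
    const r = this.row(level, lastCorrect);
    return r.indexOf(Math.max(...r));
  }
  choose(level, lastCorrect) { // epsilon-greedy: explore sometimes, else exploit
    if (this.rng() < this.epsilon) return Math.floor(this.rng() * ACTIONS.length);
    return this.greedy(level, lastCorrect);
  }
  update(s, a, reward, next) { // Q(s,a) += alpha * (r + gamma * max Q(s',.) - Q(s,a))
    const r = this.row(...s);
    r[a] += this.alpha * (reward + this.gamma * Math.max(...this.row(...next)) - r[a]);
  }
}
// Assumed reward: harder correct answers score more, a wrong answer costs 1.
const reward = (level, correct) => (correct ? level + 1 : -1);
// Constructed player model: answers correctly up to `skill`, wrongly above it.
function train(agent, skill, steps) {
  let level = 0, correct = true;
  for (let i = 0; i < steps; i++) {
    const s = [level, correct], a = agent.choose(level, correct);
    level = Math.min(MAX_LEVEL, Math.max(0, level + ACTIONS[a]));
    correct = level <= skill;
    agent.update(s, a, reward(level, correct), [level, correct]);
  }
  return agent;
}
const policy = (agent, level, lastCorrect) => ACTIONS[agent.greedy(level, lastCorrect)]; // -1, 0 or +1
```

Trained against the constructed player with `skill = 1`, the learned policy steps up from easy, stays at medium and steps back down from hard, which is the "neither boring nor frustrating" behaviour the paragraph argues for.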

Methodology

The project followed a structured methodology designed to evaluate the impact of adaptive learning in a serious game environment:

  • Development: Two game versions were developed using the MERN stack (MongoDB, Express.js, React, Node.js) and deployed on AWS EC2:
    • Non-adaptive game – Baseline version without adaptive features.
    • Adaptive game – Integrated Q-learning for dynamic difficulty and ChatGPT for personalized feedback.
Figure 3: High-level architecture of the game framework
  • Pilot Study: 20 undergraduate students with programming knowledge but no prior GDPR training were split into two groups:
    • Group A – Played the non-adaptive version.
    • Group B – Played the adaptive version.
  • Assessment: Pre- and post-tests measured knowledge gain. A 5-point Likert scale was used to evaluate engagement, usability, and realism.
  • Analysis: Paired and independent t-tests were conducted to compare learning outcomes and effectiveness between the two groups.

Results

  1. Knowledge Gain: Both adaptive and non-adaptive versions significantly improved GDPR knowledge (p < 0.05), confirming the educational effectiveness of serious games.
  2. Effectiveness of Adaptability: The adaptive game showed a higher mean improvement in knowledge gain than the non-adaptive one (p < 0.05), validating the impact of personalized difficulty.
  3. Subjective Satisfaction (Likert Scale Averages): Participants rated their experiences across multiple dimensions using a 5-point Likert scale. The adaptive version consistently outperformed the non-adaptive version across all categories.

Dimension                        Non-Adaptive   Adaptive
Gaming Experience & Engagement   3.80           4.33
Learning Experience              3.92           4.60
Adaptive Difficulty Mechanism    2.90           4.75
Feedback Mechanism               3.47           4.67
Usability and Interface          4.10           4.37
Scenario Realism                 4.60           4.65
Impact and Takeaway              4.65           4.90

Conclusion

Our AI-powered serious game effectively improves GDPR knowledge, user engagement, and developer motivation. Adaptive difficulty and personalized feedback mechanisms were especially impactful in enhancing learning outcomes and retention.

Publication

Publications will be added here once the research has been published.

Team Members

  • Fahman M.H.M. – E/19/105
  • Faheeh M.F.M – E/19/106
  • Musthaq S.M. – E/19/247
  • Prof. Roshan G. Ragel – Supervisor
  • Dr. Nalin Arachchilage – Supervisor