An AI-Powered Web based Serious Game Platform for GDPR Compliance
Empowering developers with adaptive learning to build privacy-aware software.
Abstract
The General Data Protection Regulation (GDPR) establishes comprehensive rules governing how personal data is collected, stored, and handled, placing legal and ethical responsibilities on software developers. Despite its importance, privacy education remains insufficiently addressed in conventional developer training. This paper presents the design and development of an AI-powered, gamified web-based application aimed at motivating software developers to adopt secure coding practices through experiential learning of GDPR principles. Building upon a previously designed game framework for GDPR compliance and grounded in a serious game design conceptual framework, the game integrates pedagogical elements such as challenge-based learning, adaptive difficulty, and personalized feedback to enhance engagement and learning outcomes. A reinforcement learning-based mechanism adjusts question complexity based on player performance, while a Large Language Model (LLM) provides interactive, contextualized feedback following incorrect responses. To evaluate the effectiveness of the proposed serious game platform, a pilot study was conducted via pre- and post-assessments and subjective feedback forms. The results indicate a notable improvement in developers’ understanding of GDPR concepts and their practical application in privacy-conscious software development, demonstrating the value of adaptive serious games in advancing developer-oriented privacy education.
Introduction
In the rapidly changing digital world, data breaches remain a
persistent threat, exposing users to privacy risks and causing
financial losses for software development organizations. In
2023, the United States experienced 3,205 data compromises,
affecting over 353 million individuals, marking a 78% increase
from the previous year. The global average cost of a data
breach in 2024 reached $4.88 million, a 10% increase from the
previous year.
These incidents highlight the critical need for robust
privacy-preserving mechanisms. Approaches such as Data
Minimization, Fair Information Practice, Privacy by Design,
and regulatory frameworks like GDPR have been introduced.
However, the lack of awareness, training, and education on
privacy techniques among developers has led to reduced privacy
for end users. Developers often prioritize functionality over
security due to time constraints and limited security
awareness, leading to insecure coding practices. Comprehensive
privacy training has been emphasized, yet traditional methods
like lectures and static documentation often fail to engage
learners effectively, resulting in poor knowledge retention
and limited real-world application.
Consequently, there is growing interest in exploring more
engaging training approaches. Both industry and academia
increasingly adopt Gamification, Games for Learning, and
Game-Based Learning to improve trainee engagement and
retention. Arachchilage and Hameed proposed a serious game
framework to improve secure coding behavior, integrating
motivational elements, Bloom’s Taxonomy, and a data
minimization model. This framework was later extended to cover
all GDPR principles and implemented as a browser-based
gamified platform to train developers on GDPR compliance.
While these approaches enhance awareness and motivation, they
lack concrete mechanisms to sustain engagement. Features such
as dynamic feedback, adaptability to individual learners, and
alignment with intended learning outcomes are missing.
Adaptive difficulty helps maintain engagement, as games that
are too easy can be boring and overly difficult ones can be
frustrating. Reinforcement Learning, specifically Q-learning,
has proven effective in adjusting game difficulty based on
user interactions. Feedback mechanisms further sustain
interest by providing real-time responses, improving
motivation, knowledge retention, and skill acquisition. Large
Language Models offer opportunities for personalized, adaptive
feedback in programming education.
To ensure serious games are both pedagogically sound and
engaging, integrating adaptive difficulty and interactive
feedback strengthens the framework, keeping learners motivated
while achieving the intended educational outcomes.
Methodology
The project followed a structured methodology designed to evaluate the impact of adaptive learning in a serious game environment:
- Development: Two game versions were developed using the MERN stack (MongoDB, Express.js, React, Node.js) and deployed on AWS EC2:
  - Non-adaptive game – Baseline version without adaptive features.
  - Adaptive game – Integrated Q-learning for dynamic difficulty and ChatGPT for personalized feedback.
- Pilot Study: 20 undergraduate students with programming knowledge but no prior GDPR training were split into two groups:
  - Group A – Played the non-adaptive version.
  - Group B – Played the adaptive version.
- Assessment: Pre- and post-tests measured knowledge gain. A 5-point Likert scale was used to evaluate engagement, usability, and realism.
- Analysis: Paired and independent t-tests were conducted to compare learning outcomes and effectiveness between the two groups.
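The Q-learning difficulty adjustment named for the adaptive game, shown as an added example that is not the project's own code. The state (current difficulty), the actions (lower, keep, raise), the reward values and the simulated learner are all assumptions, since the page does not specify them.

```javascript
// Added example: tabular Q-learning for adaptive question difficulty.
// States, actions, reward values and the simulated learner are assumptions.
const LEVELS = ["easy", "medium", "hard"];   // state = current difficulty index
const ACTIONS = [-1, 0, +1];                 // lower, keep, raise difficulty
const ALPHA = 0.02, GAMMA = 0.5, EPSILON = 0.3;

// Small seeded PRNG (mulberry32) so runs are reproducible.
function rng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const clamp = (lvl) => Math.min(LEVELS.length - 1, Math.max(0, lvl));
const greedy = (q, s) => q[s].indexOf(Math.max(...q[s]));

// Reward (assumed): a correct answer earns more on harder questions,
// a wrong answer costs 2 so the agent backs off when the player struggles.
const reward = (level, correct) => (correct ? level + 1 : -2);

// Constructed learner: answers correctly 90% of the time up to `skill`,
// 20% of the time above it. In the game this is the real player's answer.
const answers = (skill, level, rand) => rand() < (level <= skill ? 0.9 : 0.2);

function train(skill, steps = 40000, seed = 1) {
  const rand = rng(seed);
  const q = LEVELS.map(() => ACTIONS.map(() => 0));
  let s = 0;                                  // every player starts on "easy"
  for (let i = 0; i < steps; i++) {
    const a = rand() < EPSILON ? Math.floor(rand() * ACTIONS.length) : greedy(q, s);
    const next = clamp(s + ACTIONS[a]);       // difficulty of the next question
    const r = reward(next, answers(skill, next, rand));
    // Q-learning update: move Q(s,a) toward r + gamma * max_a' Q(next, a')
    q[s][a] += ALPHA * (r + GAMMA * Math.max(...q[next]) - q[s][a]);
    s = next;
  }
  return q;
}

// Follow the learned greedy policy from `start` and report where it settles.
function settledLevel(q, start = 0, hops = 5) {
  let s = start;
  for (let i = 0; i < hops; i++) s = clamp(s + ACTIONS[greedy(q, s)]);
  return LEVELS[s];
}
```

In a deployed game the `answers` call would be replaced by the player's actual response, with one Q-table update per answered question.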
Results
- Knowledge Gain: Both adaptive and non-adaptive versions significantly improved GDPR knowledge (p < 0.05), confirming the educational effectiveness of serious games.
- Effectiveness of Adaptability: The adaptive game showed a higher mean improvement in knowledge gain than the non-adaptive one (p < 0.05), validating the impact of personalized difficulty.
- Subjective Satisfaction (Likert Scale Averages): Participants rated their experiences across multiple dimensions using a 5-point Likert scale. The adaptive version consistently outperformed the non-adaptive version across all categories.
Dimension | Non-Adaptive | Adaptive |
---|---|---|
Gaming Experience & Engagement | 3.80 | 4.33 |
Learning Experience | 3.92 | 4.60 |
Adaptive Difficulty Mechanism | 2.90 | 4.75 |
Feedback Mechanism | 3.47 | 4.67 |
Usability and Interface | 4.10 | 4.37 |
Scenario Realism | 4.60 | 4.65 |
Impact and Takeaway | 4.65 | 4.90 |
Conclusion
Our AI-powered serious game effectively improves GDPR knowledge, user engagement, and developer motivation. Adaptive difficulty and personalized feedback mechanisms were especially impactful in enhancing learning outcomes and retention.
Publication
Publications will be added here once the research has been published.
Team Members

Fahman M.H.M.
E/19/105
Faheeh M.F.M
E/19/106
Musthaq S.M.
E/19/247
Prof. Roshan G. Ragel
Supervisor