An AI-driven serious game for GDPR compliance

---

Table of content

1. Introduction
2. Related works
3. Methodology
4. Team Members
5. Supervisors
6. Links

Introduction

In today’s digital world, data breaches are more common than ever, putting users’ privacy at risk and causing major financial losses for organizations. In 2023 alone, over 353 million individuals were affected by data compromises in the U.S., with the global cost of data breaches reaching $4.88 million on average. These incidents highlight the urgent need for strong privacy-preserving practices in software development.

To address this, various privacy principles and regulations—such as Privacy by Design (PbD) and the General Data Protection Regulation (GDPR)—have been introduced. However, many software developers still lack the training and awareness needed to apply these privacy techniques effectively. Traditional training methods often fail to engage learners, leading to poor knowledge retention.

Our research project focuses on creating a more effective and engaging way to teach privacy concepts to developers. Inspired by the success of game-based learning, we build upon an existing serious game framework that teaches GDPR principles through interactive gameplay. While the original game helped developers understand privacy better, it lacked features to keep players continuously motivated and engaged.

To improve this, our enhanced game framework introduces two key elements:

• Adaptive Difficulty: Powered by Reinforcement Learning (Q-learning), the game adjusts its challenges based on the player’s skill level, making it neither too easy nor too hard.

• Interactive Feedback: Using Large Language Models (LLMs), the game provides personalized feedback to guide and motivate players as they learn.

By integrating these features, our project aims to boost player engagement, enhance learning outcomes, and help developers confidently build privacy-aware software systems.

Related works

As privacy concerns grow in the digital age, regulatory frameworks like the General Data Protection Regulation (GDPR) have been introduced to protect user data. However, implementing these principles effectively depends largely on software developers, who often face challenges in translating abstract regulations into concrete coding practices.

Several studies have highlighted that developers struggle with:

• Interpreting vague privacy guidelines

• Assessing privacy risks from a user perspective

• Lacking structured frameworks to guide privacy-aware development

Despite these challenges, there is a notable lack of educational interventions focused on equipping developers with the necessary skills and motivation to embed privacy from the ground up.

Game-Based Learning in Privacy Education

To address this gap, researchers such as Arachchilage et al. have proposed serious game frameworks that teach data minimization and GDPR principles using game-based learning approaches. These games integrate learning models like Bloom’s Taxonomy to promote better understanding. While promising, these early frameworks lacked adaptive feedback and personalization mechanisms, which are crucial for maintaining learner engagement.

Adaptive and Intelligent Learning Enhancements

Recent studies in related domains like cybersecurity training and secure coding have shown the effectiveness of:

• Reinforcement Learning (RL) techniques (e.g., Q-learning) to dynamically adjust game difficulty

• Large Language Models (LLMs) to provide personalized, context-aware feedback in real-time

These advancements open new possibilities for intelligent, personalized learning systems that respond to user skill level and performance—ensuring a more effective and engaging learning experience.

Methodology

This study adopts a mixed-methods approach, combining both quantitative and qualitative research methodologies to evaluate the effectiveness of the proposed AI-powered serious game framework for GDPR education.

Design and Development

• The core of the research is the development of an AI-driven serious game framework that integrates:

  • Reinforcement Learning (Q-Learning) to dynamically personalize privacy training content based on player interactions.

  • Large Language Models (LLMs), specifically GPT-4, to provide real-time, interactive feedback when players answer questions incorrectly.

• The framework is built upon established game-based learning models that incorporate GDPR principles, particularly the Data Minimization Model.

• The game structure alternates between instructional content and assessment questions to reinforce learning.

• The RL agent continuously monitors user performance to adjust difficulty levels and content complexity, ensuring a personalized learning experience.

• The LLM (GPT-4) acts as an intelligent tutor, offering contextual explanations and guiding learners toward a better understanding of GDPR concepts.

Sample and Participants

• The study will involve 20 participants, selected from:

  • Undergraduate students in software engineering and computer science programs.

  • Early-career software developers with varying levels of experience in privacy-aware development and GDPR knowledge.

• Participants will be recruited through university networks and professional forums related to software development.

• A think-aloud protocol will be used during gameplay to capture real-time cognitive processes and behavioral responses.

• Each participant will complete a pre-assessment and post-assessment to measure knowledge improvement and behavioral change.

Data Collection Procedure

• All participants will receive a Participant Information Sheet explaining the study’s purpose, procedures, benefits, and their rights (including the voluntary nature of participation).

• Informed consent will be obtained through a signed consent form before participation begins.

• The data collection process will follow these steps:

  1. Pre-assessment questionnaire to evaluate baseline understanding of GDPR and secure coding practices.

  2. Gameplay session with the serious game framework.

  3. System Usability Scale (SUS) survey to assess user satisfaction and the usability of the system.

  4. Post-assessment questionnaire to measure learning gains, awareness of GDPR principles, and changes in coding behavior.

  5. Optional open-ended feedback at the end of the session for collecting qualitative insights and user suggestions.

Team Members

• E/19/105 – M.H.M. Fahman – e19105@eng.pdn.ac.lk
• E/19/106 – M.F.M. Faseeh – e19106@eng.pdn.ac.lk
• E/19/247 – S.M. Musthak – e19247@eng.pdn.ac.lk

Supervisors

• Dr. Nalin Arachchilage – nalin.arachchilage@rmit.edu.au
• Prof. Roshan G. Ragel – roshanr@eng.pdn.ac.lk

Links

🔗 Project Repository 🔗 Project Page 🏛️ Department of Computer Engineering 🎓 University of Peradeniya