We build a lot of games for various large brands every month. We notice that there is a significant difference in how each brand's legal department handles the processing of personal data.
For one brand, we only need to sign a standard data processing agreement (DPA), while for another brand, it is essential to scrutinize our entire company with a DPA, a 20-page 'General Information Security Requirements' checklist, a penetration test (pen test), and a face-to-face meeting at the office.
No problem for us, but it sometimes feels like overkill. So what is actually the standard procedure for legal in data security and data processing?
We stand for transparency and safety in all our games, but some brands go a bit overboard with their data security documentation. Especially when it comes to a one-time 'play and win' promotion of 2,500 euros, it isn't cost-effective to carry out all the actions imposed by legal. As a result, we regularly see fun and valuable games being canceled due to the interference of the legal department.
The marketer doesn't want to deal with all that hassle, and legal sticks to their guns (rules are rules). The result is 'then just don't collect data' or 'then just run the promotion via socials and ads.' As if Meta and Google would meet the same legal requirements.
We see this 'one size must fit all' attitude of legal as a missed opportunity to properly capture data collection through preferred digital suppliers, such as Ratsibambam. Not every IT project involving the processing of personal data is the same.
You have large IT projects worth millions of euros where all customer data, including bank account numbers, of a brand are managed, and you have a simple 'wheel of fortune' game worth a few thousand euros with 10,000 participants. Both projects now face practically the same security requirements. Yet, a leak in your customer database has much larger consequences (and damage) than a leak in a marketing game.
My advice is to adapt the legal documentation to the complexity and level of personal data collected through the project. This lowers the threshold for the marketer to use games for data collection (or just awarding prizes).
Currently, 'any agency around the corner' can collect personal data for you as a processor or sub-processor. However, not every agency has the right experience, knowledge, and expertise in data security. I fully understand that the legal and security teams want to control the number of processors by having them meet a fixed set of requirements. Therefore, it is important to invest not only broadly (digital partners who build everything, from WordPress and webshops to mobile apps and social videos), but also deeply, in agencies like Ratsibambam that have specific knowledge and experience in gamification and the processing of personal data.
If you want to continue with your brand in collecting personal data and delivering game experiences, an investment in agreements with solid marketing partners in the field of gamification and data collection is a must. For example, we have such an agreement with Vattenfall. We invest annually in pen tests and reporting. They pay for our security experts who complete their security checklists.
With this assurance, a marketer at Vattenfall can engage us for games at any time of the year without the legal department having to restart the process. This saves a lot of time and frustration in the startup phase of a project. And as a bonus, great results are achieved that would certainly not be possible without games.
If you are looking for a marketing gamification partner as a brand, we would love to hear from you. We are looking for brand partners for the long term, with whom we can strategically and legally work out data collection through gamification so that you are assured of a solid solution for your data processing via marketing for the coming years.