If you REALLY need this explaining…

We are in the midst of the “savvy consumer”. This has been proven with the photos of Xbox and PS4 shelves, bereft of all games after Black Friday.

Except for one.

EA Games has really messed up with the “Star Wars: Battlefront II” game.

By all accounts (I haven’t bought it), the game is riddled with micro-transactions, pay-to-play and enforced periods of waiting to move forward in the game (unless you unlock the stopwatch by purchasing additional ‘stuff’).

Apparently, the game will take either $2100 to complete via micro-transactions, or over 4,000 hours of waiting for (seemingly) arbitrary periods of time as a ransom to unlock playing.

People – lots of people – have protested long and loud about this. Paying $60 for a game should provide you with the game, not provide the game manufacturer with the opportunity to entice younger players to innocently abuse their parents’ credit cards.

Possibly worse still, the child may be humiliated in the schoolyard because they are waiting to move onto the next phase of the game, whilst their wealthier friends are moving on because parents have paid the additional fees (anything for a quiet life). Or the child has found how to use their parents’ credit cards and haven’t yet come to the end of the credit card transaction period. The bill will come home and show that EA Games has been using the child as a siphon for their parents’ money, surreptitiously.

Disney, which owns the Star Wars brand, is apparently a little ‘miffed’ that their brand is being sullied, especially in the run-up to the new movie in December.

Various state regulators are looking to strengthen rules around gambling, as “Star Wars: Battlefront II” features random, paid-for, “loot boxes” which give the player tools and collectibles for the game, for a fee. This, to many minds, is gambling.

Let’s remember – “Child + Gambling = No-no!” in most nations. It hasn’t stopped EA from trying…

Perhaps, most heinously, the purchaser of “Star Wars: Battlefront II” unwraps the game, inserts the DVD and finds that the game comes without someone quite significant to the storyline.

That’s right… Darth Vader isn’t in the game as it ships..!

What does this have to do with GDPR, I hear you yawn?

It’s to do with reputation.

Very few people reading this will work for games manufacturers. That’s not the point of this article.

Most people work for an organisation which relies on a good reputation – how else do we retain good business?

EA’s reputation, at the moment, is in the gutter. Share price has fallen, games aren’t selling and those in the know metaphorically spit on the ground whenever the brand is mentioned. The Belgium government is looking into accusations of operating a gambling franchise, rather than a gaming franchise. Whether EA have broken the law or whether the “loot boxes” aren’t illegal is beside the point. It’s bad publicity for EA games.

Imagine, if you will, a data breach. Something like TalkTalk. Now, the TalkTalk breach didn’t massively effect company profits, but this is in a regulatory environment which isn’t as powerful as GDPR and isn’t overseen by other vested interests. The current Data Protection Act (1998) came as the result of an EU directive. In layman’s terms, it means that the EU pretty much said,

“We really need every state to have laws. Here’s some guidelines – sort the rest out yerself…”

The GDPR comes as a regulation which – with very few exceptions, “derogations” – is standard across the EU.

If TalkTalk happened after May 2018 then the ICO would get involved, but Chapter 7 of the regulation talks about ‘consistency’ of application across the EU, so if a German telephony provider had the same breach and was fined €8m there would be a precedent for the ICO to consider in their fining regime. It’s not a rubber-stamp along the lines of “Germany fined €8m, so here’s an €8m fine for you, TalkTalk”, but it is a compelling guide for future fines.

This is wandering into “Negatives”, mister…


Yes it is, however, it’s an ill wind that blows somebody some good.

Imagine you have gone through all of the data mapping, the Data Protection Impact Assessments and written appropriate policies and procedures. Your IT team have put in place state-of-the-art protection for everything from a mobile phone to a server farm. To anyone looking in (if security allows them to!), your business is an exemplar of data privacy and digital protection.

In the past, this has all been “Well, it’s what is expected” and no one mentioned it outside of the IT team and the CIO.

Boasting about IT was almost like saying, “Look! Look here! Our office has walls!”

Will Marks and Spencer put out a Christmas advert about their multi-factor authentication?

Will John Lewis have a snowy, Winter scene of Father Christmas having to run a retina scan to get down a chimney?

Of course not.


If a company has a major data breach, their competitors can use this as justification that they ‘care’ about their customers. Frame any positive you can think of within the parameters of the GDPR and it can and – I’m betting – will be used as evidence that Brand A is more concerned with your well-being than the recently-breached Brand B.

We care for you and your data. That’s why we take it seriously, unlike ‘others’ we could mention…

It won’t be as crass as that. It will be subtle, but it will creep up the advertising. Being a respectable custodian of customer’s data will help retain customers but also attain customers, too.

You might say, “Well, it hasn’t worked so far!” and you would, of course, be right.

The eyes of the Media glaze over when it comes to IT security and data privacy unless there is some salacious element to it, or an embarrassing fine. This sort of breach will come more into focus after May 2018 and I can foresee Jane Hill on the BBC intoning, “Under the new data privacy regulation from Europe, the General Date Protection Regulation…” and then explaining in detail the hows, whys and ‘how muches’ of the data breach.

A tough fine will catch attention.

People will slowly, almost by osmosis, start to appreciate their rights and the responsibilities of the organisations into whose care they entrust their data (and that’s before the ambulance chasing lawyers get involved in suing for data breaches in class actions).

At that point, GDPR will be a positive marketing tool.

A company which appreciates that long-term investment in data privacy will give them the seal of approval of a growing, more educated market will set themselves apart.

Even if that company is breached and the ICO finds that the breach was so specific, so unforeseen and that the organisation had done everything humanly/technically possible to prevent it, the exposure to the public of this “Black Swan” event will only build further trust.

If someone trusts you, they are usually happy to be in your company. They feel safe. The future is predictable around you. You have shown that you have their best interests at heart.

It may be a considerable investment in the near/mid term, but investment in data privacy will pay off in spades under a new regulation and with a new, slowly-becoming-more informed market.

Don’t forget – in four or five years’ time we will be seeing first-time home buyers who will have known no other environment under which their data resides. To be reckless with their data will be to kill off the market of the next, and succeeding, generation.

Investing in the processes, policies and technical elements of data privacy is future-proofing.

It will keep customers happy.

It will drive sales.

As time passes, it will be a considerable determinant of whether a company succeeds.

Do it now. Start beating your organisation’s chest with the news that you are trustworthy, have the customers’ best interests at heart and want to maintain their happiness.

Because? All together now

Happy Customers = Sales

Leave a Reply

Your e-mail address will not be published. Required fields are marked *