EXCERPT of ISSUE #13 | APRIL 5TH, 2017
TECH RADAR
by David Bowden
Tech Radar is an ongoing column about all things technology, both at Riot and within the tech
industry. In this issue, David Bowden talks about GDPR, including what it is, why it’s relevant,
and how Compliance is working with teams to meet regulations. Below is an excerpt.
GDPR: What the heck is it and why do we care…?
It’s rare that Riot Compliance is in the critical path of many teams’ ongoing development
initiatives. Usually new champions, art, functionality, or other things rank far higher in the
prioritization bucket than compliance. Let’s face it, compliance isn’t “sexy” by any means, but
it is a very necessary function in providing value to players and Rioters. Often times,
compliance functions or initiatives are bound by laws, regulations, and some serious fines if
not adhered to by Riot. So while not sexy, these initiatives or requirements are important for
all of us to be aware of and to help resolve.
The General Data Protection Regulation (GDPR) is one of these pieces of legislation that
has serious teeth, and is proving to be a very large project across teams at Riot. Because this
new law will impact Riot in a big way, the Riot Compliance Team was asked to share with
Rioters the lowdown on this new law. We also want to let you know what is being done and
what to expect.
The GDPR is all about personal data in Europe: how to use it, how to protect it, and how to
let people control the use of their personal information (consent). Basically, the European
Union wants to give people more control over how their personal data is used. By
strengthening data protection legislation and introducing tougher penalties, the EU hopes to
provide better protections for its citizens and foster greater trust in companies and countries
that have access to this data. The GDPR requirements apply to each member state of the EU
(plus the UK after Brexit), and since we have Rioters and players in Europe, this new law
applies 100% to us too.
SOME OF THE KEY PRIVACY AND DATA PROTECTION REQUIREMENTS OF THE GDPR INCLUDE:
1. The right to be informed of a data breach
2. The right of access to their personal information (Data Access Requests)
3. Consent to how their data is being used, or the ability to restrict certain types of processing by consent
4. The right to be forgotten, or to have their personal information removed from our systems
5. Data is processed for only legitimate purposes
Without getting into all 262 pages of the legislation’s requirements (you’re welcome), it’s
simpler to say that the GDPR sets a baseline of standards for companies to handle EU
citizens’ information. These standards better safeguard the processing and movement of
citizens’ personal data.
One of the questions Compliance and Legal get all the time when discussing the GDPR is,
“What is Personal Information?” The GDPR defines “Personal Information” as:
“any information relating to an identified or identifiable natural person ‘data subject’; an
identifiable person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, online
identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that person.”
To better define what this means to Riot, Compliance conducted a Privacy Impact Assessment
where teams across the organization identified their systems and the
Personal Information they currently collect. We then took this information and created a data
matrix that shows what we are collecting from players and Rioters, and what that data’s
associated risk and sensitivity level are. We then provided guidance on how to handle these
data types based on the GDPR controls. This guidance gives Riot teams specific
suggestions for what kinds of security actions might be considered “appropriate to the risk,”
including:
The pseudonymization and/or encryption of personal data.
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing personal data.
The ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
SO, WHAT’S NEXT?
Compliance has surveyed and identified the teams and systems across Riot that fall under
the GDPR regulation. We have prioritized these systems and are partnering with all
the teams, either directly or via self-assessment, to create guidance on how to make the
systems compliant. Don’t worry, we will come to you and let ya know what we need and by
when.
After the guidance is created, Compliance will work with those groups as they plan
their sprints for becoming compliant. The goal isn’t to derail teams or inject
new requirements that screw up other initiatives, but to work with teams so they can plan
and execute over time (by December of this year) to resolve compliance issues.
If you haven’t heard from us yet and you suspect your team may be impacted, shoot me a
note and I’m happy to give you the TL;DR or answer any additional questions.