Privacy leaders from 60 companies gathered at Cisco headquarters in San Jose, CA on November 12th for the inaugural Privacy War Games, a new training and preparedness program launched by FPF and The Providence Group. The war games split participants into five teams to practice strategic decision-making in a fast-paced environment that presented the challenges many companies can encounter in their every-day practice. This will help participants better manage future privacy risk – an increasingly complex task that is made more difficult by: the increasing number of state and sectoral privacy laws; evolving regulatory and compliance requirements; and the regulatory and legal ambiguity of the European General Data Protection Regulation (GDPR).
In light of a rapidly changing legal and regulatory environment, privacy risk management has grown increasingly complex for even the most advanced companies. The war games exercise forced our participants to explore privacy scenarios from different perspectives by adopting roles on the game teams that did not necessarily comport with their current jobs. By role-playing as the Federal Trade Commission, European Union regulators, state legislators, and two fictional companies, participants gained a deeper (and sometimes counter-intuitive) understanding of privacy challenges and anticipated how each team’s moves would affect the scenario as a whole.
The Privacy War Games team encouraged a commitment to authenticity throughout the exercise. Players withheld information, made decisions with limited information, dealt with unreasonable partners and managed stressful interactions with media and regulators.. Referees were assigned to each team in order to answer questions about rules and options available to the teams at various points in the game.
The exercise unfolded in two rounds. During the lunch break referees and a facilitator processed each team’s round one decisions. After lunch, the teams learned the consequences of their decisions and proceeded to make their round two decisions based on additional facts.
In a final debriefing, the control group facilitated a discussion, asking participants what they found surprising and what they learned. Answers ranged from insights gained about the scope of regulators’ authority to lessons learned about controlling the amount of information individuals in their own company should receive when there is a privacy incident. Several participants commented on how important it is to consider who needs to be at the table when a decision gets made. Companies need to have constructive conversations with a diverse team – even when departments have competing priorities.
Participants completed a postgame survey before leaving. Their feedback indicated that the event was well-received and provided suggestions for making the next war games event even better. Participants especially appreciated adopting the perspective of unfamiliar actors. In the few days after the event, FPF has already received inquiries on when the next PWG will take place.
According to a recent survey by PriceWaterHouseCoopers, only one-third of business leaders worldwide feel confident that their organization is prepared to meet recent and emerging requirements for cybersecurity, data privacy, and data-use governance. The 60 companies who participated in our war games are now ahead of the competition thanks to the valuable experiences and best practices that they acquired from this exercise.
We look forward to conducting more war games in the future. To learn about bringing the Privacy War Games to your company, contact firstname.lastname@example.org.