One of the wealthiest global entertainment industries, gaming is projected to generate revenues of $159.3 billion in 2020, and to count more than 3 billion gamers in 2023. (Source: Newzoo)
Gamers are a sophisticated audience and quality content localisation, such as dubbing, visuals, and cultural referencing, is critical to keep gamers loyal and hit sales objectives.
Processing the personal data of so many gamers means publishers, editors and studios must navigate and master ever-evolving and increasingly strict international data security, protection and privacy legislation. The General Data Protection Regulation (GDPR), in effect since May 2018, sets the global standard, and the majority of data privacy laws, active in 66% of countries, are modelled after GDPR.
A dangerous and common oversight in the GDPR compliance strategies of gaming companies is voice data (actor voice samples). Although it is the primary tool for dubbing localisation projects, it is often ignored.
Voice data is protected not only by GDPR but by almost all data protection legislation worldwide. Whether an organisation is creating, receiving or sharing voice content, solid and organisation-wide compliance policies are critical when handling this sensitive data.

IDENTIFY SERVICES PROCESSING VOICE DATA AND WHERE IT IS STORED
DPOs are often surprised by the number of employees, different departments, and external suppliers involved in the voice casting process and who handle project voice data. Depending on the size of an organisation or project, there may be more than 10 people involved in the production chain, from the start of a project until final client delivery.
For example, in big companies, in-house projects often include an Account Manager who oversees the project and assigns the voice production to a Project Manager, who may then assign the project to an Audio Localisation Manager, who may then subcontract the project to a Voice Director (usually external). Project stakeholders are dispersed across various departments, and all of them process the voice data at one point.
Audio content is shared with all production stakeholders, each of whom is subject to compliance obligations.
In many cases, because of this transversality, DPOs are not even aware that this data exists or that it is being stored, received, shared and processed internally by different departments.
This personal data is rarely entered into structured compliance workflows and is a compliance time bomb as every project stakeholder is subject to compliance obligations.
Localisation and dubbing teams
Establishing a strong compliance framework within your localisation and dubbing departments is key for a successful strategy. These teams work with high volumes of voice samples, centralised and stored in independent databases, maintained specifically for casting projects.
Audio teams, responsible for finding the right voice talents for projects, pull samples from these private casting databases, and/or download samples from voice actor platforms, and/or request samples from colleagues and send these to Project Managers by email, who send the samples to Account Managers, who send the samples to one or several intermediaries, who send them to final clients in voice casting propositions.
Risks:
- Circulating samples are often saved by handlers, either inadvertently, or added to their private casting database for future castings
- Databases are not synchronised
- Actors are often unaware their samples are referenced in private casting databases, and while they would most likely be glad to learn this, GDPR obligations require their authorisation for processing

NAME AN “HONORARY VOICE DATA DPO”
Managing voice data in compliance with GDPR and data protection legislation worldwide is complex and requires pragmatic and structured policies. As multiple departments receive and process this data on a regular basis, an optimal compliance strategy is to designate an “Honorary Voice-Data DPO”, to whom all in-bound voice assets are forwarded, for compliance verification and processing.
As with all personal data, the “Honorary Voice-Data DPO” should structure and implement voice-data compliance workflows, including, but not limited to:
- Request and record actor authorisation
- Process modification / rectification / deletion requests
- Request actor consent once requested changes are made
- Delete refused samples within a determined time limit
- Renew actor authorisation following a strict calendar (usually every 2 years)
- Provide actor access to personal data within 30 days of request
- Add newly acquired samples to compliance workflows
- Track and record all tasks

DEFINE ORGANISATION-WIDE & SERVICE-SPECIFIC VOICE DATA POLICIES
Internal Teams:
Defining strict policies for different departments and potential scenarios is important. Training and educating your teams on the potential legal, financial and brand risks of non-compliance is essential.
Implementing a global policy of direct routing of voice samples to your Voice Data DPO for compliance management is a great safeguard and a good practice. A few examples of departments and their interactions with voice data:
Account Managers work directly with final clients. They receive and share voice assets with internal departments, subcontracted partners, subsidiaries and final clients.
Project Managers often receive and share voice assets with internal departments, subsidiaries and subcontractors. They sometimes deliver final client castings.
Audio teams often do live casting recordings for alpha game roles. These samples are added to casting databases for future projects.
*Important: Live recordings are contracted for specific projects. Once added to “live” casting databases, they immediately become subject to GDPR obligations as consent for processing must be 100% independent of work contracts and NDAs.
Human Resources, and many other departments, often receive unsolicited voice samples from hopeful actors. They also receive samples related to specific projects that must be added to processing workflows if kept after project completion.
Client Delivery:
Casting delivery to final clients has been done via email for many years, and this practice puts all project stakeholders at risk. If your audio production teams are still delivering castings by email, you should consider developing internal software for project delivery via streaming or purchasing compliant casting delivery software licenses from a third party.

CENTRALISE VOICE DATA. RESTRICT ACCESS.
Centralising voice assets facilitates compliance monitoring, verification and workflow management. If data is not centralised and teams are allowed to self-manage multiple casting databases, several risk factors come into play:
- Ensuring synchronisation of actor consent and refusal in all databases
- Guaranteeing modifications and/or deletions in all databases
- Ensuring all voice data used in castings is compliant
Restricting casting database access and action authorisations to ensure the ongoing GDPR compliance integrity of your assets is strongly recommended. For example, depending on your team workflow, you might consider:
- Authorising account managers, project managers and in-house voice directors to access authorised and compliant voice samples and actor lists, but insisting on new data being given directly to your Voice-Data DPO for compliance processing
- Offering limited access and action authorisations to external voice directors, and only to specific projects if possible
- Limiting access to casting database samples awaiting consent to your “Honorary Voice Data DPO”

VERIFY SUPPLIER & PARTNER VOICE DATA COMPLIANCE.
Non-compliant partners, suppliers, and even clients, put the entire production chain at risk of fines up to €20 million or 4% of global turnover, not to mention the potential damage to your brand.
Game companies continue to intensify their compliance efforts in terms of data security, data transfers, and processing traditional personal data, often used by marketing and sales teams. However, while mandatory proof of voice data compliance is becoming a standard request of key players in the gaming industry, many businesses have not yet implemented a voice data compliance framework and continue putting their partners and clients at risk.
Do you ask every partner and supplier how they handle their voice data GDPR compliance? Do they have firm policies and automated processes in place? If not, how are they organised? Are they managing voice data compliance across all departments? Can they provide proof of compliance? How would they hold up in a compliance authority audit?
A good practice is to implement an organisation-wide policy of only working with suppliers able to provide proof of their voice data GDPR compliance.

DELIVER GDPR-SAFE PROJECTS. PROTECT CLIENTS & YOUR ORGANISATION.
The ideal solution for protecting your organisation and clients from non-compliance risks is to deliver casting projects via streaming. This way, samples are never downloaded or transferred, as projects are accessed via a cloud.
Traditional casting delivery entails sending voice samples to final clients via email. After project completion, GDPR requires all samples and actor data either be securely deleted or entered into compliance processing. Unfortunately, these samples are often forgotten, stored on clouds, servers, etc., and never enter compliance workflows. This practice not only puts your clients at risk, but also your organisation.
Project delivery via streaming mitigates one of the riskiest compliance factors in voice casting: the sharing of voice samples. Even if partner compliance responsibility is stipulated in a contract, GDPR requires your organisation be capable of ensuring your business partners are compliant.
