GDPR, I choose you! How the Pokémon Company embraces security and privacy by design

Pokémon is one of the biggest brands in the world. The colorful pocket monsters span dozens of computer games, cartoons, films, trading cards, books, toys and anything else you care to imagine.

2016 saw the release of Pokémon Go, a mobile app that combined geo-caching with basic augmented reality capabilities that brought collecting monsters into the almost-real world. The game exploded – even by Pokémon standards – racking up nearly 800 million downloads and has generated close to $2 billion in revenue.

However, this posed a problem for the Pokémon Company International. The company suddenly went from worrying about which companies should be printing the trading cards or sending out cute plush toys to the liability of holding the personal data of a huge number of children and European Union (EU) residents. That personally identifiable information (PII) presented significant regulatory risk from the EU’s General Data Protection Regulation (GDPR).

The twist here is that the company saw GDPR compliance as a business opportunity—a way to build trust with customers (and their parents). If they could meet the high privacy and security standards set by the GDPR and other global regulations, then the Pokémon Company International could differentiate itself as the safer brand when it comes to protecting PII.

Protecting PII during rapid growth

“Pokémon Go was a bit of a surprise for everyone involved,” says John Visneski, director of information security and data protection officer (DPO) at the Pokémon Company International. “You don’t plan for 800 million downloads. I think the most optimistic estimates when the application was released was somewhere in the neighborhood of 50 to 100 million.”

After spending just under 10 years in the United States Airforce working in various information security roles, Visneski joined the Pokémon Company International in early 2017 and was tasked with not only ensuring the company was secure and handling the data of hundreds of millions of children and GDPR subjects in a safe and compliant way, but also creating a security culture within the whole organization.

“My job used to be helping the Air Force fly, fight, and win. Now it’s to protect Pikachu,” he quips. “But at the end of the day it’s all the same; your security program should be aligned in lockstep with what the business objectives are.”

Pokémon: Gotta secure ‘em all!

After Pokémon was created in the early 1990s by a combination of Game Freak, Creatures, Inc., and Nintendo, a new company was formed to manage the new super-brand’s marketing and licensing. The Pokémon Company manages such operations within Japan, while Pokémon Company International – based in the US with an office in the UK – handles things for the rest of the world.

This can be everything from the physical trading card game, cuddly toys, to the phenomenon of Pokemon Go. Before Go was released and Visneski joined, the company had fewer than a dozen technology people, most of them working in the web development space.

“Pokémon Go explodes and the company made a very wise decision, in my opinion, to start their own technology arm almost overnight,” says Visneski. “When you start talking about having hundreds of millions of customers accessing your systems almost overnight, bringing someone into to start a security program is probably the prudent approach.”

Upon joining the company, Visneski was tasked with building the cybersecurity program from the ground up, creating the security architecture, hiring the security team, choosing vendors and assessing third-party partners, and dealing with GDPR. “The company pivots to become a technology company overnight and brings in application development, for the most part, in order to continue to grow the brand and have more control over our systems,” he says.

Today the company has over 100 people working within the technology organization. The security team consists of two security engineers, two operations analysts, and another person dedicated to audit and compliance. As Visneski is the company’s DPO, he also has two lawyers support his efforts around GDPR compliance. “I haven’t slept a lot this last year and a half,” he jokes.

Authenticating the identity of hundreds of millions of children

Pokémon Go was developed by Google spin-off Niantic. The two companies share responsibility when it comes to how the game operates. “They control what runs on the application, and then they control a certain percentage of the backend, and we control a bit of the backend for Child Online Privacy Protection Act (COPPA) compliance,” says Visneski.

However, that’s is just one part of the data puzzle. As well as Pokémon Go, the company has user data from its other applications, its in-person tournaments for the physical trading card game, some of the video games, and more.

To simplify things, the company developed a new central authentication platform, called the Pokémon Trainers Club. It acts as the log-in system for Go, the Pokémon.com website, the online trading card game, the video games through the Pokémon Global Link, and the physical events and tournaments. “There are hundreds of millions of users within the Pokémon Trainer’s Club. A percentage of Pokémon Go users use our platform to authenticate [Facebook and Google are also options], but that is only a small percentage of the overall user base of what we have in our systems,” says Visneski.

To cope with scale, the Pokémon Company is largely cloud-based through Amazon Web Services (AWS), and so the company’s security stack includes many cloud-based players such as Sumo Logic for security analytics and security operations center (SOC) development, Crowdstrike for data visibility, and Vera for file security. The company even uses AWS Lambda serverless functions to automate blacklisting and whitelisting to help protect against bots and cheaters.

“As a security team we’ve been able to leverage these relationships and really think through strategically how we going to continue to grow along with our business, as opposed to waking up one morning and realizing our infrastructure is 50 percent larger than it was the night before and now we have to figure out how to build thicker walls,” says Visneski. “Those sort of partnerships – beyond the capabilities that the cloud gives you – those sorts of partnerships are a force multiplier.”

Using GDPR to build customer trust

Though many of its earliest fans are now well into adulthood, the large number of children engaging with the company’s products means regulatory compliance is a big part of remit. The company has long had to comply with COPPA in the US, which governs the online collection of personal information for those under 13 and includes requirements around verifiable consent from a parent or guardian.

Its experience with COPPA, however, put it in good stead for the arrival of GDPR. “As a company, one of our core values is child safety,” says Visneski, “and because the company has this really strong foundation in child online privacy protection that our legal team took very seriously, we already had a pretty good start from an advocacy standpoint of ‘GDPR is something that we need to  pay attention to, it’s something we need to take seriously’.”

As the company’s DPO, he was keen to use GDPR as the new high bar across the entire database, not just for customers in the EU. “I don’t want it to just be a child safety; I want it to be customer safety. All of our customers deserve the right to their data and a privacy program that makes them feel safe and valuable, because what we’re really selling is trust.”

“What we’re really doing is giving parents this reassurance that in comparison to our competitors we take security and privacy so seriously that they can they can feel safe that their children have a safe space to enjoy our brand. When you start talking in those terms, that’s business enablement. That’s turning privacy and security into something that we sell.”

Security as a business enabler

As well as using GDPR as a business booster externally, Visneski also takes a similar approach internally. “The goal isn’t for me to say yes we can collect something or no we can’t collect that. You have to raise the security culture of your entire organization. Eventually, people become privacy and security experts and they won’t even realize it.

“The goal should be that everyone becomes a well-educated privacy expert and business organization to make that decision on their own and make it accurately and make it with that privacy mindset at heart. I’m only going to have a small team. I can’t be everywhere at once. I need security and privacy champions across the entire company.”

Visneski feels this mantra of not simply being a naysayer means security is viewed in a higher regard by the rest of the business, and it is more involved as a result. “Our philosophy when it comes to security is that we’re business enablers first and security professionals second,” he says.

“What we try to do is make sure that the first question we ask ourselves isn’t about risk; it isn’t about threats or fancy tools. What we think about first is ‘what does the business need, what are the business objectives, and how is our technology arm going to make the business be more effective and efficient?’,” he says. 

Adopting this mindset, Visneski argues, prevents security being seen merely as the people telling the business what it can’t do. Security, then, becomes a team the business wants in meetings to help the business achieve its goals.

One example of being an enabler is the company’s use of Sumo Logic. The log management and analytics provider was brought in primarily for security analytics capabilities, but is now widely used across the business including DevOps, finance and business intelligence. “Our second biggest power user is someone that works in our games studio. That allowed us to sit at that nexus of how to integrate data securely across the company in order to do enable the business,” says Visneski. “It’s easy for me to go talk to our CFO; it’s easy for me to go talk to the president because I’m no longer just trying to prove my return on investment.”

Being proactive in securely sharing data with third parties

As the marketing and licensing wing of a multibillion-dollar brand, the Pokémon Company International is heavily involved in dealing with third parties touching sensitive data. For example, shipping companies need addresses or tournament organizers may need names or email addresses.

As well as your own company’s data processes, GDPR legislation covers sharing of data with third parties. Ensuring third-parties not only have an appropriate level of access but practice good cyber hygiene themselves is a core part of how the company operates. Rather than a burden, Visneski views these requirements as a way to make how the business shares data – and those it shares data with – better.

“You can really use GDPR and your privacy program as a lever by which to hold your partners accountable and ensure that you’re only getting into business with vendors and with third-party developers and what-have-you that are doing a good job of protecting what data you give them access to.”

All vendors the company works with must complete information security questionnaire, and anyone that touches data needs to go through closer assessment. Questions can include policies around security posture, data encryption and retention, or limiting or revoking access to data. Rather than a red light/green light system, it’s designed to allow for the Pokémon security team to pivot and put the controls in place to ensure each integration goes smoothly and safely.

While Visneski says his team rarely says no and are willing to work with third parties to help them, there have been cases where they have been rejected. “Word is starting to spread that we take these sorts of things seriously. When we’re onboarding vendors the thing they now lead with is, ‘How can we get to where you guys want us to be? How can we make sure that you guys feel like we take this seriously?’”

“We can’t be only people that are holding these folks accountable,” says Visneski. “I like to think it’s starting to help some of these companies justify to their boards and CFOs why they need to make investments in security and privacy. That’s going to be the rising tide that’s going to lift all these ships.”

Given that GDPR has been closely followed by California’s Consumer Privacy Act (CCPA) in the US, the General Data Protection Law in Brazil, and others, Visneski feels instilling a security and privacy by design ethos in the company simply makes good business sense. “Establishing those forms of high-water marks for your privacy program is going to be a good investment for the future. The businesses that are going to be successful are the ones that have been leaning forward when it comes to securing their customers’ personal data.”