How To Make Your Chatbot GDPR Compliant

There are two major requirements to stay on top of business: innovativeness and data. Today we are going to combine the two and discuss how to make your chatbot GDPR compliant step-by-step. Let's start with the basics of what GDPR is.


What Is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation on the protection of EU citizens' personal data. It also applies to the transfer of personal data outside the EU. GDPR gives users control over their personal information and over whether to share it or keep it private.

What Types Of Data Are Protected By GDPR?

– Basic identity information (name and surname, date of birth, phone number, home address, email address, ID card number, Social Security number, etc.)

– Web data (location, IP address, cookie data)

– Health and genetic data

– Biometric data (data that identifies a person)

– Racial and ethnic origin

– Religious beliefs

– Political opinions

Which Companies Are Affected By GDPR?

Any company that collects, processes, or stores the personal data of EU residents must comply with GDPR, regardless of whether the company has a presence in EU territory. This means that most businesses need to be GDPR compliant.

GDPR defines three parties in the processing of personal data.

Data subject: A person whose personal data is processed by a controller or processor

Data controller: Determines the purpose and conditions of collecting and processing personal data from users.

Data processor: Processes personal data on behalf of a Data Controller.

A Data Controller may be:

– You and your company

– Your company's CRM or database

You are a Data Controller if your company:

– Collects personal data;

– Decides which types of data to collect;

– Modifies collected data;

– Sets the purpose for which collected data is used;

– Decides whether to share the data, and with whom;

– Determines how long the data is stored.

A Data Processor can be:

– Analytics tools (Google Analytics, Mixpanel, etc.)

– Communication tools (Messenger, Slack, Telegram, Skype, WhatsApp, etc.)

– Natural Language Understanding (NLU) and Artificial Intelligence (AI) services (DialogFlow, IBM Watson, etc.)

– Cloud providers and third-party companies

You are a Data Processor if your company performs the following actions for a Data Controller:

– Implements systems, methods, or tools to collect personal information;

– Implements the security measures that protect personal data;

– Stores personal data;

– Passes personal data from one company to another.

Now that you're familiar with GDPR, let's move on to how to make your chatbot GDPR compliant. There are 6 steps to take to ensure your bot is compliant.

A GDPR Requirements Checklist For Chatbots

1. At the beginning of a conversation, the chatbot should provide users with a clear-cut, transparent, distinguishable, and easily accessible form to understand what data is collected, and how the bot and organization will use it.

2. Chatbot users should be provided with a clear and simple way to access, review, and download copies of the data collected about them (in electronic form), free of charge. A user should also be able to erase their data if they wish to do so. If the platform you are using supports persistent menus, these options should be offered there; otherwise a developer can add them manually to your custom chatbot.

3. Also, the user should be able to delete their information whenever they please. Adding this option to a chatbot’s persistent menu provides a great way to give your users the ability to erase their personal data.
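As an added illustration of steps 1 to 3 (this is example code, not code from the original article or from any chatbot platform), the following Python sketch models a chatbot's user-data store: consent is recorded at the start of the conversation, nothing is persisted without it, a user can obtain an electronic copy of everything held about them, and an erase operation is wired to persistent-menu commands. The class, method and command names and the sample data are assumptions made for the example.

```python
"""Added example: a minimal in-memory chatbot user-data store with the
GDPR data-subject operations from steps 1-3 (consent at the start of a
conversation, electronic export, erasure). All names and the sample data
are assumptions for this example, not any platform's API."""
import json
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat()


class ChatbotDataStore:
    def __init__(self):
        # user_id -> {"consent": {...}, "profile": {...}, "messages": [...]}
        self._records = {}

    def record_consent(self, user_id, purposes, policy_version):
        """Step 1: record which purposes the user agreed to, against which
        privacy-policy version and when, so the basis for later processing
        can be demonstrated."""
        rec = self._records.setdefault(user_id, {"profile": {}, "messages": []})
        rec["consent"] = {
            "purposes": sorted(purposes),
            "policy_version": policy_version,
            "given_at": _now(),
        }
        return rec["consent"]

    def has_consent(self, user_id, purpose):
        consent = self._records.get(user_id, {}).get("consent")
        return bool(consent) and purpose in consent["purposes"]

    def store_message(self, user_id, text):
        """Refuse to persist conversation data without recorded consent."""
        if not self.has_consent(user_id, "conversation_history"):
            raise PermissionError(f"no consent to store messages for {user_id!r}")
        self._records[user_id]["messages"].append({"at": _now(), "text": text})

    def update_profile(self, user_id, **fields):
        if not self.has_consent(user_id, "profile"):
            raise PermissionError(f"no consent to store profile data for {user_id!r}")
        self._records[user_id]["profile"].update(fields)

    def export_user_data(self, user_id):
        """Step 2: everything held about the user as a plain dict
        (data is None if nothing is held). Round-tripping through JSON
        gives the caller a copy rather than the live record."""
        rec = self._records.get(user_id)
        return {"user_id": user_id, "data": json.loads(json.dumps(rec))}

    def export_user_data_json(self, user_id):
        """Step 2: the same export as a downloadable, machine-readable file."""
        return json.dumps(self.export_user_data(user_id), indent=2, sort_keys=True)

    def erase_user_data(self, user_id):
        """Step 3: delete every record for the user; True if anything was removed."""
        return self._records.pop(user_id, None) is not None

    def handle_menu_command(self, user_id, command):
        """Persistent-menu entries mapped onto the data-subject operations."""
        if command == "download_my_data":
            return self.export_user_data_json(user_id)
        if command == "delete_my_data":
            if self.erase_user_data(user_id):
                return "Your data has been deleted."
            return "We hold no data about you."
        raise ValueError(f"unknown menu command {command!r}")


if __name__ == "__main__":
    store = ChatbotDataStore()
    store.record_consent("user-1", ["conversation_history", "profile"], "2024-01")
    store.store_message("user-1", "I'd like to book a table")
    store.update_profile("user-1", name="Alice")
    print(store.handle_menu_command("user-1", "download_my_data"))
    print(store.handle_menu_command("user-1", "delete_my_data"))
```

The consent record carries the policy version and timestamp because a later access request or audit will ask not only what was stored but on what basis; the export returns a copy so that the user-facing download path can never modify the live record.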

4. Review the chatbot logs. The web servers and messenger platforms that run chatbot services usually store several kinds of logs, such as access, error, or security audit logs. These sometimes contain personal data such as IDs, IP addresses, and names. Companies are not allowed to store this kind of information without a legitimate reason, and even where there is a legitimate need, they may not retain it without the user's direct consent. A developer should review these logs to ensure that no personal data is being stored.
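As an added example of the log review in step 4 (example code, not code from the original article or from any platform), here is a small Python scanner that runs over constructed log lines, reports IPv4 addresses, email addresses and user identifiers, and produces a redacted copy of each line. The log format and the parameter names (`user_id`, `uid`, `psid`) are assumptions. Names cannot be found reliably by pattern matching, so the scanner does not attempt that, and free-text fields still need a manual review.

```python
"""Added example: scan chatbot / web-server log lines for personal data
(step 4) and produce a redacted copy. Detects IPv4 addresses, email
addresses and user identifiers passed as key=value parameters. The log
format and the key names are assumptions; the sample lines are constructed."""
import re

# Pattern name -> compiled regex. For user identifiers, group 1 is the id value.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "user_id": re.compile(r"\b(?:user_id|uid|psid)=([A-Za-z0-9_-]+)", re.IGNORECASE),
}

# Constructed sample log in an assumed "timestamp source message" format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z access 203.0.113.42 GET /webhook?user_id=1234567 200
2024-03-01T10:00:02Z bot msg from psid=9876543210 text="book a table"
2024-03-01T10:00:03Z error signup failed for alice@example.com
2024-03-01T10:00:04Z health ok uptime=42h
"""


def scan_log_lines(lines):
    """Return one finding per personal-data match: line number, kind, value."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group report only the captured value.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append({"line": lineno, "kind": kind, "value": value})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'ipv4': 1, 'email': 1, 'user_id': 2}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


def redact_line(line):
    """Replace personal data with placeholders, keeping the parameter names
    so the log stays readable for debugging."""
    line = PATTERNS["email"].sub("[EMAIL]", line)
    line = PATTERNS["ipv4"].sub("[IP]", line)
    # Keep "user_id=" and replace only the value that follows it.
    line = PATTERNS["user_id"].sub(
        lambda m: m.string[m.start(0):m.start(1)] + "[ID]", line
    )
    return line


if __name__ == "__main__":
    sample_lines = SAMPLE_LOG.splitlines()
    for f in scan_log_lines(sample_lines):
        print(f"line {f['line']}: {f['kind']} = {f['value']}")
    print(summarize(scan_log_lines(sample_lines)))
    for raw in sample_lines:
        print(redact_line(raw))
```

Running the scanner over the redacted output should yield no findings; that round trip is a cheap check that the redaction actually covers every pattern the scanner knows about, and a natural place to add a new pattern whenever the review turns up a field the regexes miss.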

5. A chatbot service should demonstrate that it has appropriate technical and organizational measures to protect against a data breach, and it should have clear procedures for handling any information leak. Data breaches that may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours, and to the affected individuals without undue delay, following Article 55.

Chatbot security can be accomplished by using the following strategies:

– user identity authentication

– authentication timeouts

– two-factor authentication

– biometric authentication

– end-to-end encryption

– self-destructing messages

You can find more about how to make your chatbot secure here.

6. All companies that process users' data should have a clearly stated privacy policy that contains the following information:

– What information is being collected?

– Who is collecting it?

– Why is it being collected?

– For how long will it be used?

– Who will it be shared with?

– How can consumers withdraw their consent to the use of their data?

For example:

Users should be acquainted with this privacy policy before their data is collected. To share it with users, companies can place a link in the chatbot's conversational flow or include a summarized version in the chatbot's introductory greeting.

The General Data Protection Regulation is changing the modern digital ecosystem. Because GDPR covers all European Union citizens, it affects most businesses worldwide, chatbots included.

Today we've looked at the GDPR and covered the necessary steps to keep in mind to make your chatbot compliant.