How To Make Your Chatbot GDPR Compliant
Is your chatbot protecting user data in line with Europe's most far-reaching privacy regulation? In this post, we explain how privacy works under GDPR and how to make your chatbot GDPR compliant step by step.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a set of rules that gives citizens of the European Union legal control over the sharing, editing, and removal of their personal data online. The regulation aims to bring transparency to the relationship between companies and users when data is collected and stored.
In simple words, GDPR helps to protect privacy online. Companies are obliged to inform users about how and when data is collected, to protect it from possible breaches, and to report any breach that does occur. Users can demand that personal information in a company's databases be edited or removed at any time.
What Types Of Data Are Protected By GDPR?
For company websites, this means user information collected through forms, payment systems, and marketing software that follows users' web activity. As per official resources, GDPR covers information such as:
- Identity information (name and surname; date of birth; phone number; home address; email address; ID card number and Social Security number, etc.)
- Web data (location, IP address, cookie data)
- Health and genetic data, biometric data (data that identifies a person);
- Racial and ethnic origin, religious beliefs, political opinions, and so on.
Note that GDPR is not limited to information storage. It also requires transparency in data collection: users must understand why the information is requested, how it will be protected, and how to exercise the right to be forgotten and have it removed at any time.
What if a company fails to comply with GDPR?
As you might have heard, severe penalties apply, reaching up to 20 million euros for the most serious violations. In June 2021, Deliveroo Italy was fined 2,500,000 euros for "Non-compliance with general data processing principles". The regulation is real and can't be ignored, so chatbot GDPR compliance is a must.
Why Does a Chatbot Fall Under GDPR?
Chatbots are often used for lead generation and collect information such as names, emails, and phone numbers. Rule-based chatbots are a clear example: they ask simple questions and accept inputs just like a regular website form. GDPR requires companies to explain how this data will be used.
Another point is user behavior data. With NLP or Machine Learning, a chatbot can process the input to understand the context and provide the best reply. Per GDPR, people have the right to object to the use of their personal data for automated decision-making. Also, if a chatbot analyses web activity like page visits, it is subject to prior consent as well.
A GDPR Requirements Checklist For Chatbots
Your GDPR-compliant page will need to include the legal basis around 8 User Rights: The Right to Information, The Right of Access, The Right to Rectification, The Right to Erasure, The Right to Restriction of Processing, The Right to Data Portability, The Right to Object, The Right to Avoid Automated Decision-Making.
- What information is being collected? Description of types and all possible ways.
- How long will it be stored and used? What happens after this period?
- How is it processed? Are there any third parties involved in a data exchange?
- Your legal basis for collecting personal data: why is it required? What is the minimum information needed?
Users must have the ability to:
- Confirm whether their personal data is being processed;
- Get a copy of any personal data that is stored;
- Ask to have their data changed if they believe it is not accurate;
- Request erasure of their data under the "right to be forgotten";
- Withdraw consent to data processing partially or completely;
- Object to data processing, such as direct marketing (unsubscribe).
2. Add privacy and access to the conversation data
The chatbot should provide users with a clear-cut, transparent, distinguishable, and easily accessible form to understand what data is collected, and how the bot and organization will use it. Users should be acquainted with privacy policies before their data is collected. To share this with users, companies can use a link in chatbots' conversational flow or have a summarized version as a part of introductory greetings and conversation.
You can indicate these points, as well as give users access to review consent, manage chat history, and download copies of their data in the chat menu. If the platform you are using supports persistent menus, those options should be offered there, or they can be added manually to your custom chatbot by a developer.
In addition, if your chatbot uses NLP for automated decision-making, it is also subject to prior consent. A chatbot must not make automated decisions on legal matters, or otherwise use personal information unlawfully, in ways that could affect users.
Also, the user should be able to delete their information whenever they ask. Adding this option to a chatbot’s persistent menu provides a great way to give your users the ability to erase their personal data.
3. Provide the chatbot logs
The web servers and messenger platforms that run chatbot services usually store different types of logs, such as access, error, or security audit logs. These logs can contain personal data such as user IDs, IP addresses, and names. Companies are not allowed to store this kind of information without a legitimate reason, and even where a legitimate need exists, organizations may not keep it without the user's direct consent. A developer should review these logs to confirm that you aren't storing any personal data unintentionally.
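To make that log review concrete, here is an added example (not code from the original post) that scans constructed chatbot log lines for the identifiers the section names and produces a redacted copy that can be stored instead. The `user_id=` field and the overall log layout are assumed; the patterns are heuristics to be tuned to your own log format.

```python
import re
from typing import Dict, List, Tuple

# Heuristic patterns for the personal identifiers the section names (IDs, IPs, contact
# details). The phone pattern requires a leading "+" so timestamps are not flagged.
PII_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d[\d\s().-]{6,}\d"),
    # Assumed log format: the bot writes the messenger user id as "user_id=<digits>".
    "user_id": re.compile(r"\buser_id=\d+"),
}


def find_pii(line: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) pairs for every personal identifier in a log line."""
    hits = []
    for category, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(line):
            hits.append((category, match.group(0)))
    return hits


def redact(line: str) -> str:
    """Replace each identifier with a category token so the log stays useful for debugging."""
    for category, pattern in PII_PATTERNS.items():
        if category == "user_id":
            line = pattern.sub("user_id=[REDACTED]", line)
        else:
            line = pattern.sub(f"[{category.upper()}]", line)
    return line


def audit_log(lines: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Scan a whole log: return per-category hit counts plus the redacted lines."""
    counts: Dict[str, int] = {}
    redacted = []
    for line in lines:
        for category, _ in find_pii(line):
            counts[category] = counts.get(category, 0) + 1
        redacted.append(redact(line))
    return counts, redacted


# Constructed sample log lines (not from a real system), in the assumed format.
SAMPLE_LOG = [
    "2021-06-01T10:00:00Z INFO access user_id=48213 ip=203.0.113.7 path=/webhook",
    "2021-06-01T10:00:02Z INFO intent=lead_capture text='call me at +49 30 1234567, jane.doe@example.com'",
    "2021-06-01T10:00:05Z ERROR upstream timeout after 3000ms",
]
```

Running `audit_log(SAMPLE_LOG)` reports one hit each for email, IPv4, phone and user ID, and returns lines in which those values are replaced by tokens; a non-empty count on a production log is the signal that retention or consent for that log needs attention.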
4. Review the data that you’re collecting
5. Make sure the chatbot is secure
A chatbot service should demonstrate that it has appropriate technical and organizational measures to protect against a data breach. Also, it should have clear procedures to handle any information leak.
Data breaches that may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours, and to the affected individuals without undue delay, following Article 55.
Chatbot security can be accomplished by using the following strategies:
- user identity authentication
- authentication timeouts
- two-factor authentication
- biometric authentication
- end-to-end encryption
- self-destructing messages
These were some tips on how you can make your chatbot GDPR compliant. Note that GDPR is not the only regulation covering data security.
More on Chatbot Security and Regulations
There are plenty of other legal systems protecting user privacy at a local or industry level.
The internet spans the whole world, so it is very likely that a user in any country may use your chatbot.
Local privacy requirements include:
1. US CalOPPA
2. Canada PIPEDA
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that dictates how businesses in the private sector must handle the personal information of their users.
3. Australia's Privacy Act
4. EU Privacy Directives
Apart from GDPR, more regulations include:
- In the EU, the Data Protection Directive and the ePrivacy Directive
- In the UK, the Data Protection Act (DPA)
Apart from local regulations, there may be additional industry-specific laws. For example, if a chatbot is used within healthcare and processes patient information, the HIPAA Privacy Rule applies. It sets security standards for protecting specific health information that is held or transferred online.
As patients entrust their data to healthcare organizations, it must be protected in several ways to safeguard the data of both practitioners and patients. This means:
- annual self-audits and reviews of security status;
- actionable fixes for any weaknesses that are uncovered;
- documented policies and processes for staff training on data security;
- documentation evidencing the efforts made to keep data safe;
- a procedure for protecting data in case of breaches.
A HIPAA violation, meaning any breach of an organization's compliance program, may result in penalties.