How To Make Your Chatbot GDPR Compliant

There are two major requirements in order to stay on top of business: innovativeness and data. Today we are going to combine the two and discuss how to make your chatbot GDPR compliant step-by-step. Let’s start with the basics of what GDPR actually is.

Sign up to get the latest chatbot news and updates

What Is GDPR?

The General Data Protection Regulation(GDPR) is a regulation on data protection for European Union citizens. It also applies to the transfer of personal data outside of the EU area. GDPR gives users the control over their personal information and whether they want to share or keep their data private.

What Types Of Data Are Protected By GDPR?

Basic identity information (name and surname; date of birth; phone number; a home address; an email address; ID card number and Social Security number etс. )

Web data (location, IP address, cookie data )

Health and genetic data

Biometric data (data that identifies a person)

Racial and ethnic origin

Religious beliefs

Political opinions

Which Companies Are Affected By GDPR?

Any company that collects and processes EU citizens’ personal information that stores personal data of EU residents must comply with GDPR, regardless if the company is present in EU territory or not. This means that most businesses need to be GDPR compliant.

There are three parties of GDPR compliance regulation.

Data subject: A person whose personal data is processed by a controller or processor

Data controller: Determines the purpose and conditions of collecting and processing personal data from users.

A Data Controller may be:

You and your company’s

CRM or Database

You are a Data Controller if your company:

Collects personal data;

Decides which types of data to collect;

Modifies collected data;

Sets the purpose of collected data usage;

Decides if to share the data and with whom;

Determines for which period of time to store the data.

Data processor: Processes personal data for Data Controllers. A Data Processor can be:

Analytic tools (Google Analytics, Mixpanel, etc.)

Communication tools (Messenger, Slack, Telegram, Skype, WhatsApp, etc.)

Natural Language Understanding (NLU) & Artificial Intelligence (AI) Services (DialogFlow, IBM Watson, etc)

Cloud Providers and third-party companies

You are a data processor if your company does the following actions for a Data Controller:

Implements systems and methods or tools to collect personal information;

Installs the security surrounding personal data;

Stores personal data;

Passes personal data from one company to another;

You are a data processor if your company does the following actions for a Data Controller:

Implements systems and methods or tools to collect personal information;

Installs the security surrounding personal data;

Stores personal data;

Passes personal data from one company to another;

Now that you’re familiar with what GDPR is, let’s move on to see how to make your chatbot GDPR compliant. There are 6 steps that have to be made to ensure your bot is compliant.

A GDPR Requirements Checklist For Chatbots

1. At the beginning of a conversation, the chatbot should provide users with a clear-cut, transparent, distinguishable, and easily accessible form to understand what data is collected, and how it will be used by the bot and organization.

2. Chatbot users should be provided with a clear and simple way to access, review and download copies of their data (in an electronic form) that was collected, free of charge. A user should be able to erase their data if desired to do so. If the platform you are using supports persistent menus, those options should be offered there or it can be added manually to your custom chatbot by a developer.

3. Also, the user should be able to delete their information whenever they please. Adding this option to a chatbot’s persistent menu provides a great way to give your users the ability to erase their personal data.

4. Review the chatbot logs. Usually, different web servers and messenger platforms that run chatbot services can store different types of logs such as access, error or security audit logs. Sometimes they might contain personal data such as IDs, IPs, and names. Companies are not allowed to store this kind of information if there is no legitimate reason to. Even if there is a legitimate need, organizations are not allowed to save them without direct consent from the user. These logs can be reviewed by a developer to ensure that you aren’t storing any personal data.

A chatbot service should be able to demonstrate that it has appropriate technical and organizational measures in place to protect against a data breach. Also, it should have clear procedures to handle any information leak. Data breaches which may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours and to affected individuals without undue delay in accordance with Article55.

Chatbot security can be accomplished by using the following strategies:

user identity authentication

authentication timeouts

two-factor authentication

biometric authentication

end-to-end encryption

self-destructing messages.

You can find more about how to make your chatbot secure here.

All companies that proceed users data should have a clearly stated privacy policy which contains the following pertinent information:

What information is being collected?

Who is collecting it?

Why is it being collected?

For how long it will be used?

Who will it be shared with?

How can consumers withdraw from the agreement to give their data?

For example:

Users should be acquainted with this privacy policy before their data is collected. To share this with users, companies can use a link in chatbots conversational flow or have a summarized version as a part of chatbots introductory greetings and conversation.

The General Data Protection Regulation is bringing change to the modern digital ecosystem. As GDPR compliance covers all European Union citizens, it means that this regulation affects most business worldwide with no exception to chatbots as well.

Today we’ve looked at the GDPR and covered all of the necessary steps to take to keep in mind to make your chatbot compliant.