Chatbots & GDPR: Is my Chatbot GDPR Compliant?
With one month left until the EU starts enforcing the General Data Protection Regulation (GDPR), with fines for non-compliant organizations of up to 4% of annual global turnover or €20M, whichever is higher, it is time to pull out that audit report your team started preparing two years ago, when the European Parliament adopted the GDPR on April 14, 2016, look at the “GDPR Ready” stamp on it, and check that it still holds.
If this is the first time you hear about this, that might be an issue, but don’t panic: this article takes you through a quick brief of what you need to know before you decide on your actions.
How did it all happen?
Ok, so let’s take a step back. The General Data Protection Regulation is the result of four years of effort to update the Data Protection Directive that European countries had in place since 1995. Its first aim is to give people more control over how organizations use their information; the ongoing Cambridge Analytica scandal is a good example of why that matters. The second is to give EU companies a single law and a single supervisory framework governing how they deal with users’ data (instead of 28 national ones), which is expected to save those companies a collective €2.3 billion per year.
What do you need to know?
The General Data Protection Regulation (GDPR) governs the processing of personal data of people in the EU, including its export outside the EU. It aims primarily to give citizens and residents control back over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The EUGDPR Portal gives the definitions we need to understand:
· A Data Subject is a natural person whose personal data is processed by a controller or processor.
· A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data.
· A Data Processor is an entity that processes personal data on behalf of the controller.
Data Processing and Storing:
Consent: Companies will no longer be able to bury consent in long, illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to it, and must be clearly distinguishable from other matters, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Right to Access: data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose, in an explicit, clear and transparent notice. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten (Data Erasure): the data subject is entitled to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Data Protection Officers: a DPO must be appointed by (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, you do not need to appoint a DPO.
In other words, DPO appointment is mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Auditing: both data controllers and data processors need to maintain a record of their processing activities.
How does this affect you?
Even if your business is based outside the EU, the GDPR applies if you control or process the personal data of people in the EU.
What does this say about your Chatbot?
With this brief intro to GDPR (full information is on the official website), your Chatbot, like any other application in your organization, needs to be fully compliant. So what do you need to do?
1- Whether you’re a data controller or a data processor, if you receive and handle users’ data through your Chatbot, it has to comply fully with the new regulation.
2- To provide users with a personal experience, your Chatbot probably relies on some Personal Data, so you need to audit all of your stored data, identify which parts of it are Personal Data, and check whether the platforms you use to store and handle it are GDPR compliant.
3- Provide your Chatbot users with clear policies and agreements on data storage and usage; the keyword here is Consent. At the beginning of a conversation, your Chatbot should give users a clear, transparent, distinguishable and easily accessible way to understand what data is collected and how it will be used by the Chatbot and your organization.
4- The amount of data provided through a conversation with a Chatbot may exceed what is collected when a user fills in a form, simply because of the nature of conversation. Your Chatbot users need a clear and easy way to access, review and download copies of the personal data collected through the Chatbot (in electronic form, free of charge), and to have it erased on request. If the platform you use supports persistent menus, offer those options there.
5- Review your Chatbot logs. It is very common for the web servers and messenger services that run Chatbot services to keep different types of logs (access, error or security audit logs) that hold Personal Data such as user IDs, IP addresses and names. You need a lawful basis under Article 6 to keep this kind of information at all: consent is one, but for security or operational logging that basis is more often legitimate interest. In either case you must document the purpose, log only what that purpose needs, and set a retention period after which the logs are deleted or pseudonymised.
6- Your Chatbot service must be able to demonstrate that you have appropriate technical and organizational measures in place (Article 32) to protect users’ data, conversation logs, user context data and so on against a data breach, along with clear procedures to handle any breach. Data breaches that may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours (Article 33) and to affected individuals without undue delay (Article 34).
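Items 4 and 5 above are where the engineering work lands. The following is an added example, not code from this article or from botique.ai, showing one way to treat chatbot logs so that they can be retained: direct identifiers are dropped or replaced by a keyed pseudonym, free text is scrubbed of e-mail and IP addresses, and the same pseudonym is then used to honour an erasure request and a retention cut-off. The JSON-per-line log format, the field names (`ts`, `ip`, `user_id`, `name`, `text`) and the sample lines are all constructed for the example, and the HMAC key is a placeholder.

```python
"""Scrub chatbot logs before they are kept: drop or pseudonymise direct
identifiers, strip e-mails/IPs from free text, support erasure and retention.
Added example; log format, field names and sample lines are constructed."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON object per line, as a hypothetical chatbot
# gateway might write it. Names, IPs and e-mails are fictitious.
SAMPLE_LOG = [
    '{"ts":"2018-04-20T10:01:02Z","ip":"203.0.113.42","user_id":"u-48213",'
    '"name":"Jane Doe","event":"message",'
    '"text":"my email is jane.doe@example.com, can you resend the invoice?"}',
    '{"ts":"2018-04-20T10:01:05Z","ip":"203.0.113.42","user_id":"u-48213",'
    '"event":"bot_reply","text":"Sure, sending it now."}',
    '{"ts":"2018-01-03T08:15:00Z","ip":"198.51.100.7","user_id":"u-77001",'
    '"name":"Ali Hassan","event":"message","text":"where is my order?"}',
]

# Placeholder key (assumption): in production it lives in a secrets store,
# never beside the logs, and is rotated. Without it the pseudonyms cannot be
# linked back to a real user ID.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Dotted-quad matcher; it also hits version strings such as 1.2.3.4, an
# acceptable false positive for a scrubber.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable per user (a session can still be traced and an
    erasure request can find every record) but not reversible without the
    key. A plain SHA-256 could be brute-forced from a list of known IDs."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Redact identifiers users tend to type into a chat."""
    text = EMAIL_RE.sub("[email]", text)
    return IPV4_RE.sub("[ip]", text)


def scrub_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    out = dict(record)
    out.pop("name", None)            # direct identifier with no debugging value
    if "ip" in out:
        out["ip"] = "[ip]"           # an IP address is personal data too
    if "user_id" in out:
        out["user_id"] = pseudonymise(out["user_id"], key)
    if "text" in out:
        out["text"] = scrub_text(out["text"])
    return out


def scrub_log(lines, key: bytes = PSEUDONYM_KEY) -> list:
    """Apply scrub_record to every JSON line; the output is what is retained."""
    return [json.dumps(scrub_record(json.loads(line), key), separators=(",", ":"))
            for line in lines]


def erase_user(scrubbed_lines, user_id: str, key: bytes = PSEUDONYM_KEY) -> list:
    """Right to erasure: hash the raw ID with the same key to find and drop
    the user's records in the pseudonymised log."""
    token = pseudonymise(user_id, key)
    return [line for line in scrubbed_lines if json.loads(line).get("user_id") != token]


def parse_ts(value: str) -> datetime:
    """Parse the log's UTC timestamps (the constructed format used above)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expire(scrubbed_lines, now: datetime, retention_days: int = 30) -> list:
    """Retention: keep only records newer than the documented retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [line for line in scrubbed_lines if parse_ts(json.loads(line)["ts"]) >= cutoff]


def contains_raw_identifiers(lines) -> bool:
    """Self-check before shipping logs: anything left that looks like a raw
    e-mail, IPv4 address or a 'name' field?"""
    joined = "\n".join(lines)
    return bool(EMAIL_RE.search(joined) or IPV4_RE.search(joined) or '"name"' in joined)


if __name__ == "__main__":
    scrubbed = scrub_log(SAMPLE_LOG)
    for line in scrubbed:
        print(line)
    print("raw identifiers left:", contains_raw_identifiers(scrubbed))
    print("records after erasing u-48213:", len(erase_user(scrubbed, "u-48213")))
    print("records after 30-day retention:",
          len(expire(scrubbed, parse_ts("2018-04-25T00:00:00Z"))))
```

Two design points: the pseudonym is a keyed HMAC rather than a plain hash, so whoever holds the key (and only they) can still map a data subject's real ID to their log records when an access or erasure request arrives, while a leaked log on its own does not re-identify anyone; and the regex scrubbing of free text is a safety net for what users type, not a substitute for deciding up front which fields the Chatbot has a documented reason to record at all.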
What is your next step(s)?
You may have noticed that many of these procedures have been considered best practices by many organizations for some time. The difference now that GDPR is in place is that, for the first time, a law attaches such clear and hefty consequences to non-compliance. Hopefully this article gives you a better understanding of what GDPR is and how it might affect your Chatbot.
Rajai Nuseibeh, MBA, is the VP of Marketing at botique.ai, an enterprise platform that automates chat interactions using proprietary Conversational AI. We compose Chatbots from a wide selection of pre-built, pre-trained AI modules, which makes the integration process quick and easy.