The General Data Protection Regulation (GDPR) entered into force and was fully operational as of May 25th 2018. You can read all about it here. The new regulations brought a series of changes and improvements while strengthening the current regulatory framework. The GDPR applies to any website or mobile application collecting data from EU residents, and that means chatbots and voice assistants as well!
Despite some myths and misunderstandings around the GDPR regulations, there has been some success in the new policy, although it is still described as being in a transition period. With incidents such as the Cambridge Analytica scandal last year, users are even more concerned about what we do with their data.
If you use chatbots as part of your sales and marketing strategies, you’ll need to make sure the processes you use to collect consumers’ personal data, as well as what you do with this data, are in line with GDPR. Read on for some tips on how to ensure that your chatbots are GDPR compliant.
1. User Consent
Consent is not valid unless it is “freely given, specific, informed, and unambiguous.” Basically, that means a “clicked” agreement is required.
For websites your privacy notice is a great place to get consent from users. Here is a great example:
- What information is collected?
- Who is collecting it?
- Why is it being collected?
- How long will it be used for?
- Who will it be shared with?
- How can consumers withdraw from the agreement to give their data?
A chatbot should provide users with a clear-cut, transparent, distinguishable, and easily accessible form to understand what data is collected and how it will be used by the bot and the organization. This needs to be provided at the start of the conversation, and it’s often a good idea to provide an easy way to access it in future, e.g. a free-text intent for bots supporting NLP, or part of an integration menu such as Facebook Messenger’s.
We’ve found that having a privacy page in place listing all the important information is also an effective way to aid in compliance.
2. Allow users to have their data forgotten
According to the GDPR, users should be able to request that all their Personal Data is removed.
Chatbots need an intent to support this, e.g. ‘please forget my data’, ‘delete my personal data’, etc. Alternatively, this could be part of the menu system.
This data removal request needs to be followed up correctly.
3. Allow users to retrieve their data
Users should be able to retrieve their Personal Data.
Chatbot users should be provided with a clear and simple way to access, review and download copies of their data (in an electronic form) that was collected, free of charge. This can be actioned in multiple ways. You could build a dialogue for this, e.g. ‘please tell me what data you are storing’ or ‘can you send me my data’. The response should either present the data to the user or send an email to start the process.
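The erasure and retrieval intents from sections 2 and 3 can share one fulfilment handler. The sketch below is an added example, not The Bot Forge's code: the intent names, the in-memory stores and the `request_for` helper are hypothetical, and it assumes a Dialogflow ES-style webhook body whose session id is supplied by the channel and identifies the user.

```python
import json
import time

# Hypothetical intent names; use whatever your agent defines.
ACCESS_INTENT = "privacy.access_my_data"
ERASE_INTENT = "privacy.forget_my_data"

# Constructed in-memory stores standing in for a profile DB and transcript log.
PROFILES = {"sess-alice": {"email": "alice@example.com", "first_name": "Alice"}}
TRANSCRIPTS = {"sess-alice": ["Hi, I'm Alice", "Send the brochure to alice@example.com"],
               "sess-bob": ["What are your opening hours?"]}
AUDIT = []  # records that a request was handled, without the personal data itself


def handle_webhook(body: dict) -> dict:
    """Answer a Dialogflow ES-style webhook call for the two privacy intents."""
    intent = body["queryResult"]["intent"]["displayName"]
    # Key every lookup on the channel-provided session id, never on an
    # identifier typed into the chat, so one user cannot request another's data.
    user_key = body["session"].rsplit("/", 1)[-1]

    if intent == ACCESS_INTENT:
        export = {"profile": PROFILES.get(user_key, {}),
                  "transcript": TRANSCRIPTS.get(user_key, [])}
        AUDIT.append({"type": "access", "at": int(time.time())})
        return {"fulfillmentText": "Here is the data we hold about you:\n"
                                   + json.dumps(export, indent=2)}

    if intent == ERASE_INTENT:
        # Erase from every store that holds the user's data, not just one.
        removed = sum(store.pop(user_key, None) is not None
                      for store in (PROFILES, TRANSCRIPTS))
        AUDIT.append({"type": "erasure", "stores_cleared": removed,
                      "at": int(time.time())})
        return {"fulfillmentText": f"Done. Your data was removed from {removed} store(s)."}

    return {"fulfillmentText": "Sorry, I didn't understand that."}


def request_for(intent: str, session_id: str) -> dict:
    """Build a minimal constructed webhook body for trying the handler."""
    return {"session": f"projects/demo/agent/sessions/{session_id}",
            "queryResult": {"intent": {"displayName": intent}}}
```

The audit list keeps only the request type and time, so proof that an erasure was followed up does not itself retain the erased data.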
4. Use personal data for the stated purposes only
This is vital for becoming GDPR compliant. Your online chatbot may be an informal way of collecting personal data, but it is still considered to be a data collecting and processing tool and so will fall under the GDPR legislation.
Clearly stating what information is used for is key. This means that you are only able to use the data for the stated purposes, such as sending newsletters, emails, SMS marketing messages or contacting users on Facebook Messenger.
If you tell your customers that you will be using their email address and mobile phone number to send them information about your services and products, you should do that and nothing more.
5. Leverage Chatbot Conversation
Chatbots provide an engaging interaction medium for users, which is no doubt enhanced by a personalised experience. This will often mean that a chatbot needs to collect some personal data from its users. When designing chatbots, always remember to keep privacy first in mind. With a chatbot, it is easy to ask for a user’s permission and explain why you need it because you are already in a dialogue with your user.
Use opportunities when available to clarify and advise users during the conversation.
6. Safeguarding Data
There are two important roles defined in the GDPR that affect you as a company and the chatbot you build. Firstly, the data controller and secondly, the data processor:
- Data Controller represents the entity which determines the purposes and means of the processing of personal data
- Data Processor represents the entity which processes personal data on behalf of the controller
Data controllers are the decision makers about which personal data gets collected, stored and processed – so most companies are considered controllers!
Chatbots are all about data. If you want to create a solid conversational experience, you need to use Natural Language Understanding (NLU) and dialogue systems. The underlying machine learning algorithms need training data in order to improve and learn. Collecting this data is necessary to train the models and the more data you have the better the bot performs.
Data is essential – but it’s also vital to reduce the risk of data breaches and adhere to the GDPR data processing principles.
With GDPR you are prohibited from storing this data without explicit consent from users or if there is no legitimate reason to store it. If you do have a need to store this data to improve your chatbot’s interaction with consumers, you may not do so unless you have explicit consent.
It’s common for many web and messenger servers to keep different types of logs, such as access, error or security audit logs. These logs might hold personal data such as IDs, IPs, and even names.
Reviewing your logs will allow you to find any personal data and deal with it accordingly.
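One way to carry out that log review, shown as an added example rather than code from the original post: it finds IPs, email addresses and user IDs in log lines and replaces them with keyed-hash tokens. The `sender_id=` field name, the sample lines and the key are constructed assumptions about the log format.

```python
import hashlib
import hmac
import re

# Patterns for the kinds of personal data named above. The user-id field name
# ("sender_id=") is an assumption about the log format, not a standard.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sender_id": re.compile(r"(?<=sender_id=)\d+"),
}


def find_personal_data(line: str) -> list:
    """Return (kind, value) pairs for every match in one log line."""
    return [(kind, m.group())
            for kind, rx in PATTERNS.items() for m in rx.finditer(line)]


def pseudonymise(line: str, key: bytes) -> str:
    """Replace each match with a keyed hash so events stay correlatable
    without the log holding the original value."""
    def token(kind: str, value: str) -> str:
        digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
        return f"<{kind}:{digest}>"

    for kind, rx in PATTERNS.items():
        line = rx.sub(lambda m, k=kind: token(k, m.group()), line)
    return line


# Constructed sample lines in the style of a web/messenger server log.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2018:10:00:01 +0000] "POST /webhook HTTP/1.1" 200 512',
    "INFO sender_id=1234567890 intent=newsletter.signup email=alice@example.com",
    "ERROR upstream timeout after 3000ms",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(find_personal_data(raw), "->",
              pseudonymise(raw, b"constructed-demo-key"))
```

Keyed tokens are still pseudonymous personal data while the key exists, so the key needs the same protection and retention limits as the values it replaced. Names in free-text messages will not match these patterns and need a separate review.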
At The Bot Forge we use the Dialogflow natural language processing engine to create our chatbots. Using Google Cloud services means we can rely on GDPR being upheld with regards to our chatbot data:
“At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of user data. We’ve made multiple updates to ensure that Google Cloud customers can confidently use our services now that the GDPR is in effect.”
We have peace of mind as compliance with the GDPR is a top priority for Google Cloud. It’s important to have this confidence when using third-party services which handle your data.