6 Tips to Ensure Your Chatbot is GDPR Compliant


The General Data Protection Regulation (GDPR) entered into force and was fully operational as of May 25th 2018. You can read all about it here. The new regulation brought a series of changes and improvements while strengthening the existing regulatory framework. The GDPR applies to any website or mobile application collecting data from EU residents, and that means chatbots and voice assistants as well!

Despite some myths and misunderstandings around the GDPR, the regulation has had some success, even though it is still described as being in a transition period. With incidents such as the Cambridge Analytica scandal last year, users are even more concerned about what we do with their data.

It's important to note that 71% of UK adults want tougher action in penalising companies that abuse our data privacy by misusing third-party data.

If you use chatbots as part of your sales and marketing strategies, you’ll need to make sure that the processes you use to collect consumers’ personal data, as well as what you do with that data, are in line with the GDPR. Read on for some tips on how to ensure that your chatbots are GDPR compliant.

1. User Consent

Consent is not valid unless it is “freely given, specific, informed, and unambiguous.” Basically, that means a “clicked” agreement is required.
For websites, your privacy notice is a great place to get consent from users. Here is a great example:

Privacy popup example

Don’t forget to update your privacy policy!

One of the rules of the GDPR is that all companies utilizing consumer data need to have a clearly stated privacy policy which contains the following pertinent information:

  • What information is collected?
  • Who is collecting it?
  • Why is it being collected?
  • How long will it be used for?
  • Who will it be shared with?
  • How can consumers withdraw from the agreement to give their data?

A chatbot should provide users with a clear-cut, transparent, distinguishable and easily accessible way to understand what data is collected and how it will be used by the bot and the organisation. This needs to be provided at the start of the conversation, and it's often a good idea to provide an easy way to access it again later, e.g. for bots supporting NLP, a free-text intent or an entry in an integration menu such as Facebook Messenger's:

GDPR chatbot consent: chatbot privacy consent example

We've found that having a privacy page in place listing all the important information is also an effective way to aid in compliance.


2. Allow users to have their data forgotten

According to the GDPR, users should be able to request that all their Personal Data is removed.

Chatbots need an intent to support this, e.g. ‘please forget my data’, ‘delete my personal data’, etc. Alternatively, this could be part of the menu system:

Erase Data Chatbot Option

Once received, this data removal request must actually be actioned and followed up correctly, not just acknowledged by the bot.

3. Allow users to retrieve their data

Users should be able to retrieve their Personal Data.

Chatbot users should be provided with a clear and simple way to access, review and download copies of the data that was collected about them (in an electronic form), free of charge. This can be actioned in multiple ways. You could build a dialogue for this, e.g. ‘please tell me what data you are storing’ or ‘can you send me my data’. The response should either present the data to the user or send an email to start the process.

Allow Data Retrieval Mechanism

4. Use personal data for the stated purposes only

This is vital for becoming GDPR compliant. Your online chatbot may be an informal way of collecting personal data, but it is still considered to be a data collecting and processing tool and so will fall under the GDPR legislation.

Clearly stating what information is used for is key. This means that you are only able to use the data for the stated purposes, such as sending newsletters, emails, SMS marketing messages or contacting users on Facebook Messenger.

Implement a mechanism to make sure users are clear about what you will do with their data. This can be added as part of a welcome message, supported by an intent match, or included in the privacy policy.

Chatbot Privacy use of information.

If you tell your customers that you will be using their email address and mobile phone number to send them information about your services and products, you should do that and nothing more.
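The three mechanisms above (tip 2, erasure on request; tip 3, retrieval of a copy of the data; tip 4, using the data only for the purposes the user agreed to) can all hang off the same small handler. The following is an added illustration written for this article, not code from The Bot Forge or from Dialogflow: it uses a hypothetical in-memory `PrivacyBot` store and plain keyword matching in place of a real NLU engine, so that the erase and export intents, the audit trail and the purpose check can be exercised offline.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class UserRecord:
    """Hypothetical per-user record. The consented purposes travel with the
    data so every use can be checked against them (purpose limitation)."""
    email: str
    phone: str
    consented_purposes: Set[str] = field(default_factory=set)


class PrivacyBot:
    # Phrases a real NLU layer would map to these intents; here simple
    # regexes stand in for the engine so the example runs stand-alone.
    ERASE_PATTERNS = (
        r"\bforget (my|all my) data\b",
        r"\bdelete my (personal )?data\b",
        r"\berase my data\b",
    )
    EXPORT_PATTERNS = (
        r"\bwhat data (are you|do you) stor",
        r"\bsend me my data\b",
        r"\bdownload my data\b",
    )

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        # Audit trail of consent / erasure / export events. It records only
        # the event and the user id, never the personal data itself.
        self.audit: List[str] = []

    def record_consent(self, user_id: str, email: str, phone: str, purposes) -> None:
        """Store the data together with the purposes the user agreed to."""
        self.users[user_id] = UserRecord(email, phone, set(purposes))
        self.audit.append(f"consent:{user_id}:{','.join(sorted(purposes))}")

    def classify(self, utterance: str) -> str:
        """Map a free-text utterance to an intent name."""
        text = utterance.lower()
        if any(re.search(p, text) for p in self.ERASE_PATTERNS):
            return "erase_data"
        if any(re.search(p, text) for p in self.EXPORT_PATTERNS):
            return "export_data"
        return "fallback"

    def handle(self, user_id: str, utterance: str) -> str:
        """Dispatch the matched intent and return the bot's reply text."""
        intent = self.classify(utterance)
        if intent == "erase_data":
            return self.erase(user_id)
        if intent == "export_data":
            return self.export(user_id)
        return "Sorry, I didn't understand. You can ask me to delete or send you your data."

    def erase(self, user_id: str) -> str:
        """Right to erasure: remove the record and the consent that came with it."""
        if self.users.pop(user_id, None) is None:
            return "We hold no personal data for you."
        self.audit.append(f"erase:{user_id}")
        return "Your personal data has been deleted."

    def export_record(self, user_id: str):
        """Right of access: return everything held about the user, or None."""
        rec = self.users.get(user_id)
        if rec is None:
            return None
        self.audit.append(f"export:{user_id}")
        return {
            "user_id": user_id,
            "email": rec.email,
            "phone": rec.phone,
            "consented_purposes": sorted(rec.consented_purposes),
        }

    def export(self, user_id: str) -> str:
        """Electronic copy of the data, as JSON the user can download."""
        record = self.export_record(user_id)
        if record is None:
            return "We hold no personal data for you."
        return json.dumps(record, indent=2)

    def may_use(self, user_id: str, purpose: str) -> bool:
        """Purpose limitation: only use data for a purpose the user consented to.
        Erased users have no record, so every purpose is refused for them."""
        rec = self.users.get(user_id)
        return rec is not None and purpose in rec.consented_purposes


if __name__ == "__main__":
    bot = PrivacyBot()
    bot.record_consent("u1", "jane@example.com", "+44 7700 900123", ["newsletter"])
    print(bot.may_use("u1", "newsletter"), bot.may_use("u1", "sms_marketing"))
    print(bot.handle("u1", "Can you send me my data?"))
    print(bot.handle("u1", "please forget my data"))
    print(bot.handle("u1", "what data are you storing about me?"))
```

The point of `may_use` is that the marketing code path, not the user, decides whether an email or SMS goes out: if "sms_marketing" was never consented to, the send is refused even though the phone number is on file, and after an erasure every purpose is refused because the record no longer exists. In a real deployment the erase step has to reach every copy of the data (CRM, mailing list, analytics), not just the bot's own store.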

5. Leverage Chatbot Conversation

Chatbots provide an engaging interaction medium for users, which is no doubt enhanced by a personalised experience. This will often mean that a chatbot needs to collect some personal data from its users. When designing chatbots, always keep privacy first in mind. With a chatbot it is easy to ask for a user's permission and explain why you need it, because you are already in a dialogue with your user.

Use opportunities when available to clarify and advise users during the conversation.


6. Safeguarding Data


There are two important roles defined in the GDPR that affect you as a company and the chatbot you build. Firstly, the data controller and secondly, the data processor:

  • Data Controller represents the entity which determines the purposes and means of the processing of personal data
  • Data Processor represents the entity which processes personal data on behalf of the controller

Data controllers are the decision makers about which personal data gets collected, stored and processed - so most companies are considered controllers!

Chatbots are all about data. If you want to create a solid conversational experience, you need to use Natural Language Understanding (NLU) and dialogue systems. The underlying machine learning algorithms need training data in order to improve and learn. Collecting this data is necessary to train the models and the more data you have the better the bot performs.

Data is essential - but it's also vital to reduce the risk of data breaches and adhere to the GDPR data processing principles.

Under the GDPR you are prohibited from storing this data without explicit consent from users, or where there is no legitimate reason to store it. Even if you do need to store this data to improve your chatbot’s interaction with consumers, you may not do so unless you have explicit consent.

It’s common for many web and messenger servers to keep different types of logs, such as access, error or security audit logs. These logs might hold personal data such as IDs, IPs, and even names.

Reviewing your logs will allow you to find any personal data and deal with it accordingly.
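As an added example (not a tool from the article or from The Bot Forge), the script below does the log review just described over three constructed log lines: a web-server access log line, a messenger webhook log line and an error log line. It reports where IP addresses, email addresses and messenger sender IDs appear, and produces a redacted copy in which those values are replaced by placeholders; the regexes and the log formats are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOGS = [
    '203.0.113.42 - - [10/Mar/2019:14:22:01 +0000] "POST /webhook HTTP/1.1" 200 512',
    'INFO webhook sender_id=1234567890123456 text="my email is jane.doe@example.com"',
    'ERROR session failed for user Jane Doe (jane.doe@example.com) from 198.51.100.7',
]

# Kinds of personal data that can be spotted mechanically. Names (like the
# "Jane Doe" above) cannot be found reliably by regex and still need a
# manual review or an entity-recognition pass.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "messenger_id": re.compile(r"\bsender_id=(\d{10,})"),
}


def find_personal_data(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every match in one log line."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            hits.append((kind, value))
    return hits


def redact(line: str) -> str:
    """Replace each personal-data value with a placeholder of its kind."""
    out = PATTERNS["email"].sub("<email>", line)
    out = PATTERNS["ip"].sub("<ip>", out)
    out = PATTERNS["messenger_id"].sub("sender_id=<id>", out)
    return out


def review(lines: List[str]) -> Tuple[Dict[int, List[Tuple[str, str]]], List[str]]:
    """Scan a log: map 1-based line numbers to their findings and
    return the redacted copy alongside the report."""
    report: Dict[int, List[Tuple[str, str]]] = {}
    redacted: List[str] = []
    for n, line in enumerate(lines, 1):
        hits = find_personal_data(line)
        if hits:
            report[n] = hits
        redacted.append(redact(line))
    return report, redacted


if __name__ == "__main__":
    report, redacted = review(SAMPLE_LOGS)
    for n, hits in report.items():
        print(f"line {n}: {hits}")
    print("\n".join(redacted))
```

Running this over real logs gives you the inventory the GDPR asks for: which log sources hold personal data, and which fields. From there you can decide per source whether to stop logging the field, redact it at write time as above, or shorten its retention period.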

Cloud Compliance

At The Bot Forge we use the Dialogflow natural language processing engine to create our chatbots. Using Google Cloud services means we can rely on the GDPR being upheld with regard to our chatbot data:

At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of user data. We’ve made multiple updates to ensure that Google Cloud customers can confidently use our services now that the GDPR is in effect.

We have peace of mind as compliance with the GDPR is a top priority for Google Cloud. It's important to have this confidence when using third-party services which handle your data.

About The Bot Forge

Consistently named as one of the top-ranked AI companies in the UK, The Bot Forge is a UK-based agency that specialises in chatbot & voice assistant design, development and optimisation.

If you'd like a no-obligation chat to discuss your project with one of our team, please book a free consultation.