As the GDPR (General Data Protection Regulation) casts its shadow over companies handling customer data, there’s a growing sense of urgency to address the technological aspects of businesses.
One question that comes often from our clients is: how do I make my Botpress chatbot GDPR compliant? While compliance with the GDPR can be tricky, we’re here to help.
If the GDPR applies to your company, here are a few tips and tricks for ensuring your chatbot’s ongoing compliance.
GDPR Crash Course
What is the GDPR?
The GDPR is an EU regulation centered on data protection and privacy. It impacts individuals and companies in the EU and European Economic Area (EEA), including the transfer of data outside the EU and EEA.
Its purpose is to give individuals control over their personal data and provide unified regulation across the EU. If your business operates in these areas, you must be compliant with the GDPR.
Not complying with GDPR bears a cost. It could lead to substantial penalties, reaching up to 20 million euros or 4% of your worldwide turnover for the preceding financial year – whichever is higher.
The goal is to be able to demonstrate to your users that you will process their data precisely as promised. This will definitely build customer trust in your chatbots, which could ultimately enhance your company's profitability and success.
What is considered personal data?
Under the GDPR, personal data is defined as “any information that relates to an identified or identifiable living individual.” This includes:
- Telephone numbers
- Credit card numbers
- Personnel numbers
- Account data
- Number plates
- Appearance
- Customer numbers
- Addresses
However, the definition under the GDPR is broad – if you’re unsure whether information should count as personal data, you’re better off assuming it should be handled as such.
Be Transparent
If you’re collecting customer data through your chatbot – and this data is considered personal data under the GDPR – you need to be transparent with chatbot users. You must explain the ‘who, what, where, when, and why’ of collecting their data.
This means informing your users on what customer data you collect, how you use it and who you share it with. These elements should always be presented to the user before you collect any customer data.
Inform the user before collection
You should provide a clear and easily understandable notice before you manage any customer data through your chatbot.
This will often look like pop-ups that explain to users what data you will collect from them, why you’re collecting it, and their rights to personal data collection.
Post a public privacy statement
You should also detail your data processing practices in an online privacy policy or statement and update as necessary. You can refer to Botpress’ Privacy Statement as an example.
Your privacy statement should include:
- What information is collected from the user
- Why you’re processing their personal data (i.e. the purpose of data collection)
- How you store and transfer personal data
- How you protect and handle their personal data
- The users’ privacy rights
Transparency about your use and handling of customer data fosters a sense of trust and goodwill – and this leads to stronger, more enduring customer relationships and, ultimately, a more sustainable and reputable business.
Be Truthful
You should only process data for your stated purposes. This includes being vigilant that your company and its employees only process customer data for the stated purposes.
For example, if you state that you’ll use customer data for sending commercial communications, train algorithms, data analytics for product improvement, technical support, customer service or service personalization, you may only use the data for such purposes, and nothing more.
Be Smart
You should only process data with proper legal justification.
Take a step back and internally evaluate your legal basis for processing customer data. This analysis is required by the GDPR.
You may only manage customer data if one or more of the following conditions are met:
- It’s based on explicit consent of the chatbot user
- It’s part of a contract with the user and processing is indispensable
- It’s fulfilling a legal obligation
- It’s to safeguard the vital interests of the user (read: life or death situation!)
- It’s performing a task in the public interest
- It’s part of your official authority
- It’s in order to pursue legitimate interests (unless such interests are outweighed by the users interests or fundamental rights and freedoms)
The most common reasons for processing customer data are consent, execution of a contract or legitimate interests.
Be Customer-Driven
You must enable users to exercise their data privacy rights.
One item on the GDPR checklist for online chatbots pertains to ensuring that chatbot users are able to exercise one or more of the various data privacy rights given to them under GDPR.
Chatbot users must be able to have access to the customer data the chatbot collected about them, correct it, restrict processing and object to it, request deletion of their data or get it in a portable format.
Ideally, users are able to exercise these rights directly through your chatbots conversation flow, via an interactive question-and-answer process. Thankfully, Botpress offers this possibility.
Be Human
Try to demonstrate that automated decisions have human involvement.
Chatbots powered by Botpress use AI-fueled technology. Unless certain conditions are met, you cannot structure your chatbot in a way that AI would make critical decisions about a user alone: decisions taken about users cannot produce legal effects or significantly affect the user.
This means that human oversight should be present in any stage of deploying your AI-powered chatbot to ensure GDPR compliance. It’s essential that you’re able to demonstrate to users that human involvement played a role in shaping these decisions.
Be Log Averse
Evaluate what type of logs you’re maintaining through your chatbot. Do you have error logs? Access logs? Security audit logs?
If you do, determine if these logs contain customer data, such as IP addresses, identifying information, or full names. If the answer is ‘yes’, you might have to put in place a process to delete this customer data. The GDPR prohibits you from keeping and retaining this data without proper justification.
When retention is unjustified, delete any personal data obtained through logs.
At Botpress, we automatically delete personal data obtained through logs after an explicitly defined period of time.
Be Secure
In addition to all the other elements, you must also ensure that you implement technical, organizational, physical, and administrative measures to protect the information being processed through your chatbot.
This could mean ensuring that you:
- Encrypt the customer data at rest and in transit
- Anonymize or pseudonymize customer data
- Appropriately manage your employees' access to customer data based on a need to know basis
- Have appropriate back-ups, among other considerations
These are all appropriate measures to secure the data that is entrusted to you – they’ll vary based on the purpose of your chatbot and the data it collects.
For other examples, you can take a look at Schedule 2 of Botpress’ Data Processing Agreement for a list of security measures we put in place when you build a chatbot with our help.
Building compliant chatbots
Ensuring your chatbot complies with the GDPR isn’t just important for legal or financial reasons. Establishing trust and transparency with your users is integral to your company’s public image and your individual customer relationships. If in doubt, make sure your products and services follow a GDPR checklist to ensure compliance.
We’re happy to help you ensure your AI chatbot complies with necessary regulations. Many features of GDPR compliance are built straight into Botpress so you can focus on bot-building.
For any questions, you can reach out at [email protected].
.svg)
