
6 Tips to ensure that your chatbots are GDPR compliant


With the GDPR (General Data Protection Regulation) looming over companies that deal with customer data, there are frantic questions being asked about how to make the technological aspects of businesses more GDPR compliant.

One aspect that will need to change is the online chatbot, a tool which burst onto the AI scene and is not going anywhere soon. If you use chatbots as part of your sales and marketing strategies, you’ll need to address the processes you use to collect consumers’ personal data, as well as what you do with this data. Read on for a few tips on how to ensure that your chatbots are GDPR compliant.

Use personal data for the stated purposes only

This is vital for becoming GDPR compliant. Your online chatbot may feel like an informal way of collecting personal data, but in GDPR terms it is a tool that collects and processes personal data, so the regulation applies to it in full. That covers what users type (names, email addresses, phone numbers, order details) and what the bot records about them (messenger IDs, IP addresses, conversation history).

This is the purpose limitation principle (Article 5(1)(b)): you may only use the data for the purposes you stated when you collected it, such as sending newsletters, emails or SMS marketing messages, or contacting users on Facebook Messenger. Using it for anything else breaches the regulation, and the top tier of fines goes up to €20 million or four percent of worldwide annual turnover, whichever is higher. If you tell customers you will use their email address and mobile number to send them information about your products and services, do that and nothing more. If you later want to use the data for a new purpose, you have to tell them first, and where consent was your basis you need fresh consent for it.

Consent is key

Chatbots and humans are better together, there's no doubt about that. Your online chatbot most likely needs personal data from consumers in order to provide a personalized experience, and every use of personal data needs a lawful basis under the GDPR (Article 6). For marketing through a chatbot that basis is almost always consent, and consent only counts if it is freely given, specific, informed and unambiguous, given by a clear affirmative action. Silence, pre-ticked boxes and simply carrying on with the conversation do not count.

At the start of a conversation, your chatbot should present users with a clear and easy-to-understand consent prompt. Gone are the days of lengthy, impenetrable consent forms. Now you need to tell users how and why you'll use their data before asking for consent, with a separate yes for each purpose rather than one bundled opt-in, and withdrawing consent must be as easy as giving it. Keep a record of what was shown, what was agreed to and when, because you have to be able to demonstrate that consent was given. It doesn't have to sound 'robotic', but it should be informational and easy to understand.
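The two sections above, purpose limitation and consent, come down to one engineering rule: record exactly which purposes a user agreed to, and check that record at every point where the data is used, not only at sign-up. The following Python ledger is an added example written for this article; it is not code from the original page or from any chatbot vendor. The purpose names, notice version, user IDs and the `send_newsletter` sender are all constructed for illustration.

```python
"""Consent ledger with purpose-bound checks.

Added example for this article, not code from the original page or from any
vendor. Purpose names, notice versions and user IDs below are constructed.
"""
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional


class NotConsented(Exception):
    """Raised when data would be used for a purpose the user never agreed to."""


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    purpose: str                       # one purpose per record, so each can be withdrawn alone
    notice_version: str                # which wording the user actually saw
    channel: str                       # where consent was given, e.g. "chatbot"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Stores what each user agreed to and refuses any other use of their data."""

    def __init__(self, stated_purposes):
        # Only purposes that appear in the privacy notice can ever be consented to.
        self.stated_purposes = frozenset(stated_purposes)
        self._records = []

    def record(self, user_id, purposes, notice_version, channel, now=None):
        """Record an affirmative opt-in. Purposes are separate: no bundling."""
        now = now or datetime.now(timezone.utc)
        unknown = set(purposes) - self.stated_purposes
        if unknown:
            raise ValueError(f"purpose(s) not in the privacy notice: {sorted(unknown)}")
        for purpose in purposes:
            self._records.append(ConsentRecord(user_id, purpose, notice_version, channel, now))

    def withdraw(self, user_id, purpose, now=None):
        """Withdrawal must be as easy as giving consent; here it is one call.
        The record is kept (with a withdrawal time) so the history stays provable."""
        now = now or datetime.now(timezone.utc)
        self._records = [
            replace(r, withdrawn_at=now)
            if r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None
            else r
            for r in self._records
        ]

    def allows(self, user_id, purpose):
        return any(
            r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None
            for r in self._records
        )

    def require(self, user_id, purpose):
        """Call this at every point that uses personal data, not just at sign-up."""
        if purpose not in self.stated_purposes:
            raise NotConsented(f"{purpose!r} is not a stated purpose at all")
        if not self.allows(user_id, purpose):
            raise NotConsented(f"user {user_id} has not consented to {purpose!r}")

    def export(self, user_id):
        """The user's consent history, as it would go into an access request reply."""
        return [asdict(r) for r in self._records if r.user_id == user_id]


def send_newsletter(ledger, user_id, email):
    """A downstream action guarded by the purpose check (hypothetical sender)."""
    ledger.require(user_id, "newsletter")
    return f"queued newsletter to {email}"


if __name__ == "__main__":
    ledger = ConsentLedger({"newsletter", "sms_marketing"})
    ledger.record("u-4711", ["newsletter"], notice_version="2024-05", channel="chatbot")
    print(send_newsletter(ledger, "u-4711", "ana@example.com"))
    try:
        ledger.require("u-4711", "sms_marketing")   # never agreed to SMS
    except NotConsented as e:
        print("blocked:", e)
```

The point of `require()` sitting inside `send_newsletter()` rather than in the sign-up flow is that purpose limitation is enforced where the data is used; a new marketing job that calls the sender for a purpose the notice never stated fails closed instead of silently reusing the data.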

Give users access to their information

One of the points on the GDPR checklist for online chatbots is that you need to give users access to their information once you've collected it. Users have the right to obtain a copy of their data (Article 15) and, for data they provided themselves, to receive it in a structured, commonly used, machine-readable format (Article 20); in a chatbot this can be a query-and-response flow that produces a download. They also have the right to have inaccurate data corrected and to have data erased (Articles 16 and 17), and requests have to be answered within a month (extendable for complex cases). One security caveat: a 'send me my data' command in a messenger channel hands the data to whoever controls that account or session, so verify that you are talking to the data subject before the bot releases anything.

As well as being able to access their own information, users have the right to know whether their details are being used for purposes other than the ones you stated, such as advertising or campaigns. Put this information in the chatbot's conversation flow, remembering that chatbots are all about user trust. Hiding information not only tarnishes your reputation but can have serious legal consequences.

Look back at your logs

Reviewing your chatbot logs is an important part of making it GDPR compliant. Web and messaging servers commonly keep several kinds of logs, such as access, error and security audit logs. These can hold personal data such as messenger user IDs, IP addresses, names, and whatever users typed into the conversation.

You need a lawful basis for keeping this data, and you need to tell users that it is kept. Security and error logs are commonly kept on the basis of legitimate interests (the regulation's recitals name network and information security as one), but that basis only covers what is necessary: a retention period you can justify, access restricted to the people who need it, and no reuse of the logs for marketing or profiling. Keeping conversation content to improve the bot is a separate purpose that users must be told about, and where consent is your basis you need consent for that purpose too. Reviewing your logs lets you find every place personal data lands, minimise it (pseudonymise or truncate IP addresses, keep message bodies out of error logs), and be in a position to delete or export it when a user exercises their rights.
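What such a log review looks like in practice, as an added example written for this article (not code from the original page or any vendor): a Python script that scans log lines for the identifier types the section mentions, replaces them with keyed-hash pseudonyms so the lines stay correlatable for debugging without holding raw identifiers, flags lines older than a stated retention period, and removes every line about a subject who has asked for erasure. The log format, the `user_id=` field name, the key and the sample lines are all constructed assumptions; adapt the patterns to your own logs.

```python
"""Find, pseudonymise and expire personal data in chatbot logs.

Added example for this article, not code from the original page or any
vendor. The log format, the field name user_id=, the key and the sample
lines are constructed assumptions.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of the access/error lines a messenger webhook might write.
SAMPLE_LOG = [
    '2024-05-03T10:22:01Z INFO  webhook user_id=4711 ip=203.0.113.42 msg="hi, my email is ana@example.com"',
    '2024-05-03T10:22:05Z INFO  webhook user_id=4711 ip=203.0.113.42 msg="send me the newsletter"',
    '2024-05-03T10:23:40Z ERROR webhook user_id=9002 ip=198.51.100.7 msg="timeout talking to CRM"',
    '2024-05-03T10:24:12Z INFO  health  ip=10.0.0.5 msg="ok"',
]

# Hypothetical key. In production it lives in a secrets store; destroying it
# turns every pseudonym into an unlinkable token.
PSEUDONYM_KEY = b"example-key-rotate-me"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
USER_ID = re.compile(r"\buser_id=(\d+)")          # assumed field name
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
# Names cannot be found reliably with a regex: review message bodies by other
# means, or better, do not log message bodies at all.


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based
    kind: str         # "ip", "email" or "user_id"
    value: str


def scan(lines):
    """List every identifier the lines contain, so you know what you hold."""
    found = []
    for n, line in enumerate(lines, 1):
        found += [Finding(n, "ip", m.group(0)) for m in IPV4.finditer(line)]
        found += [Finding(n, "email", m.group(0)) for m in EMAIL.finditer(line)]
        found += [Finding(n, "user_id", m.group(1)) for m in USER_ID.finditer(line)]
    return found


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed hash: equal inputs give equal tokens, so one user's lines stay
    correlatable, but without the key nothing is reversible. A plain SHA-256
    would not do: IPv4 addresses and short numeric IDs can be brute-forced."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(line, key=PSEUDONYM_KEY):
    """Replace raw identifiers with bracketed tokens that scan() no longer matches."""
    line = EMAIL.sub(lambda m: f"<email:{pseudonym(m.group(0), key)}>", line)
    line = IPV4.sub(lambda m: f"<ip:{pseudonym(m.group(0), key)}>", line)
    line = USER_ID.sub(lambda m: f"user_id=<id:{pseudonym(m.group(1), key)}>", line)
    return line


def erase_subject(lines, identifiers, key=PSEUDONYM_KEY):
    """Drop every line about one data subject, whether it still holds the raw
    identifier or an already pseudonymised token. Returns (kept, removed)."""
    raw = set(identifiers)
    tokens = {pseudonym(v, key) for v in identifiers}
    kept = []
    for line in lines:
        if {f.value for f in scan([line])} & raw or any(t in line for t in tokens):
            continue
        kept.append(line)
    return kept, len(lines) - len(kept)


def expired(lines, now=None, retention_days=30):
    """Lines older than the retention period your privacy policy promises."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    out = []
    for line in lines:
        m = TIMESTAMP.match(line)
        if m and datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc) < cutoff:
            out.append(line)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    for line in SAMPLE_LOG:
        print(pseudonymise(line))
    kept, removed = erase_subject(SAMPLE_LOG, ["4711"])
    print(f"erasure request for user 4711 removed {removed} line(s)")
    print(f"{len(expired(SAMPLE_LOG))} line(s) past the 30-day retention period")
```

Two design points worth noting. The HMAC rather than a bare hash matters because the input space of IPv4 addresses and four-digit IDs is tiny; a keyed hash keeps the tokens unguessable for anyone without the key, and rotating or destroying the key is a cheap way to make old logs unlinkable at the end of the retention period. And `erase_subject()` matches both raw and pseudonymised forms, because an erasure request typically arrives after some logs have already been through the pseudonymisation step.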

AI cannot make important decisions alone

Online chatbots use AI (artificial intelligence) to function and to provide a customized experience for each user. However, it is vital to remember that AI must not make significant decisions about a person on its own, especially when it comes to legal matters or other decisions that could seriously affect users.

Your AI might be on par with HAL 9000's intelligence (well, let's hope not), but a chatbot is not allowed to decide on its own whether or not a person is entitled to compensation in a dispute. Article 22 gives people the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects them. If you want your online chatbot to be GDPR compliant, you'll need to show that a human reviewed these decisions, and the review has to be meaningful: a person with the authority and information to change the outcome, not a rubber stamp on the bot's output. Users must also be able to contest the decision. This is vital if your chatbot handles claims that can significantly affect users, as it would for insurance companies or legal professionals.

Don’t forget to update your privacy policy

One of the rules of the GDPR is that all companies utilizing consumer data need to have a clearly stated privacy policy which contains the following pertinent information:

  • What information is collected?

  • Who is collecting it?

  • Why is it being collected?

  • How long will it be kept?

  • Who will it be shared with?

  • How can consumers withdraw their consent and exercise their other rights (access, correction, erasure, complaint to a supervisory authority)?

This privacy policy needs to be shown to users before their data is collected, so you can use a link in your chatbot’s conversational flow to share it with consumers or have a summarized version as part of your chatbot’s introductory greetings and conversation.

The GDPR requires strict and secure data processing practices

Once you receive data from consumers using the chatbot, you'll need to adhere to the security requirements set out in the GDPR (Article 32): technical and organisational measures appropriate to the risk, which the regulation says explicitly include pseudonymisation and encryption, along with the ability to restore data after an incident and regular testing of those measures. In practice that means encrypting the data in transit and at rest so that anyone who gets hold of a backup or a database dump does not see it in plain text, and keeping the encryption keys separate from the data: a chatbot back end that decrypts everything with a key stored next to the database gains little. Restrict which people and which systems can read conversation data, and have a process ready to notify your supervisory authority within 72 hours of becoming aware of a breach (Article 33).

Your data processing practices will need to change to support a compliant online chatbot, but if you already have strict practices in place the changes may not be drastic. Showing users that you use their data only in the way you said you would builds their trust in your business and in your chatbots, which can increase profits and success.

It's vital to ensure that you have valid consent from users (or another lawful basis you can name), and that you give users access to their data as well as the ability to delete it if they wish. Don't let the AI in your chatbots make significant decisions alone; use humans for decisions that affect clients. Having a privacy policy is vital, so be sure it is clearly stated before you collect any data from consumers. If you're interested in more information, read our recent article detailing what the GDPR and the 'right to be forgotten' could mean for data-driven marketing and customer analytics.
