How do the EU General Data Protection Rules affect Chatbots?
With the new EU General Data Protection Rules (GDPR) we have to rethink how we develop chatbots. The GDPR regulates how companies (anywhere in the world) have to handle the personal data of EU citizens, and 'personal data' means any information relating to an identified or identifiable natural person (the data subject). Chatbots clearly use and store personal data.
So what do we have to take care of when developing chatbots?
Principles
The data collected via the chatbot should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). This principle requires a chatbot developer to make sure that the data collected during a chat is stored and safeguarded properly, which means that the location where the data is stored needs to be known at any point in time. Another principle is the lawfulness of processing. This is given in most chatbot use cases if the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract (e.g. a user providing personal information via a chatbot in order to get an insurance quote).
Rights of the Data Subject
The new law provides many rights to the user of a chatbot in case personal data is collected and stored. These range from transparency about who is collecting the data and where, to fundamental rights such as the right to information and access, rectification and erasure. Another important topic to take care of is the transfer of personal data to third countries or international organisations. All these topics have to be considered in a conversational flow with a chatbot where personal information is involved and stored.
Liabilities and Penalties
Not to be forgotten are the possible penalties that can arise if the company using chatbots is not in compliance with the GDPR. Non-compliance shall be subject to administrative fines of up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. This can add up to serious amounts, which could cause considerable financial trouble for a company.
Recommendations
Taking all these GDPR topics into consideration, it is definitely recommended to consider running the chatbot development platform on-premise. This way the data storage location is known for sure and you have control over the flow of the data and where the data resides. In addition you can manage the database in a way that it can be included in your company-wide established processes related to the rights of a data subject (e.g. when a user requests information about all data stored about him/her).
In case you are using a cloud service or hosting provider, you have to make sure that you enter into a so-called processor agreement with that provider. In this agreement you have to specify all the relevant topics and then include them in your internal processes.