The GDPR Compliance Checklist for Chatbots: Are You Ready?


Users and businesses alike are still scrambling to understand and deal with the Cambridge Analytica/Facebook scandal, but the deadline for consumer data protection is quickly looming. On May 25, GDPR—the General Data Protection Regulation—goes into effect. While this is an EU law, it’s important to understand that every business processing the data of users who live in the EU must comply with GDPR requirements, regardless of where it is based. Adherence to these new rules is particularly important for chatbots, which rely on user data to provide a personalized experience. So, what is GDPR compliance, and how do you ensure chatbot GDPR compliance? With this GDPR compliance checklist, you can make sure your bot meets the new requirements.

The GDPR Compliance Checklist:

Get Explicit Consent

It’s no secret that no one reads terms of service. And if they attempt to, there’s little chance they would actually understand them. Under the new GDPR requirements, gone are the days of over-complicated terms and legalese. Now, your chatbot must ask for users’ explicit consent before it collects their data. This means using clear, accessible and concise language that a layperson can fully understand. Another requirement is that users must be able to withdraw consent just as easily as they gave it.

So, how do you pull this off for chatbot GDPR compliance? For returning users, push out a notification, or prompt them when they start a new conversation, alerting them to the new terms. The terms should state what is being collected, why it is necessary and how it will be used. Users must accept these terms before they can continue using the bot. New users should expect the same: begin the conversation with the terms, which they must accept before anything else happens.

Provide Users with Access to Their Info

The next point in our GDPR compliance checklist is providing users with access to their information. This is something that many platforms already provide; Facebook, for example, has let users download entire archives of their content and personal data for years. Under the new GDPR requirements, users should be able to download all of their data in electronic form. If your chatbot uses a persistent menu, it’s a good idea to include this option there or in the settings. Otherwise, build a query-and-response flow so users can easily request a data archive.

Users also have the right to know whether their personal data is being used for purposes other than the main user experience and why, such as using data for advertising purposes. Again, include this information in your conversation flow to make it easy for users to find out. Chatbots are all about trust, so don’t bury this information.

Let Users Delete Their Data

This is one of the most important GDPR requirements and is related to the previous point on our GDPR compliance checklist. Under the new requirements, businesses must give users the ability to delete the personal data that has been collected about them. Deletion not only erases the data from your servers but should also stop further dissemination of the data, which means it can also stop third parties from processing it.

Of course, chatbots often need personal or identifiable data to function. It’s a good idea to also make users aware of the issues they might run into if they continue using your chatbot after deleting their data. If you’ve followed all the previous points in this list—educating the user on the necessity of their data for an optimal experience—then this should be simple enough to do.
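As an added illustration of the consent, access and erasure flows described above (example code written for this article, not code from any chatbot platform; the terms text, version number, user store and third-party erase hooks are all constructed assumptions):

```python
import json

TERMS_VERSION = 2  # assumed: bump this whenever the privacy terms change
TERMS_TEXT = ("We store your name and order history so we can answer questions "
              "about your orders. Reply ACCEPT to continue, or ask for "
              "'export my data' or 'delete my data' at any time.")


class ConsentGatedBot:
    """Gates every conversation behind explicit consent to the current terms
    and exposes withdrawal, export and erasure as plain chat commands."""

    def __init__(self, erase_hooks=()):
        # user_id -> {"consent": accepted terms version or None, "data": {...}}
        self.users = {}
        # constructed: callables that tell downstream processors to erase a user
        self.erase_hooks = list(erase_hooks)

    def _record(self, uid):
        # Only the consent state is kept before acceptance; no content is stored.
        return self.users.setdefault(uid, {"consent": None, "data": {}})

    def export(self, uid):
        """Everything held about the user, in a machine-readable form."""
        rec = self._record(uid)
        return {"consent_version": rec["consent"], "data": dict(rec["data"])}

    def erase(self, uid):
        """Erase locally and propagate the erasure to third-party processors."""
        for hook in self.erase_hooks:
            hook(uid)
        self.users.pop(uid, None)

    def handle(self, uid, text):
        rec = self._record(uid)
        cmd = text.strip().lower()
        # Rights that apply whether or not consent is currently given.
        if cmd == "export my data":
            return json.dumps(self.export(uid))
        if cmd == "delete my data":
            self.erase(uid)
            return "Your data has been deleted. Personalized features will no longer work."
        if cmd == "withdraw consent":
            rec["consent"] = None  # withdrawing is as easy as accepting
            return "Consent withdrawn; we have stopped collecting your data."
        # Consent gate: new users, and returning users after a terms change, see the terms.
        if rec["consent"] != TERMS_VERSION:
            if cmd == "accept":
                rec["consent"] = TERMS_VERSION
                return "Thanks. How can I help?"
            return TERMS_TEXT
        rec["data"]["last_message"] = text  # collection happens only after consent
        return f"Got it: {text}"
```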

Artificial Intelligence Alone Can’t Make Important Decisions

The points above are things that all businesses collecting user data will need to care about. But there’s one issue specific to chatbot GDPR compliance. An AI cannot be the sole decision maker when it comes to legal or similarly significant decisions affecting users. For example, an AI alone cannot decide whether a customer is entitled to compensation in a dispute. Users must always have a means of challenging decisions in these cases, and the burden of proving that a human had a say in the decision falls on you. Be aware of this if your chatbot processes claims that significantly affect users.

Some Final Words for Chatbot GDPR

To put the above tips into effect, you’ll need to audit the data you already hold for personal and sensitive data. Ensure your data storage and handling platforms are both GDPR compliant. In addition, you must have measures in place for responding to data breaches. Should a data breach occur, you must report it to users and the Data Protection Authority within 72 hours.

Adhering to the above requirements might initially seem like a headache. But what is GDPR compliance if not instilling trust between you and your users? With chatbot GDPR compliance, you’re not only ensuring you stay on the right side of the law—you’re empowering your users to protect themselves and make the right decisions, which they’ll appreciate.
