GDPR and chatbots - a guide to compliance

Arbi Jaupi
Automated Conversations

It is time! The long-awaited General Data Protection Regulation (GDPR for those who know) has at last entered into force and is fully operational as of May 25th 2018.

10 minutes, that’s the time it will take you to get familiar with what will be expected of you. The following pages are essential for your understanding of the whys and wherefores of the new regulation.

This guide is a simplified GDPR compliance kit for those who have ‘missed the boat’ and especially for chatbot builders to rely on.

Before giving you a checklist of GDPR-proof Do’s and Don’ts (you can skip directly to Part 2 if patience is not your virtue and if you’re familiar with basic data protection principles), here are the major changes at a glance.

1. GDPR major changes

Without being exhaustive, the new regulation brings a series of changes and improvements while strengthening the current regulatory framework.

A broader scope of application

The extended jurisdiction of the GDPR is arguably the biggest change to the current data protection landscape.

To put it in simple terms, the GDPR will apply to:

  • the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not;
  • the processing of personal data of data subjects residing in the EU, regardless of the place of establishment of the controller or processor, as long as they direct their activities to EU residents by offering goods or services or by monitoring their behaviour within the Union.

That means, from now on, “Thank God I’m based in the US” is no longer a valid ground to circumvent major privacy principles that prevail within the EU. Some will undoubtedly argue that such a manifest extraterritorial applicability of a European regulation is not acceptable. But that is a whole other matter that we will not address here.

Data protection core principles

The principles governing personal data protection under the GDPR are broadly similar to those set out in the 23-year-old Directive 95/46. According to those principles, personal data must be:

  • processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency);
  • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation);
  • adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed (data minimisation);
  • accurate and, where necessary, kept up to date. Personal data that are inaccurate, with regard to the purposes for which they are processed, must be rectified or erased without delay (accuracy);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
  • processed in a manner that ensures appropriate security of the personal data, using suitable technical or organisational measures (integrity and confidentiality).

Last but not least, and a new addition to the list: the controller shall be responsible for, and be able to demonstrate compliance with, these principles (accountability).

Consent

The conditions for valid consent have been strengthened while the definition has been broadened. For the consent of the data subject to be valid, make sure it is:

  • freely given,
  • specific,
  • informed,
  • unambiguous.

New limitations are put forward on the use of consent and the processing of children’s data. Every Member State shall fix by law an age limit below which parental authorization is required, provided that such lower age is not below 13 years. In France, for instance, the processing of personal data of a child shall be lawful where the child is at least 15 years old.

Data subjects rights

Granting individuals rights to their data is not a novelty. What the GDPR does is reassert existing rights while introducing a new one. In short, data subjects have the right to access, rectify or erase their personal data but also the right to restrict or object to the processing of information they ‘own’.

The regulation introduces the new right of data portability.

This right allows data subjects to receive the personal data which they have provided to a data controller in a ‘structured, commonly used and machine-readable format’. They can then transmit those data to another data controller of their choice without hindrance. This has a double implication:

  • For most organisations, the new right of data portability represents a real burden as it requires substantial investment in new systems and processes capable of meeting interoperability standards.
  • For others, this new right opens a window of new opportunities to attract customers from competitors.

Data governance obligations

The GDPR introduces a series of ‘data governance’ concepts that create new operational obligations for organisations.

Data protection by design and by default

This concept is not new.

‘Privacy by design’ means that data protection considerations should be integrated from the design stage of a project. Privacy should be an essential component to be taken into account upfront and placed at the heart of a process.

Alongside ‘privacy by design’ lies the ‘privacy by default’ obligation, according to which data controllers should apply the strictest privacy settings by default.

To put it simply, personal data must only be used for the specific purpose for which they were collected. That completes, in a way, the data minimisation principle mentioned above.

Privacy impact assessment

A PIA is a process which helps an organisation to identify and reduce the privacy risks of a project. If you think that may impose a significant burden on your organisation, you’re quite right. Fortunately, you don’t have to carry out a PIA unless the processing is likely to result in a high risk to individuals. It is, though, an approach to consider whenever you carry out a major project which requires the processing of large amounts of data. For those concerned, the French supervisory authority (CNIL) has released free software to guide you through it: https://bit.ly/2xwHQ2W

Appointment of a DPO

Although the GDPR highly recommends the appointment of a DPO, not every organisation is obliged to do so. You must appoint a DPO if:

  • you are a public authority;
  • your core activities require large scale, regular and systematic monitoring of individuals (e.g. tracking of online behaviour);
  • your core activities require large scale processing of special categories of data such as sensitive data or criminal records.

If you are not certain whether or not you are required to appoint a DPO, check out the relevant guidelines on Data Protection Officers: https://bit.ly/2J0gmYZ

Sanctions

Non-compliance with GDPR requirements exposes controllers and processors to stiff fines.

Organisations in breach can be fined up to 20 million euros or 4% of their annual global turnover, whichever is higher.

2. GDPR checklist for chatbots

Without personalization there is no chatbot; without data there’s no personalization. Therefore, the more data the bot collects, the better it performs.

Get your priorities straight. Bear in mind the core principles mentioned above. They should serve as an answer to your questions. If not, you’re asking the wrong questions.

In order to GDPR-proof your chatbot, here’s a checklist to focus on:

Am I a data controller or a data processor?

The distinction is crucial. Knowing who’s who will determine what regime you’ll be subject to and which obligations you’ll abide by. The dichotomy is essential and organisations need to understand the difference.

A data controller is the entity that determines the purposes, conditions and means of the processing of personal data.

A data processor is the entity which processes personal data on behalf of the data controller.

The distinction being made, bear in mind it is not exclusive. Things are not always black and white. That means you may very well be both data controller and data processor depending on the situation. Let’s take a concrete example. Here, at itsAlive, we provide a platform to create custom chatbots designed to work directly within Facebook Messenger.

With regard to the clients who use our service to set up a chatbot for their own Messenger, we act as a data controller. That means we determine the purpose and means of the processing (service personalization, billing etc.). Similarly, we act as a data controller while dealing with personal information of our employees (payroll, human resources etc.).

With regard to the end users who interact with the chatbot created by the client, we act as a data processor. The perimeter of our actions is therefore framed by the party that defines our role in the processing (here the client who customizes the bot).

In more general terms, the controller sets the goals; the processor carries out the ‘technical’ steps necessary to accomplish them. While the previous data protection Directive regulated controllers mainly, GDPR directly regulates processors for the first time. Under the Regulation, they will be required to take responsibility for compliance.

What kind of personal data do I collect?

Informing individuals about the type of data you collect as a data controller is paramount. Your privacy policy must specify all data categories that you collect and process. By way of example:

  • Data collected during an account set-up (name, email address etc.)
  • Data collected during a paid subscription (bank details etc.)
  • Data collected when a user spontaneously contacts you (email address, any information that the user voluntarily provides etc.)
  • Technical information (IP address, geolocation data, device type, online activities obtained through cookies etc.)

It goes without saying that sensitive data (genetic, biometric or health related data, as well as information on racial and ethnic origin, political opinions, religious or ideological conviction or memberships in a union) are subject to a higher level of protection.

Is the consent valid and does it correspond to the purpose of processing?

Rule numero uno: avoid pre-ticked checkboxes to collect consent. As mentioned above, individuals should be able to give free, clear, informed and unambiguous acceptance of what is offered to them. Also, inactivity or silence should not constitute consent. Preference should be given instead to clear affirmative action.

In the event a service is offered directly to children, provide child-friendly notices by using clear and plain language.

Do not forget, “consent” and “purpose” must work in tandem.

That means whenever a data controller intends to further process the personal data for a purpose other than that for which the data were obtained in the first place, prior information on the new purpose must be provided to the data subject. Thus, you cannot use the email address provided by an individual who voluntarily uses the ‘contact form’ of your website to send him newsletters or promotional offers pertaining to the services you offer. That is not what he ‘signed’ for.

Have I provided appropriate information about the data processing and the individuals’ rights?

Transparency is the golden rule! If you are a data controller, make sure you provide a clear and intelligible information notice to ensure transparency of the processing. Redirecting a user to a long and tedious ‘terms & conditions’ section is no longer an adequate way to obtain valid consent or provide appropriate information. More specifically, as a data controller there are 2 key steps to follow:

Provide transparent information with regard to the processing by specifying:

  • the identity and contact details of the controller (or the DPO when applicable)
  • the type of data you collect
  • the purpose of processing
  • the retention period of the data
  • the recipients of the data
  • details of data transfers outside the EU and the appropriate safeguards (e.g. BCRs, Privacy Shield etc.)

Provide transparent information with regard to the data subjects’ individual rights:

  • of access
  • to rectification
  • to erasure (‘right to be forgotten’)
  • to restriction of processing
  • to object
  • not to be subject to automated decision making (profiling)
  • to data portability

In addition to providing information, you must also be able to comply with requests from individuals. That means you must secure the right methods to respond to a request in an adequate way. Let’s take the example of data portability, an ambitious addition to the GDPR. The right to port data allows individuals to obtain and reuse their personal information for their own purposes across different services of their choice. As a data controller, you must be able to recognise a request for data portability and be able to use appropriate and secure methods to transmit the data in a structured and machine-readable format.

Have I implemented an adequate risk management system?

The GDPR requires personal data to be processed securely. This is a new data protection principle that applies to both the data controller AND the data processor. That implies that you take appropriate measures to guarantee information security and preserve the integrity and confidentiality of the data you manage. This includes physical and organisational security measures such as:

  • Implement risk analysis in order to assess the appropriate level of security
  • Carry out technical controls, regular audits and corrective measures when necessary
  • Have effective incident response procedures
  • Ensure that any data processor you use also implements appropriate technical and organisational measures
  • Set up a breach notification system. Unless the breach is unlikely to result in a high risk for the rights and freedoms of the individuals concerned:
      • data processors must report personal data breaches to data controllers without undue delay after becoming aware of them
      • data controllers must report personal data breaches to the national supervisory authority (e.g. the French CNIL) AND to data subjects without undue delay.

Are the third parties I work with GDPR compliant?

In the course of your activity you’ll most likely work with third parties, whether they are based in the EU territory or not. Make sure the partner companies you exchange data with are GDPR compliant. That includes safeguards such as, for US-based companies (e.g. a hosting service provider), a certification under the Privacy Shield framework. More specifically, you are required as a data controller to review and map key international data flows in order to ensure appropriate safeguards. The signature of a legally binding document stating the level of commitment with regard to GDPR requirements is necessary whenever you call upon the services of a data processor.

Am I able to demonstrate compliance with GDPR requirements?

Keep a record of your processing activities. That applies to both data controllers AND data processors as part of the new ‘accountability’ principle introduced by the regulation. According to this principle, you are not only responsible for complying with the GDPR but you must also be able to demonstrate your compliance. Here are a number of measures that you can take:

  • Implement comprehensive policies and procedures:
      • by updating your privacy policy with respect to GDPR requirements;
      • by notifying your clients of the measures you have taken in the context of your commitment to comply.
  • Maintain documentation of your processing activities (data-mapping) by specifying:
      • data categories
      • processing purposes
      • data transfers
      • retention period.
  • Carry out data protection impact assessments whenever the processing is likely to result in high risk to individuals’ interests;
  • Set up an effective system for recording and reporting data breaches;
  • Appoint a Data Protection Officer when necessary.

3. Conclusion

Once again, the above-mentioned checklist is not to be taken as exhaustive. There is much more to this regulation and it is highly recommended you check it out for a broader and sharper comprehension: https://bit.ly/2HPHMw8

Last but not least, aim for privacy by design and by default.

The GDPR shouldn’t be seen as another strict and rigid regulatory framework designed to haunt companies. It is rather to be perceived as a formidable initiative intended to instil a privacy-oriented behaviour in businesses. Privacy matters. Period!

Arbi Jaupi
Automated Conversations

Contracts Manager @Google ex Legal @ReputationSquad & DPO @itsaliveapp #DataProtection #GDPR #NTIC #Digital #IP #Innovation #EUlaw #Chatbot