GDPR and the Chatbot complicates data issues

By SeaKnight, 23rd Feb 2018

Covering how owners and users of chatbots are impacted by GDPR rules


The incoming General Data Protection Regulations will create a lot of issues for any company that stores personal data (i.e., all of them). Coming into force in May and including the UK regardless of Brexit, they represent a major change. Businesses that use chatbots need to ensure their data is protected, secure and not passed on, and that it can be deleted if the person who initiated the chat so desires.

Chatbot data is now an issue

When it comes to chatbots, despite all the hype over AI and other technologies, they are largely just another method of collecting data. Some chatbots might not collect any, simply giving out advice or information in response to questions. Even so, the bot stores an IP address, which could be considered personally identifiable information. And any chatbot that takes an ID, email address, phone number, even a credit card or payment method for an order will fall under the auspices of GDPR.

When it comes to collecting personal data, in an extension of existing data protection laws that date back to the nineties, companies must inform users about the reason for any data collection (which is easy enough for most chatbots, and can be introduced at the start of any chat).

The big change is that the subject of the data can now have full control over the way that data is used, so a business must allow them to inspect, modify and delete that data. They can also ask that data not be used for profiling or identification or sharing with other parties (not just the usual “no marketing” tick box).

Protections and Provisions for Chatbots under GDPR

Clearly, if any data from a chatbot conversation is stored in the cloud, then companies need to ensure that data is secure. Similarly, if you use a Facebook Messenger chatbot, then you need to be aware that Facebook stores and may use that data. Chatbot providers or developers also need to ensure the business can edit and delete information.

Even global chatbot players like SnatchBot, based in Israel, are getting ready for the changes. 'We are well aware of the new regulations and intend to meet the data privacy requirements ahead of the May 2018 deadline.' Best practices will be in place among most worldwide leaders by the changeover.

Given that even a small startup can store huge amounts of information about people, all businesses will need to follow these rules, and have a nominated data protection officer to enforce and advise on the policies.

Privacy must be built in by design, which is why smaller companies have an advantage, as they can more easily update their cloud services, apps or other customer-facing features. Do note that personal data also applies to that of your employees, so staff records, payroll and similar are also included!

With a maximum fine of 4% of turnover, failing to adhere will be a costly failure. The company running the bot will also have to ensure it has the correct procedures and documentation to protect the data and report on breaches if they happen (no more hiding that massive data breach, and hoping a company gets away with it).

Get ready for chatbot change

For many, updating to GDPR simply involves ensuring your provider is in compliance. This may include checking where their data is stored and how secure it is. When it comes to the bot, there has to be confirmation that data can only be stored with consent, and a way to make it accessible by individuals and deletable on request.

As a “data controller,” that is, an organisation that collects data, you will need to be able to explain under the GDPR why you collect data, how you protect it, and how you ensure it remains private through the use of privacy and protection policies. With those steps in place your business should be compliant, but it is best to consult GDPR experts to be sure.

Your customers will expect their data to be safe, so while there is some short-term hassle involved, it is for the wider good in the long term.



Meet the author

SeaKnight
Tech writer focused on how it can change the world, for better or worse

Peter B. Giblett moderated this page.