Only one month left until the GDPR will take effect and people are already freaking out. If you haven’t made yourself familiar with this topic, you need to do it now! This article will give you a summary of what you need to know and provide you with steps to make your chatbots GDPR compliant.

Note: This article is for informational purposes only. It is not legal advice. Please reach out to your legal counsel to receive tailored guidance on how the GDPR may impact your project.

The GDPR will replace the given Data Protection Directive in the European Union. It is designed to harmonize data privacy law across Europe and will give more protection to individuals. It defines how E.U. citizens' data must be handled and will gain regulatory on the 25th of May 2018 . It will affect businesses of all sizes and no matter where they are located. Everyone handling E.U. citizens' data will be bound to the GDPR's rules. Abuses will lead to big fines, which is why this topic should be taken very seriously.

But don’t panic! Besides everything that is changing and the resulting effort, it will help people to get back control over their information. GDPR will help us to provide more data protection worldwide. This is a good thing and an important step for everyone!

Note: The GDPR will not affect you if you are a private person collecting personal data for personal reasons only.

Key Changes

New Roles

Throughout the GDPR and this article, there are roles you need to know about:

Data Subject : A natural person whose personal data is processed by a controller or processor.

: A natural person whose personal data is processed by a controller or processor. Data Controller : Decides the purpose of the collected personal data.

: Decides the purpose of the collected personal data. Data Processor: Processes on behalf of the Data Controller.

Increased Territorial Scope

The GDPR applies to all companies processing personal data of users, regardless of the companies location.

Penalties

Violating GDPR rules will lead to fines up to 4% of annual global turnover or €20 Million (which is greater).

Consent

Long and difficult to read terms and conditions are not valid anymore. Prior consent must be given in an accessible and easy form. Withdrawing must be as easy as giving it as well.

Personal Data Definition

Personal data means any information relating to a directly or indirectly identified or identifiable natural person. This includes any identifiers such as name, identification number, location data, email address, photo, bank details, medical information, posts on social networks or IP address.​

Data Subject Rights

Right to get notified within 72 hours of a data breach

Right to gain access to the stored personal data

Right to be forgotten

Right to receive personal data in a readable format

Privacy by Design and Default

Process Personal Data

You are allowed to process personal data for the following reasons:

User has given prior consent

Processing is necessary for the performance of a contract (e.g., store address in order to ship product)

Processing is necessary for compliance with a legal obligation (e.g., Accounting)

Processing is necessary for the performance of a task carried out in the public interest

Processing is necessary for vital interests (e.g., transferring medical data)

The GDPR distinguishes between the data controller and the data processor. The data controller determines the purpose and means of the processing of the personal data. The data processor processes this data. It gets much easier looking at an example. On my blog, I collect emails for my personal newsletter. I use MailChimp to store the subscribers and to send out the newsletters. In this case, I am the data controller because I decide what to collect and what happens with the data. MailChimp is the data processor.

As a data controller, I need to make sure my data processors are GDPR compliant. This is done by a data processing agreement. Yeah, that's right. You need such an agreement for every of your data processors. In the case of MailChimp, you can create such an agreement automatically on their site.

Here is a short list of other services you might already make usage of:

Provider (DigitalOcean, Linode, etc.)

Analytic Tools (Google Analytics, etc.)

Email Marketing (MailChimp, Campaign Monitor, etc.)

Check all of them for given information about if they are GDPR compliant. Most of them also already have agreements prepared for you. If you don’t find any info on their websites, contact them.

Documentation

The accountability principle requires you to document that your organization processes personal information in line with the GDPR. Next, to the mentioned processor agreements, you need to maintain a record of processing activities . This is true for controllers and processors at the same time. It forces you to write down what data you collect for which reasons and who you share it with. If there is an investigation, you will need to provide this information. This is the base for every other to make your business and projects GDPR compliant.

ePrivacy Regulation

Next, to the GDPR, there will also be a new ePrivacy regulation. It will replace the current ePrivacy Directive, also known as Cookie Law. Different to the GDPR, it will focus on how that personal data is used in the context of communication. We don't know yet when it will take effect, but you should be aware of it.

Back to Chatbots

These were some key facts about the upcoming GDPR. Of course, there is much more to this regulation, and you should check the official website for more details.

In general, GDPR for chatbots is very similar to any other application. It’s all about giving your user enough information on what is happening with their personal data, before you store it.

11 Steps to Take

Here are the steps to make your chatbot GDPR compliant:

Are you a business? Check what data you’re storing. Identify personal data. Are you allowed to process personal data? Use personal data for the agreed purpose only. Use data protection by default. Provide enough and precise information about used data. Give the user access to stored personal data. Give the user the possibility to delete stored personal data. Add a privacy policy. Make sure you don’t log personal data.

Example

I am running a chatbot for my book Build Chatbots with PHP. It works as a messenger newsletter. The user can subscribe to get news on the book via Facebook Messenger. Let’s work together through my steps to make it GDPR compliant.

Are You a Business?

As noted already, the GDPR only affects businesses. So if you’re a private person collection personal data from E.U. citizens for personal reasons only, you’re done here and don’t need the other steps.

I am a business, and the chatbot is also about a book I sell. So for me, it means the law will affect me and need to go on with the other steps.

Check What Data You’re Storing

I am storing user information of everyone who is talking to the bot. These are the values that I store:

Facebook Scoped ID

First name

Last name

Profile picture URL

Locale code

Gender

Identify Personal Data

That’s easy. All of the fields are personal data.

Are You Allowed to Process Personal Data?

We could argue, that it is evident that the chatbot needs personal data to send out messages. Still, this would only be a valid argument for the Facebook ID. It is better to assume we are not allowed yet. I also store personal data before asking the user about the subscription. If the user agrees, I set a flag to mark the user as a subscriber. That’s a great example of how you shouldn't handle it.

Use personal data for the agreed purpose only

The chatbot asks its users before adding them as a subscriber. It then sends them news about the book via Facebook messenger. The personal data is not used for anything else.

Use data protection by default

There is data protection by default and by design. By Design means we should think about data protection from the very beginning of a project. By Default means we should ensure that default settings should have the highest possible data privacy. It also means you shouldn't save any information you do not need.

Actually, I only need the user’s name and the Facebook ID to send out messages. The other fields are not relevant to the use-case. As mentioned, I also store information about users even if they don’t subscribe. That is not valid anymore, because there is no communicated purpose and no consent. I need to change my chatbot to only store the minimum of data required for sending out messages and only to store them for subscribed users.

Provide Enough and Clear Information About Used Data

Here is the information the chatbot provides about the subscription and usage of data.

Apparently, the bot is not telling enough. I need to update this section to give users a better insight into what is happening. It must be obvious what they are subscribing to and what personal data is being used. You also need to mention the privacy policy.

Give the User Access to Stored Personal Data

My chatbot was missing a feature to show stored personal data. This is why I added a new section in the menu. It is now easy for the user to see the stored data.

Give the User the Possibility to Delete Stored Personal Data

The same goes for the right to be forgotten. In the menu is another option to let the user delete its data.

Add a privacy policy

GDPR requires all companies operating in the EU to have a privacy policy. It should contain:

What information is collected?

Who collects it?

Why is it collected?

How long will it be used?

Who will it be shared with?

How can I withdraw?

You need to let users know about this policy before collecting personal data. As you have seen, I provide a link to it within the subscription information. You can check out my Newsletter Chatbot policy to get a better understanding of what it could look like. Additionally, there is also a new menu link to the updated privacy policy.

Be Careful with Server Logs

While working with chatbots, it is common to log incoming requests from messenger services like Facebook or Telegram. They help a lot while debugging, but they contain personal data like IDs, messages, and names. You are not allowed to store them without prior consent or the mentioned permitted reasons. I only turn them on for debugging purposes now

The same goes for general server logs. They often contain IPs and other personal data like usernames from the URL. Here people discuss if they are mandatory for securing the access to the application. This would be a valid reason to store them. But, then you need to make sure to mention this in your privacy policy, as well as taking care of deleting them as soon as possible.

Conclusion

The General Data Protection Regulation brings a lot of changes to the web. It is an entire complex topic, and you need to take some time to make yourself familiar with. Everybody is trying right now to make their products GDPR compliant and as you have seen it is not that easy and clear what it takes. I hope this article could help you to get a better understanding of this new regulation and what it means for your chatbots.

This article focused on the project side of GDPR. Please keep in mind that there is much more for you or your company to consider to fulfill the GDPR.