How to Reconcile Chatbots and the GDPR

In order to provide increasingly individualized responses, a chatbot needs to be supplied with data about the person it’s dealing with. Therefore, the collection, analysis and treatment of information are an integral part of its function. The General Data Protection Regulation (GDPR), which will go into effect in May of 2018, raises questions regarding the treatment of personal information by chatbots. How can you ensure that your chatbot is in compliance with the GDPR?

No data = no personalized chatbot

Chatbots rely on a number of artificial intelligence sub-routines, including Natural Language Processing (NLP), which enables them to understand users’ inquiries and identify personal or contextual information. This allows them to individualize the dialogue.
A dialogue with a chatbot follows a predefined conversation framework that is adapted to each user and to that user's previous interactions. The more data the bot collects, therefore, the better it performs.
Imagine a restaurant website with a chatbot capable of taking orders via an instant messaging window. Without knowing the user’s name or address, it’s difficult to send out a delivery… But by the fourth time that same user orders, the bot will not only be able to automatically retrieve the user’s address, but will also be able to suggest favorite dishes or display the amount of the customary tip!
The GDPR governs the storage and use of personal data of this type, which are precisely what guarantee the effectiveness of chatbots. So what are the exact implications of this new European regulation?

How to guarantee that my chatbot is GDPR compliant

In France, the National Commission for Information Technology and Civil Liberties (CNIL) already protects personal information, prohibiting data from being collected without the consent of the person concerned. However, this legislation stops at the French borders: any data collected on foreign servers, like those of Facebook or Google in the United States, for example, is no longer the property of the individuals, but instead, becomes property of the companies. Using a French or European web host is one of the first conditions for GDPR compliance.
The objective of the GDPR is to standardize the collection and treatment of European citizens’ personal information. Its action plan focuses on three key areas:

  • User consent: this is indispensable before collecting or using any information regarding users’ private, professional or public life.
  • Use of data: it may only be used for the purposes for which it was obtained, which must be explicitly mentioned to users.
  • The right to deletion: at the user’s request, all data that has been collected may be permanently deleted down to the last detail.

Companies using chatbots must make sure that their provider is in compliance with these requirements. Otherwise, they risk fines of up to 20 million euros or four percent of their annual revenue! Concretely, this means that:

  • The chatbot service and all data must be hosted in Europe.
  • Consent must be obtained from individuals before their personal information can be retained.
  • The right of users to access, correct and delete their personal information must be respected.
  • The period during which data may be used must be mapped and controlled.
  • Access to data must be protected, and a Data Protection Officer must be designated to issue alerts.
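The requirements above (consent before retention, use only for the declared purpose, access and correction, a mapped retention period, and erasure on request) can be enforced at the storage layer rather than left to each conversation script. The following is an added illustration written for this article, not code from Living Actor or from any chatbot product. The store, the two purposes ("delivery" and "recommendations"), the retention periods and the sample user are all constructed assumptions; a real deployment would back this with a database and an audit log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set


class ConsentError(Exception):
    """Raised when data is retained or used without matching consent/purpose."""


@dataclass
class Record:
    value: str
    purpose: str          # purpose declared to the user when the data was collected
    expires_at: datetime  # retention deadline derived from the purpose


@dataclass
class Profile:
    consents: Set[str] = field(default_factory=set)       # purposes the user agreed to
    records: Dict[str, Record] = field(default_factory=dict)


class ChatbotProfileStore:
    # Retention schedule per purpose: every purpose must be mapped to a period
    # before any data can be kept for it. (Constructed sample policy.)
    RETENTION = {
        "delivery": timedelta(days=365),
        "recommendations": timedelta(days=90),
    }

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock  # injectable clock so retention can be tested deterministically
        self._profiles: Dict[str, Profile] = {}

    def grant_consent(self, user_id: str, purpose: str) -> None:
        if purpose not in self.RETENTION:
            raise ValueError(f"unknown purpose {purpose!r}: no retention period mapped")
        self._profiles.setdefault(user_id, Profile()).consents.add(purpose)

    def retain(self, user_id: str, key: str, value: str, purpose: str) -> None:
        """Store a datum only if the user consented to this purpose."""
        profile = self._profiles.get(user_id)
        if profile is None or purpose not in profile.consents:
            raise ConsentError(f"no consent from {user_id!r} for purpose {purpose!r}")
        profile.records[key] = Record(value, purpose, self._clock() + self.RETENTION[purpose])

    def use(self, user_id: str, key: str, purpose: str) -> Optional[str]:
        """Return a datum only for the purpose it was collected for and while retention lasts."""
        profile = self._profiles.get(user_id)
        rec = profile.records.get(key) if profile else None
        if rec is None or rec.expires_at <= self._clock():
            return None  # not held, or past its retention period: treated as absent
        if rec.purpose != purpose:
            raise ConsentError(f"{key!r} was collected for {rec.purpose!r}, not {purpose!r}")
        return rec.value

    def access(self, user_id: str) -> Dict[str, dict]:
        """Right of access: everything held about the user, with purpose and deadline."""
        profile = self._profiles.get(user_id)
        if profile is None:
            return {}
        return {k: {"value": r.value, "purpose": r.purpose,
                    "expires_at": r.expires_at.isoformat()} for k, r in profile.records.items()}

    def correct(self, user_id: str, key: str, value: str) -> None:
        """Right of rectification."""
        profile = self._profiles.get(user_id)
        if profile is None or key not in profile.records:
            raise KeyError(key)
        profile.records[key].value = value

    def erase(self, user_id: str) -> bool:
        """Right to erasure: drop records and consents alike. True if anything was held."""
        return self._profiles.pop(user_id, None) is not None

    def purge_expired(self) -> int:
        """Retention control: remove every record whose deadline has passed."""
        now = self._clock()
        removed = 0
        for profile in self._profiles.values():
            for key in [k for k, r in profile.records.items() if r.expires_at <= now]:
                del profile.records[key]
                removed += 1
        return removed


def demo() -> dict:
    """Walk a constructed user through the lifecycle and report what the store did."""
    now = [datetime(2018, 5, 25, tzinfo=timezone.utc)]
    store = ChatbotProfileStore(clock=lambda: now[0])
    out = {}
    try:
        store.retain("alice", "address", "1 rue Example", "delivery")
        out["retain_without_consent"] = "allowed"
    except ConsentError:
        out["retain_without_consent"] = "refused"
    store.grant_consent("alice", "delivery")
    store.retain("alice", "address", "1 rue Example", "delivery")
    out["use_for_declared_purpose"] = store.use("alice", "address", "delivery")
    try:
        store.use("alice", "address", "recommendations")
        out["use_for_other_purpose"] = "allowed"
    except ConsentError:
        out["use_for_other_purpose"] = "refused"
    store.correct("alice", "address", "2 rue Example")
    out["after_correction"] = store.access("alice")["address"]["value"]
    now[0] += timedelta(days=366)           # past the one-year delivery retention
    out["purged"] = store.purge_expired()
    out["erased"] = store.erase("alice")
    out["after_erasure"] = store.access("alice")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is that the purpose is attached to each datum at collection time, so a later feature (say, dish recommendations) cannot silently reuse an address collected for deliveries, and the retention clock starts from the purpose rather than from an ad hoc cleanup job.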
A pioneer in avatars and chatbots in France, Living Actor can guide and support you in the implementation of a personalized chatbot in compliance with the GDPR. Would you like to discuss it further?