
3 steps to make sure your chatbot Is GDPR compliant
In what way do chatbots fall under GDPR? What kind of data is protected? And what measures need to be taken to make sure your chatbot is GDPR compliant?
Read on to get these questions answered and join us for a deep dive into the exciting world of data privacy.
What is GDPR?
Does May 25th 2018 ring a bell? It should (if you’re interested in data privacy 😎). For this is the birthdate of The General Data Protection Regulation, better known as GDPR. A regulation that came to mark a new age in data protection legislation. And the main purpose was to apply transparency in how and why data is collected, processed, used and stored online.
Simply said – a regulation for protecting privacy online.
The regulation states that all companies or service providers operating in the European Union are obliged to inform their visitors, users or customers about how and when data is collected. They also have to make sure that all users can have their personal information edited, retrieved, forgotten or removed at any time.
Data protected by GDPR
GDPR, compared to the former Data Protection Directive, introduced a new approach to what constitutes personal data. Before GDPR, personal data was basically your name, address and social security number. But as a result of the rise and spread of internet, companies suddenly had to apply the same level of protection for completely new kinds of data.
In short, GDPR protects data such as:
- Basic identity information (like name, address, email address, but also user-generated data, such as social media posts and personal images uploaded to websites etc.)
- Web data (such as location, IP address, cookie data, and RFID tags)
- Health, genetic and biometric data (such as your medical history)
- Racial or ethnic data, political opinions, religious beliefs, sexual orientation, and so on…
How does GDPR apply to chatbots?
Since chatbots are all about gathering data, GDPR is highly relevant. Especially for chatbots using Natural Language Processing (NLP) and machine learning. Because if you want to build a chatbot that actually works well – in other words – a chatbot that can understand context and provide meaningful conversations, you have to gather data. This includes data such as name, email address or even social security number if that is relevant.
In other words: Without data – no personalization. Without personalization – no chatbot. 🤷♀️
3 Steps to make sure your chatbot is GDPR compliant
As stated above, there’s no doubt that chatbots are an area of interest when it comes to data privacy. With this in mind, we have put together a checklist of what should be done before launching your chatbot project.
➡️ Step 1: Update your privacy policy
Make sure it’s clear and accessible
Having a clear and accessible Privacy Policy is one of the main requirements of GDPR. In this context, accessible refers both to the privacy policy being easy to find on the website, but also that it should be easy to understand — written in a conversational and natural language without unnecessary legal jargon.
Be transparent & define your purposes
What comes next is to make sure your privacy policy provides all needed information, such as:
- What kind of personal data is being collected
- How the data is collected
- Why the data is collected
- How the data will be used
- Who has access to the data — are there any third parties?
- How long the data will be stored and what happens after
- What your legal basis for collecting personal data is
Provide contact information
Make sure your contact info is easy to find and that it’s clear who the company’s Personal Data Controller is, and how to get in touch with them.
➡️ Step 2: Privacy by design
Provide information & get user consent
The easiest way to inform the user or get consent is to include it directly in the chatbot’s design — via a consent question in the flow or a link to your privacy policy in the chat widget.
Allow users to retrieve their data
Users must be able to request, download, or delete their data. You can add this to the chatbot flow (e.g. “Can you send me my data?”) or include it in the chatbot’s menu.
Make sure the chatbot is secure
If your chatbot handles sensitive data like invoices or personal info, you must verify the user’s identity. In Sweden, the most common method is BankID, which can be integrated directly into the chat flow for secure authentication.
➡️ Step 3: Store the data safely and securely
All data should be stored separately and encrypted — ideally using a cloud service. This allows your company to personalize based on user behavior while staying compliant.
If you’re operating within the EU, it’s wise to choose a European cloud provider that automatically follows GDPR rules.
One example is OVH, Europe’s largest hosting provider known for high security and scalable performance.
PS: Don’t forget to set up a data retention policy — guidelines that define how long data should be kept and when/how it should be deleted.
Some final words (finally…)
First of all – a big applause for making it through all the way. We are truly impressed! 👏
GDPR is not the ‘sexiest’ subject to say the least, but you can’t ignore the fact that it is as important as it is essential when working with chatbots.
We hope this article has helped you feel more confident about making your chatbot GDPR compliant!