Chatbots are becoming an increasingly important feature of customer service provision. In part, this is due to their ability to collect and process valuable customer data for use by human agents or to provide automated solutions to customer service issues. However, this data collection capacity means that chatbots must comply with the General Data Protection Regulation (GDPR). Here, we examine how and where chatbots and GDPR intersect.


Key differences under GDPR


In May 2018, GDPR replaced the Data Protection Act 1998 and introduced a number of important new legal obligations. Below, we take a look at five of the key changes that affect chatbot development and use.

1. Punishment – One of the biggest changes introduced under the GDPR is the scale of the penalties for those who breach the regulations or fail to carry out safe data management practices. Under GDPR, organisations can be fined up to €20 million or 4% of global turnover, whichever is higher. This sanction is remarkably high when compared to previous enforcement actions and is meant to act as a deterrent as well as a punishment.

2. Consent – The GDPR is heavily preoccupied with the idea of consent and with ensuring that users understand and consent to the services offered by an organisation. Though by no means flawless, the GDPR’s system of consent is built upon four defining characteristics. Consent must be:

  • freely given
  • informed
  • specific
  • unambiguous

Consent requests must meet all four of these criteria if they’re to be deemed adequate under GDPR.


3. Data protection by design and by default – GDPR places extra emphasis on two data governance concepts: data protection by design and data protection by default.

  • Data protection by design means that privacy concerns and controls should be taken into consideration during the design process and that mechanisms should be put in place to ensure that any software meets the requirements set out in the GDPR.
  • Data protection by default is the idea that the default approach to privacy should always be to apply the strictest privacy settings possible.


4. Data Subjects’ Rights – Anyone who has their personal data collected is a data subject. The GDPR grants these data subjects new rights in order to give them control over the ways in which their personal data is collected and used. These include the right to access, rectify, and erase any personal data relating to them.

5. Data Protection Officer – Not all organisations need to appoint a Data Protection Officer (DPO), but it is required by those that are public authorities, that engage in large scale, regular, and systematic monitoring of individuals, or those that process special categories of data. These “special categories” include biometric, political, and criminal record data. The DPO is responsible for ensuring internal compliance with GDPR and acts as a point of contact for employees.

Five GDPR questions to ask about your chatbot


In the context of chatbots, you’ll need to ask at least five questions to ensure that your software is GDPR compliant and that you’re collecting, processing, and storing data in the correct manner.

  • Controller or processor?

First off, it’s necessary to distinguish between data controllers and data processors.

Data controllers are those actors that “determine the purposes, conditions and means of the processing of personal data.”

Data processors are those actors that “process personal data on behalf of the data controller.”

For a more detailed explanation, have a look at the ICO documentation on the difference between data controllers and data processors.

Depending on which of these two categories you fall into, you’ll have different responsibilities. However, it’s also important to understand that there are certain circumstances in which you can be both a processor and a controller. Having established whether you’re a processor or controller (or both), it’s necessary to reference the GDPR directly for a complete list of your responsibilities and obligations.

  • What personal data is being collected?

In order to increase transparency, it’s necessary to inform all users of the types of data that you’re collecting. Consequently, organisations must identify all of the personal data that their chatbots acquire. These data types are then listed in the privacy policy document.

With chatbots, this is likely to include:

      • identifying information (e.g. name and address)
      • contact information (e.g. email address or phone number)
      • financial information (e.g. payment details)
      • IT data (e.g. location, IP address, and cookies)

However, all organisations should ensure they’ve thoroughly vetted their chatbot service and included all types of data in the privacy policy.

It’s also necessary to distinguish between personal data and sensitive data, such as biometrics or criminal records, because the GDPR treats these two types of data differently.

  • How am I requesting consent?


If you’re to meet the criteria set out for consent in the GDPR, make sure that your chatbot consent process avoids pre-ticked checkboxes and that all information is presented to users in a clear and appropriate manner. For instance, a chatbot service aimed at children needs to use language that is appropriate to the target age group. Remember – all consent must be positive and actively provided. Inactivity cannot be construed as consent.

  • Are risk-reducing processing measures in place?

Both data controllers and data processors have an obligation to take appropriate measures to protect the integrity of personal data. This means carrying out a thorough risk assessment, implementing monitoring processes, creating efficient procedures for responding to specific types of incident, and ensuring that employees understand the escalation protocols.

  • Are you working with any third parties?

Finally, many organisations interact and work alongside third parties, some of whom may have access to certain parts of their digital systems and who may deliberately or inadvertently compromise data security. To minimise the possibility of a privacy breach, all partner companies need to be GDPR compliant, and an organisation’s internal data flows need to be mapped to ensure that access is safeguarded at all times. This is particularly true of chatbots, which may be hosted on third-party websites or platforms.

What next?

Ensuring your chatbot is GDPR-ready depends on developing a thorough understanding of the policy. We’ve taken a look at some of the principal factors chatbot developers and owners need to consider when introducing a new chatbot. Though GDPR is a complex policy, it is similar in many ways to its predecessor, the Data Protection Act 1998. This means that organisations aren’t dealing with entirely new regulations and should already have some experience with data security and privacy practices. Despite this, when it comes to chatbots and GDPR, it’s essential that you’ve made every effort to ensure your software meets the relevant legal requirements.

Have a question or want further information on chatbots and GDPR? Our expert team have been providing customer contact solutions for over 25 years. Call us on 01344 595800 or drop us a line.