GDPR compliance for AI/ML applications, especially chatbots…

The GDPR is the successor to the 1995 Data Protection Directive, and it is a regulation, not a directive. It has been adopted by all EU states and came into force on 25 May 2018. The regulation enforces heavy fines against organizations that do not comply with the General Data Protection Regulation (GDPR): fines of up to 4% of annual revenues or 20M €, whichever is greater.

The General Data Protection Regulation (GDPR) is a regulation on data protection for European Union citizens. It also applies to the transfer of personal data outside of the EU area. GDPR gives users control over their personal information and over whether they want to share their data or keep it private.

The regulation defines three stakeholders:

1. Data Subject: A person whose data is being processed by a controller or processor.

2. Data Controller: An individual or company that determines the purpose and conditions of collecting and processing personal data from users.

3. Data Processor: An individual or company that processes personal data for Data Controllers.

Customer Rights under GDPR

  1. Right to be Informed: Be transparent about how much personal information you collect and process and the purpose you intend to use it for. Inform your customers of their rights and how to carry them out.
  2. Right of Access: Your customers have the right to access their data. You need to enable this through either a business process or a technical process.
  3. Right to Rectification: Your customer has the right to correct information that they believe is inaccurate.
  4. Right to Erasure: You must provide your customer with the right to be forgotten, provided that your legitimate interest to hold such information does not override theirs.
  5. Right to Restriction of Processing: Your customer has the right to request that you stop processing their data.
  6. Right to Data Portability: You need to enable the machine- and human-readable export of your customers’ personal information.
  7. Right to Object: Your customer has the right to object to you using their data.
  8. Right regarding Automated Decision Making: Your customer has the right not to be subject to a decision based solely on automated processing, including profiling.

As per the regulation, any company that collects and processes EU citizens’ personal information, or that stores personal data of EU residents, must comply with GDPR, regardless of whether the company is present in EU territory or not. This scope of GDPR means most global businesses need to be GDPR compliant.

From the sections above we can see that chatbots are no longer a matter of business communication only; chatbot makers must treat them as a form of data controlling and processing. This requires chatbots to be ready to face the strict scrutiny of the GDPR regulation.

Some of the generic and minimum steps that chatbot makers need to take to be ready for GDPR compliance are listed below.

Note: The list is not comprehensive; it is just an indicative list for internal assessment. Please consider a full audit of the chatbot before making it public for general use.

  1. The chatbot, before starting a conversation, must clearly state what data will be collected in conversations and must be able to access what data is being collected.
  2. The chatbot user must be allowed to access, review, download and erase the data collected by the chatbot.
  3. The chatbot logs must be securely stored and made accessible to users. Also, obtain the explicit permission of the user before processing the logs to train your chatbot.
  4. A clearly stated privacy policy and the contact information of the Data Officer for any concerns.
  5. The option of talking to a real operator rather than a machine chatbot.

All of these form an indicative list of steps that the chatbot owner needs to take. A full audit may reveal more areas and make sure the chatbot is fully compliant.

GDPR compliance needs to be ensured by the design of the solutions rather than as a reactive measure. GDPR is not just about compliance; it has to do with the larger consciousness of your customers, who seek privacy as their right. If you want to win the competition, respect your customers’ demand for their privacy.

Recommendation: “Build customer data privacy into all your solutions by design, irrespective of legal compliance; it will bring high value in long-term customer loyalty and zero litigation cost.”

For an audit of your AI/ML solutions for data privacy laws, connect for a confidential discussion.
