The challenge of data protection in the era of bots

The challenge of data protection in the era of bots

SnatchBot Team Équipe SnatchBot, 26/04/2018

Bots are computer programs powered by AI. They understand your requests and can respond to them in human language. They are expanding at breakneck speed: Gartner forecasts that more than 85% of customer interactions will be managed without a human by 2020.

Bot builders are working hard to make their creations as friendly as possible. They want to imitate feelings to encourage users to feel empathy for their bots and create a sense of friendship. But when you talk to a bot, you behave differently. Since you know you’re talking to a machine, you have no filter, no fear to be judged, and speak more freely. This explains why bots receive so many insults : you are not afraid to hurt the feelings of a program.

Why should you be concerned by the protection of your data?

What we’re calling personal data includes your identity (name, surname, age, gender, nationality), your contact details (email, phone number, mailing address), and administrative information such as bank or insurance details. Sensitive data includes ethnicity, political, philosophical or religious opinions, information about your health or your sex life as well as any offenses and criminal record.

What are the risks of sharing such data? Companies may sell your data

Companies can buy your personal information to target their ads, as I’m sure you’re aware of. To figure out how much each bit of personal information is worth for marketers, the Financial Times has done an interactive simulator to show the value of your profile. In this study, general information about identity is worth $0,0005 per person, or $0,50 per 1000 people. But when you provide information about spending habits, interests, family situation or health, the value increases considerably.

Rights and obligations linked to data protection: what the law says

Considering the importance of data protection, the European Parliament has voted a law called General Data Protection Regulation (GDPR), adopted on the 14th april 2016 and coming into application on the 25th May 2018.

This law is directly applicable in the Member States, without transposition and will apply to any company that collects, processes and stores personal data of European citizens. GDPR will start in May 2018 and will harmonize regulatory frame applicable to all EU member states, but also spreading its application outside EU for companies processing data of European citizens.

GDPR requires the explicit consent of the data subject and gives them a better control of their personal data. In the context of collecting personal data, companies are required to inform users about the object of the data collection and the time of the data conservation. In addition, they must allow data subjects to have full control over their data.

Mandatory procedures within companies

To be compliant with the GDPR, companies have to nominate a Data Protection Officer to insure the respect of new data policies, to advise the company’s employees on its application and to act as a point of contact with the supervisory authority. Moreover, companies have to define the correct documentation to insure the authorities of the respect of data procedures on requests.

They also have to ensure privacy by design (that means integrating data from the very beginning of the design of products or services) and implement an impact study to identify the risks of data breaches and the actions to be taken to reduce them. In case of data breaches, companies have to notify the competent authority in a short timeframe, as well as the owners of the data concerned.

As Bot Builders, what should we do?

The first thing to do is to appoint a DPO, responsible for the management of personal data, whatever the size of your company. The DPO should then map the personal data of your company, determining the following:

  • Which pieces of data are collected? Among them, which are personal data and which ones are sensitive?
  • When are they recorded? Before the user communicates with the bot, does it inform him/her of the collection of his/her data?
  • Where are they kept? Are there provisions to protect them?
  • Who can access this data?

Once the mapping has been completed, the DPO will have to put in place procedures to ensure data security. These procedures have to fix the following points:

  • Are the media (computers, flash drives, hard drives, etc) that may contain personal data encrypted to avoid leaks in case of theft?
  • Is the password policy strong enough to secure the access of data owned by the company?
  • Could the company anonymize the collected data to ensure personal data protection while maintaining the possibility to produce statistics?
  • Are there procedures for :
    • collecting the consent of the data subject?
    •  informing the data subject of his rights towards his data? 
    • answering requests for information by the data subject?
    • ensuring the detection of data breaches?
  • Has the company planned to realized a Data protection Impact Assessment, to evaluate the level of data protection security deployed by the company, and the weak points of the device?
  • In case of a data breach, what are the procedures planned to communicate the incident to the authorities and to data subjects concerned?
  • And finally, has the company defined a code of conducts to act ethically and protect personal data?

Once the procedures have been established, the DPO will be responsible for enforcing them, including conducting audits and communicating to the team, making them aware of the procedures and the matter of personal data protection.

Chatbots will quickly prove themselves useful for GDPR compliance: they can help get consent, update information or offer accessible opt-out options for prospects. Essentially, they reduce the pain and the necessary steps required to update your customer, prospect or candidates’ files.