Chatbots and GDPR Readiness

By Deepak Bobbarjung and MuckAI Girish

Passage AI is developing an AI/NLP conversational interface platform for enterprises across the globe, supporting a variety of applications including customer service automation and virtual assistants. At Passage AI, we take user data privacy and security very seriously. The General Data Protection Regulation (GDPR), effective May 25, 2018, is a European Union (EU) regulation on data protection and privacy for all individuals within the EU. It aims to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Passage AI is ready and committed to helping our customers and partners meet the GDPR specifications.

The Passage AI bot building platform is designed and architected with data protection in mind. Chatbots built with our platform can be easily configured to meet the myriad requirements of GDPR, giving end users complete control over their personal data at all times.

Data Protection by Design

The Passage AI platform has been built with several core security design principles. For example,

  • Anonymize all PII data prior to persisting it.
  • Encrypt sensitive data both at rest and in flight.
  • Set any customer data to be deleted when it is not needed.
  • All data access within our organization is on a need-to-know basis, and data access events are audited and logged.
  • Ability to store and process data in any region of choice – so data never has to leave the boundaries defined by our customers.
  • Data protection and disaster recovery.

We have implemented many security best practices across the organization:

  • Training for all employees about security best practices in our organization.
  • Periodic penetration testing and auditing of our system.
  • Continuous internal security testing and audits.
  • An incident response plan whereby we will inform our customer about any incidents within 72 hours of discovery (as mandated by GDPR) along with recommendations to mitigate the issue.

Additionally, we have incorporated GDPR requirements into our chatbot platform as features available for customers and partners at the time of building a chatbot. These features enable customers and partners to be GDPR ready.

Here are some examples:

Ask for user consent prior to storing and processing data

Passage AI chatbots can be configured to ask the user for approval prior to storing any information for that user. If the user has not approved data storage, and storing user data is necessary for providing specific functionality, then the chatbot will politely inform the user that such functionality is not available until the user explicitly approves storing and processing their information. This feature can be easily turned on by enabling a checkbox in the easy-to-use bot builder platform.

Users can enquire about the data we have and how it is being used

At any given time, an end user can ask the bot either to show them a summary or to provide a download of all their data that resides in the system. Further, they can ask for an explanation of how that data is being used. This feature can easily be enabled by a simple checkbox on the bot builder platform.

Delete my data (forget me) option

The ‘Forget me’ option is one of the key tenets of GDPR. GDPR gives end users the right to request their data be deleted at any time. Data processors are required to comply with these requests. Bots built with the Passage AI platform will have the capability to expose this functionality to end users. End users can converse with the bot and simply say ‘please delete all my data that you have’, or express this in various other ways in natural language, which will trigger an event in our system to delete all stored data for that user. After this event, the bot will once again ask for the user’s consent to store their data in order to resume service.

At Passage AI, we appreciate the GDPR mandate which aims to return control of personal data to private citizens. We have embraced the challenge of providing all of the benefits of AI/NLP driven conversational interfaces to end users while also guaranteeing their data privacy and security, as required by GDPR. With Passage AI, our customers and partners can be confident that their chatbots are GDPR ready, and that their end users can exercise complete control over their personal data.

For more information about Passage AI, please look us up at: http://www.passage.ai