If you are operating an online business with users from the EU you have probably heard many times about GDPR over the last 6 months. It goes into full effect on the 25th of May and requires certain changes in your online marketing arsenal. Unless you were sleeping under a rock for so long, you have probably read about the legislation that is designed to protect personal user data of all individuals in the European Union. In this post we are going to discuss what Fanbot.ai has done in order to be compliant and the changes we have made in our system to make sure you are compliant too when you create a messaging bot with Fanbot.ai.
What is the GDPR?
The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, creates consistent data protection rules across Europe. It applies to all companies that process personal data about individuals in the EU, regardless of where the company is based. Processing is defined broadly and refers to anything related to personal data, including how a company handles and manages data, such as collecting, storing, using and destroying data.
We at Fanbot.ai take data privacy and security very seriously, for all of our users regardless where they are from. Being a company whose business revolves around around handling some personal data from Facebook Messenger and Viber, we have always taken extra steps to make sure all data that is necessary to operate and improve the bots is handled with the best possible care.
Data controllers and processors
The GDPR applies for both data controllers and data processors, hence it’s important to understand the relationship between them. Fanbot.ai is a data processor and it’s partners (bot makers) are either data controllers or primary processors in relation to personal data of individuals. Data controllers collect data from the end-users, with their appropriate consent. Data processors provide services to the controller in accordance to their instructions.
Using 3rd party integrations
When you are using 3rd party integrations to process any personal data that you collected from your bot (for example using our Zapier integration), you need to make sure that those services are also GDPR compliant. When your user asks you to delete their data you need to make sure that you delete it from all connected system as well.
Product updates to support GDPR in your bot
As Fanbot.ai is a data processor in our relationship with our customers (bot makers), we have put in several ways in which you can make your bot compliant.
Right to Access/Erase
One of the key aspects of GDPR is the right of an individual to access and erase all personal data that is stored about them. Fanbot.ai allows you to give them access to view and delete their data with a simple link that you can add to one of the buttons to the persistent menu of your bot. You can share that button/link anytime in direct messages, conversations or automated replies.
If the end-user asks you to update or delete their data and all subsequent information from your bot, then you can do that in the Fanbot.ai admin panel, under the Settings menu of your bot. Please make sure that you also delete the user’s data from all 3rd party systems that might be connected to your bot or database. Keep in mind that the full Messenger and Viber chat history will still be stored by Facebook and Viber and our tools only cover Fanbot.ai, not the Facebook or Viber account itself, so you will need to take further actions in those platforms on your own.
You can use the Fanbot API to export all data stored about your end-users and send it to them when they request it. The export can be done for a group of users or for just a single user, on demand.
You need to make sure that your users give you their consent to control their data. There are a couple ways to achieve this. The first one is to make sure your users have a clear understanding about your services when they subscribe to your bot or broadcasting messages. When they subscribed, you also have to provide the option to unsubscribe easily. Fortunately, these features are built in to Fanbot.ai as non-deletable system conversions and you can set them up under the Automation menu. Generally the best practice is to clearly communicate the reasons to subscribe to channels and messages, then provide the option to unsubscribe at the menu of your bot or at the end of all automated broadcasting messages.
Procedures for correcting personal data
As your bot either operates on Facebook Messenger and/or Viber, it is only natural that your bot only uses data that the end-user specified in those platforms. If the end-user decides to update their personal data in those platforms, the changes will be reflected in the database of your bot as well. Since our system only uses those data, the procedure for correcting or updating the end-user’s personal data is to redirect them to their social media accounts.
If you want to inform your end-users about all the GDPR related compliance steps that you have taken, we suggest you to place a button in the persistent menu of your bot that can redirect the users to your information page.
Retention of personal data
Earlier, an unsubscribed user from your bot was not necessarily deleted, for practical reasons. To help your brand maintain GDPR compliance, we will start automatically removing personal data from subscriber profiles 90 days after they unsubscribe from your Fanbot.ai bot. After 90 days, the personal data associated with somebody who unsubscribed will no longer be available in any way.
As per requirements of the process, we commit to displaying a list of all our current sub-processors in use by Fanbot.ai. A sub-processor includes any third party that we share personally identifiable info with.
Here is that list:
- AWS, Amazon
- MongoDB, Atlas
What else you need to do?
Do you have any questions regarding our product updates and how to make your bot GDPR compliant? Feel free to contact us and we will be happy to answer.
Disclaimer: this does not mean that your business will be fully compliant automatically and to ensure that you’re compliant with all aspects of the GDPR, you should consult your legal advisor. If you don’t have one, contact us and we will help you find one.
Also published on Medium.