Bots are computer programs powered by AI. They understand your requests and can respond to them in human language. They are expanding at breakneck speed: Gartner forecasts that more than 85% of customer interactions will be managed without a human by 2020.
Bot builders (that’s what people developing those bots are called) are working hard to make their creations as friendly as possible. They want to imitate feelings to encourage users to feel empathy for their bots and create a sense of friendship. But when you talk to a bot, you behave differently. Since you know you’re talking to a machine, you have no filter, no fear of being judged, and you speak more freely. This explains why bots receive so many insults: you are not afraid to hurt the feelings of a program.
This led Caroline Bercegeay, a French entrepreneur, to create her first bot, called “petites questions”. The bot advises inexperienced mothers and creates a safe space where they can ask whatever they want without fear of judgement. Why would a program tell you how to live your life, right?
But sometimes, innocence is just an appearance. You could very well be giving away private and personal information to a program that collects and resells data. Have you given your approval? Is it legal? Do you have a way to erase this conversation?
In a nutshell, an important question is raised: can I trust this bot? And that adds another piece to the huge data protection challenge we have today.
Why should you be concerned by the protection of your data?
What we’re calling personal data includes your identity (name, surname, age, gender, nationality), your contact details (email, phone number, mailing address), and administrative information such as bank or insurance details.
Sensitive data includes ethnicity, political, philosophical or religious opinions, information about your health or your sex life as well as any offenses and criminal record.
What are the risks of sharing such data?
Companies may sell your data
Personal data can be used for two main purposes: identity theft or targeted advertising.
A study conducted by Atlantico in July 2015 confirmed everybody’s nightmare: you can find standard kits of personal data (address, email, phone number, credit card numbers), called “fullz”, on the dark web. According to the journalists, these fullz are worth €19 on average, with a minimum of $1 and a maximum of $450. The price is directly linked to the quality of the profile and its profitability: it will be higher if the kit includes credit card numbers with a high limit.
But breaches of privacy don’t only happen on the evil dark web. Companies can buy your personal information to target their ads, as I’m sure you’re aware. To figure out how much each bit of personal information is worth to marketers, the Financial Times has built an interactive simulator that shows the value of your profile. In this study, general information about identity is worth $0.0005 per person, or $0.50 per 1,000 people. But when you provide information about spending habits, interests, family situation or health, the value increases considerably.
The company storing your data can be exposed to security leaks
To avoid data breaches, a company has to set up heavy security processes and respect them. And even then, nobody’s bulletproof. 70% of data breaches are caused by humans, either on purpose, as in SwissLeaks, or by mistake, as with the Australian Immigration Services.
In SwissLeaks, a former HSBC computer scientist, Hervé Falciani, stole confidential tax documents from his employer, exposing a system of tax fraud organized by the bank, and sent them to journalists. He had simply downloaded the data onto a USB stick and leaked it. He has been sentenced to 5 years in prison for economic espionage and exchanging data for money. He wasn’t recognized as a whistleblower.
The case of the Australian Immigration Services comes from a pure mistake. One of their employees disclosed personal information about 31 Heads of State and Government invited to the G20 in Brisbane by entering the wrong recipient address in his email.
And we won’t even talk about the Ashley Madison leak that revealed the personal information of 32 million members having extramarital affairs!
Rights and obligations linked to data protection: what the law says
Considering the importance of data protection, the European Parliament has passed a law called the General Data Protection Regulation (GDPR), adopted on 14 April 2016 and coming into application on 25 May 2018.
This law is directly applicable in the Member States, without transposition, and will apply to any company that collects, processes and stores personal data of European citizens.
Before GDPR, European Directive 95/46/CE framed personal data protection but contained serious loopholes, in particular concerning data protection on the Internet and the application of rights across the Union. In France, this Directive came in addition to the “Loi Informatique et Libertés” of 1978, amended on 6 August 2004.
A harmonized and strengthened legal framework
GDPR will come into application in May 2018 and will harmonize the regulatory framework applicable to all EU member states, while also extending its application outside the EU to companies processing data of European citizens.
It will also impose heavier sanctions: financial penalties can reach up to 4% of a company’s annual turnover or €20 million (whichever amount is higher), compared with the €300,000 formerly provided for in France by the Loi Informatique et Libertés. The average penalty in 2016 was €30,000.
Moreover, the GDPR establishes that the subcontractor is subject to the same expectations and sanctions as the data controller (the company that collected the data).
The control of their own data by data subjects
GDPR requires the explicit consent of the data subject and gives them better control of their personal data. When collecting personal data, companies are required to inform users about the purpose of the data collection and how long the data will be retained. In addition, they must give data subjects full control over their data, allowing it to be viewed, modified, deleted or transferred to another data controller by its owner. Moreover, users have the right to refuse the use of their personal data for profiling: every person has the right not to be the subject of a decision based exclusively on automated processing.
To successfully enforce these new obligations, it’s important for the company to inform the data subject about their rights and how they can contact the Data Protection Officer to make a request. That is why companies have to establish new procedures.
Mandatory procedures within companies
To be compliant with the GDPR, companies have to appoint a Data Protection Officer to ensure that the new data policies are respected, to advise the company’s employees on their application and to act as a point of contact with the supervisory authority.
Moreover, companies have to maintain the correct documentation so that they can demonstrate to the authorities, on request, that data procedures are respected.
They also have to ensure privacy by design (that means integrating data protection from the very beginning of the design of products or services) and carry out an impact assessment to identify the risks of data breaches and the actions to be taken to reduce them.
In case of a data breach, companies have to notify the competent authority within a short timeframe, as well as the owners of the data concerned.
As Bot Builders, what should we do?
The first thing to do is to appoint a DPO, responsible for the management of personal data, whatever the size of your company.
The DPO should then map the personal data of your company, determining the following:
- Which pieces of data are collected? Among them, which are personal data and which ones are sensitive?
- When are they recorded? Before the user communicates with the bot, does the bot inform him/her that his/her data will be collected?
- Where are they kept? Are there provisions to protect them?
- Who can access this data?
Once the mapping has been completed, the DPO will have to put in place procedures to ensure data security. These procedures have to address the following points:
- Are the media (computers, flash drives, hard drives, etc.) that may contain personal data encrypted to avoid leaks in case of theft?
- Is the password policy strong enough to secure access to the data owned by the company?
- Could the company anonymize the collected data to ensure personal data protection while maintaining the possibility to produce statistics?
- Are there procedures for:
  - collecting the consent of the data subject?
  - informing the data subject of his rights towards his data?
  - answering requests for information by the data subject?
  - ensuring the detection of data breaches?
- Has the company planned to carry out a Data Protection Impact Assessment, to evaluate the level of data protection deployed by the company and the weak points of its system?
- In case of a data breach, what procedures are planned to communicate the incident to the authorities and to the data subjects concerned?
- And finally, has the company defined a code of conduct to act ethically and protect personal data?
Once the procedures have been established, the DPO will be responsible for enforcing them, including conducting audits and communicating with the team to make them aware of the procedures and of the importance of personal data protection.
And once you’ve done all that, congrats! You’re all set and can go for a drink.
If you’re having trouble enforcing ground rules for security, here’s how we do it here: each team member who leaves their laptop unattended and unlocked gets a nice message on our private Slack announcing that they’ll be treating everyone to croissants the next morning! I won’t lie, I kind of miss the breakfasts, but croissants are becoming rarer and security is getting stronger!
I hope it’ll work out just fine for you as well 🙂