GDPR (General Data Protection Regulation) is a European Union regulation aimed at protecting the personal data of European citizens. This legislation, which entered on May 25, 2018, gives power back to individuals for the storage and use of their personal data.
Every company must comply with rules and processes that ensure that no use of the data collected can be made without the explicit consent of individuals. Being "GDPR compliant" will then be an obligation for all digital startups and this article describes how we handled the topic at Botmind.
To respect a fundamental right of European citizens.
- Being GDPR compliant is a prerequisite for signing contracts (customers, partners, etc..)
- Letting our users control the use of their data generates trust that promotes the use of our product.
- Not complying is punishable by heavy financial penalties.
- Complying now means you won't be caught off guard if the changes you need to make in your business are greater than expected.
First, we have taken the mandatory rules and processes defined by the legislation. Here are the actions we have taken:
- Appointing a DPO (Data Protection Officer) who is responsible for regulating and monitoring the use of personal data.
- Establishing a register of stored/used data that allows us to determine the use made of each type of stored data.
- Ask for explicit consent from the individuals involved in the processing of their data and be able to prove it.
- Provide a process for deleting data if a user makes such a request.
- Establish an escalation procedure to the CNIL in case of a breach of confidentiality of personal data.
Then we went a step further to ensure that our users' data would be protected and confidential. By automating responses to customer requests, we often handle personal data and we therefore defined the following good practices:
- We do not share user expressions from different customers between accounts, even those related to small talk ("Hello", "Goodbye", "How are you", etc..)
- We integrate the principles of "Data Minimization" and "Privacy by default" into our platform: only data whose use is validated by the individual is stored and it is possible to mark sensitive data so that it is anonymized in the database.
- We apply the "Protection by Design'' principle in the development of our platform and other components.
- We secure access to our data servers and host these servers within the European Union.