Checklist: Live chat and GDPR

In the spring of 2018, the General Data Protection Regulation (GDPR) took effect in the EU. We’ve listed 7 things to keep in mind when installing live chat on your website.

The spring of 2018 was a busy one for the companies of Europe. Everyone was trying to get ready in time for the GDPR, and there was plenty of confusion about how to do that.


Today, most organisations have managed to get new routines in place. But every time you add a new way for your customers to get in touch with you, it’s wise to repeat the basics. If you’re about to install live chat on your website, this could be a great time to brush up on your GDPR skills.


By the way, congrats on a great decision! More leads, increased sales, and happier customers are just a few of the benefits from live chat. We’ve written more about the benefits of chatting with your customers here.


There are no rules specific to live chat in the GDPR, but the rules that apply to all processing of personal data apply to chat conversations as well. We’ve listed 7 things to keep in mind when you start using live chat:


  • Document all processes
  • Don’t collect or store more data than necessary
  • Create a detailed privacy policy
  • Protect all personal data carefully
  • Remember the right to be forgotten
  • Sign a Personal Data Processing Agreement with all data processors
  • Involve and educate everyone in your organization


#1 Document all processes

The obligation to document all processes involving personal data is foundational in the GDPR. You need to be able to show how and where personal data is handled, how it is stored and with whom it is shared. If, for example, you plan to send information from your live chat to your CRM, you need to document that process too: which fields are transferred, where they end up and who has access to them there.


Why all this hassle about documentation? Because under the GDPR it’s not enough to follow the rules; you also have to be able to demonstrate how you follow them. This is known as the accountability principle.


#2 Never collect or store more data than necessary

You’re not allowed to collect or store more personal data than you can justify. Every piece of data you gather must be clearly connected to a purpose, and that purpose must be clearly stated. This means it’s not an option to collect data that “might come in handy” in the future. For live chat, this means, for example, not asking for a phone number or postal address in a pre-chat form unless you actually need it to answer the visitor’s question.


So, what to do with outdated information? As soon as personal data is no longer needed for the purpose it was collected for, it must be deleted or anonymised. Therefore, it’s important to have processes in place to make sure this actually happens, for example a routine that purges or anonymises chat transcripts once a set retention period has passed. Collecting only what you need, and keeping it only as long as you need it, are the GDPR principles of data minimisation and storage limitation.



#3 Create a detailed privacy policy

To be entitled to process personal data, you need both a lawful basis and a clear purpose for doing so, and you need to state that purpose openly. The natural place to do so is usually your company’s privacy policy. Here you can explain in detail what kind of information you gather and store, how it’s used, how long it’s kept and who has access to it.


In the policy, you should also explain how individuals can get access to information that is about them, and how they can get it deleted. For an example of what that might look like, you can check out our privacy policy here.


#4 Protect all personal data carefully

All personal data must be carefully protected at all times so that sensitive information doesn’t fall into the wrong hands. Both technical and organisational security measures are needed. Examples of technical measures are firewalls, encryption and anti-virus protection; for live chat specifically, this also means encrypting chat traffic in transit (TLS) and restricting which people and systems can read stored transcripts. Internal routines, clear guidelines and controlled workflows are examples of organisational measures.

But what if personal data accidentally does fall into the wrong hands? In the GDPR this is called a personal data breach, and unless the breach is unlikely to result in a risk to the individuals concerned, it must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to “the rights and freedoms” of the individuals concerned, for example through identity theft or fraud, they must also be informed of what has happened.



#5 Remember the right to be forgotten

In most European countries, the GDPR has given individuals whose data is being processed more rights than before. One of these rights is the right to access any information that is stored about you, and the right to know and control how it’s being handled and used.

An important part of the GDPR is the right to erasure, often referred to as the right to be forgotten. It means that any individual your company has collected data about can, at any time, ask to have that data deleted, and you must comply unless you have a legal ground to keep it, for example a legal obligation to retain certain records. In the context of live chat, this means that any visitor to your website can ask to have, for example, a chat conversation containing personal data deleted, from every system it was copied to.
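The retention routine from #2 and the access and erasure handling from #5 are the two places where a chat deployment needs actual code rather than policy. The following is an added example, not Telavox code: it stores chat transcripts in memory, anonymises transcripts older than an assumed 90-day retention period (keeping only the chat id, date and message count), exports everything still held about a visitor, and deletes a visitor’s transcripts on request, writing an audit entry for every action as evidence for #1. The record layout, the retention period and the sample chats are all assumptions made for illustration.

```python
"""Retention and erasure handling for live-chat transcripts.

Added example, not Telavox code. The record layout, the 90-day retention
period and the sample records are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RETENTION = timedelta(days=90)  # assumed: how long a full transcript is needed


@dataclass
class ChatRecord:
    chat_id: str
    visitor_email: Optional[str]      # personal data: identifies the visitor
    started_at: datetime
    messages: List[Tuple[str, str]]   # (sender, text); text may hold personal data
    message_count: int = 0
    anonymised: bool = False


@dataclass
class ChatStore:
    records: Dict[str, ChatRecord] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)  # evidence for #1

    def add(self, rec: ChatRecord) -> None:
        self.records[rec.chat_id] = rec

    def _log(self, chat_id: str, action: str, reason: str, now: datetime) -> None:
        self.audit_log.append({"chat_id": chat_id, "action": action,
                               "reason": reason, "at": now.isoformat()})

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Anonymise every transcript older than RETENTION (#2).

        Only what the stated purpose (service statistics) still needs is
        kept: chat id, start date and message count. Identifiers and message
        text are dropped, so the record no longer relates to a person.
        """
        now = now or datetime.now(timezone.utc)
        expired = [r for r in self.records.values()
                   if not r.anonymised and now - r.started_at > RETENTION]
        for r in expired:
            r.message_count = len(r.messages)
            r.messages = []
            r.visitor_email = None
            r.anonymised = True
            self._log(r.chat_id, "anonymised", "retention period elapsed", now)
        return len(expired)

    def export_visitor(self, email: str) -> List[dict]:
        """Right of access: everything still held about one visitor (#5)."""
        return [{"chat_id": r.chat_id, "started_at": r.started_at.isoformat(),
                 "messages": list(r.messages)}
                for r in self.records.values() if r.visitor_email == email]

    def erase_visitor(self, email: str, now: Optional[datetime] = None) -> int:
        """Right to erasure: delete every transcript linked to the visitor (#5)."""
        now = now or datetime.now(timezone.utc)
        matches = [r for r in self.records.values() if r.visitor_email == email]
        for r in matches:
            del self.records[r.chat_id]
            self._log(r.chat_id, "erased", "erasure request from data subject", now)
        return len(matches)


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample run


def build_sample_store() -> ChatStore:
    """Constructed sample data (not real chats)."""
    store = ChatStore()
    store.add(ChatRecord("c1", "anna@example.com", NOW - timedelta(days=120),
                         [("visitor", "Hi, my order 4711 never arrived"),
                          ("agent", "Sorry Anna, I will look into it")]))
    store.add(ChatRecord("c2", "anna@example.com", NOW - timedelta(days=10),
                         [("visitor", "Any news on order 4711?")]))
    store.add(ChatRecord("c3", "bob@example.com", NOW - timedelta(days=5),
                         [("visitor", "Do you ship to Norway?")]))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("anonymised by retention pass:", store.purge_expired(NOW))
    print("held about anna:", store.export_visitor("anna@example.com"))
    print("erased on request:", store.erase_visitor("anna@example.com", NOW))
    for entry in store.audit_log:
        print(entry)
```

Two things worth noticing when running it. First, the retention pass anonymises the 120-day-old chat, so a later erasure request for the same visitor only finds the recent one: a record that no longer identifies anyone is no longer personal data, which is exactly why anonymisation is an acceptable alternative to deletion. Second, this store only knows about its own records. If the documented process from #1 also copies chat data to a CRM, the erasure request has to be forwarded there as well, which is only possible if that data flow was documented in the first place.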


#6 Sign Personal Data Processing Agreements with all data processors

With the new rules of the GDPR, your company is responsible for all personal data that is being processed, even if you hire external partners and suppliers to process it for you.

For example, if your company hired Telavox for a service where personal data is handled, a specific agreement would be needed to make sure the cooperation is compliant with the GDPR. Your company, the Data Controller, would then need to sign a Personal Data Processing Agreement with Telavox, the Data Processor.

For an example of such an agreement, check out our Personal Data Processing Agreement here.


#7 Involve and educate everyone in your organization

Make sure everyone in your organization is on board and well aware of the rules. This is especially important for employees who are client-facing, since they are the ones who will be asking for and reading the personal data that comes in through chat. It matters because the rules were put in place to protect our personal integrity online, but also because violations can become a very costly affair, to say the least.

The highest level of fines can amount to 20 million euro or four per cent of a company’s global annual turnover, whichever is higher, which means that internal education is well worth the effort and the investment.

Do you have questions about our solutions and GDPR? Get in touch!

Did you know that live chat is included in the Telavox widget? It’s free and it’s super easy to install on your website.
