Conversational AI & Data Protection: what should companies pay attention to?

By Published On: July 31st, 2023Categories: Automatisierung, Chatbots & AI

In an increasingly digitalised world, conversational AI technologies are playing an ever greater role. Voice-controlled assistants such as chatbots and voicebots enable businesses to interact with their customers in a personalised and efficient way. The ability to have human-like conversations and handle complex queries has made Conversational AI a powerful tool to optimise customer service and automate business processes, for example.

However, the use of conversational AI also brings challenges, especially with regard to data protection and the handling of (sensitive) user data. The processing and storage of this data requires a high degree of responsibility and transparency on the part of companies in order to gain and maintain the trust of users.

Why is the use of Conversational AI related to data or user data?

Conversational AI is (a) functionally dependent on training data and (b) only meets user experience requirements if it collects certain data to understand the contextual dialogue.

  • The use of Conversational AI relies on data, as this technology relies on gathering enough information and knowledge to function effectively. A Conversational AI system is based on machine learning. This allows the AI to learn from data and continuously improve its performance. To enable this learning, they need large amounts of training data. In order for a Conversational AI to process natural language (NLP), it needs a large amount of text data to recognise patterns and relationships in human language, and to capture the probability and relevance of words and phrases.

    For example, Open AI’s large language model, ChatGPT, was trained with a large amount of text data from various sources on the internet. The training covered a wide range of topics, including Science, History, Literature, Pop Culture and more.

  • In addition, conversational AI needs contextual understanding so that it can provide meaningful value in user interactions. This means it needs to understand the context of a conversation in order to provide appropriate responses. This requires analysis of past questions in the dialogue and access to relevant information contained in the data.

What sensitive data does Conversational AI access?


Conversational AI systems collect various types of sensitive data to enable personalised interactions and services. This sensitive data includes personal identification data such as names, email addresses, phone numbers and social profile data. It is used to identify the user and provide personalised services. It depends on the use case what data is used and how sensitive it is.

If it is a use case of a financial service provider, Conversational AI systems need to collect financial data, especially if it is used to process financial transactions or payments. In such cases, sensitive information such as credit card information or bank account details are captured to authorise payments and complete transactions.

In healthcare, Conversational AI systems are used to collect information about medical conditions, symptoms or treatments. Sensitive data such as medical histories, medical diagnoses and prescribed medications can be collected. This data is used to provide personalised medical advice or recommendations.

Furthermore, location data is accessed in certain use cases. It is used to provide location-based services or information. Location data can be collected either live via GPS tracking or through prior location sharing by the user. It is used to provide personalised location services, travel information or local recommendations.

What measures should companies take to ensure the protection of sensitive user data in Conversational AI?

To protect user data and privacy, companies need to consider a number of aspects – at a corporate, legal and technical level:

  • Ensuring transparency in Conversational AI is crucial to give users a clear overview of data processing. Companies should transparently communicate to users how their data is collected, used, stored and shared. This can be done through clear and understandable privacy policies, terms of use or privacy notices. The information should be easily accessible and written in a language that users can understand.
  • Users should be able to give their consent to the collection and processing of their data and to withdraw this consent at any time. It is important that companies clearly state what data is collected and for what purpose it is used. In addition, users should have control over their data and be able to adjust their privacy settings.
  • Conversational AI systems use complex algorithms to analyse data and provide personalised responses. Companies should provide users with information on how these algorithms work, especially on the possible impact on decisions or recommendations. Disclosure of criteria and factors used in processing the data can contribute to transparency.
  • Companies should clearly state the purpose for which they collect users’ data and how they use it. This may include providing personalised services, improving system performance, developing new features or meeting legal requirements. Clear data use purposes give users a better understanding of why their data is being collected.
  • Users should have the right to access their collected data and correct or delete it if necessary. Companies should provide clear procedures to meet these requirements and allow users easy access to their own data.
  • It is important to note that the implementation of transparency in Conversational AI should be done at both a corporate and legal level. Data protection laws such as the General Data Protection Regulation (GDPR) in the European Union set certain requirements for transparency and privacy. Compliance with such regulations can help ensure transparency. Companies must take the necessary measures to ensure that users’ data is adequately protected and handled in accordance with applicable data protection regulations.
  • Data protection measures should already be considered during the development of Conversational AI systems by integrating them into the system design. This includes techniques such as anonymisation, pseudonymisation or encryption to ensure data confidentiality.
  • Data transmission between users and Conversational AI should be encrypted to ensure secure transport of sensitive data. In addition, appropriate security measures for the storage of data should be implemented to prevent unauthorised access or data leakage.
  • Access to the collected data should be limited to authorised persons. Internal policies and procedures for access control should be implemented and data should only be kept for a limited period of time and regularly deleted when no longer needed.
  • Regular security audits and data protection audits are necessary to identify potential vulnerabilities and close security gaps. Transparent information policies, where users are clearly informed about the data collected, the purpose for which it is used, how long it is stored and how they can control it, are also important.

In summary, it is important to implement adequate data protection measures to minimise the risk of data breaches and to protect the privacy of users. At the same time, companies should provide transparent information about data processing and enable user control and consent. Compliance with applicable data protection laws is essential to ensure the protection of sensitive user data.


Conversational AI is closely linked to the processing of user data, as this technology relies on data to function effectively. Companies need to be transparent about the type of data collected, the purpose for which it is used and how it is stored. Users should have control over their data and be able to give and withdraw consent for data processing. Companies should provide clear procedures for viewing, correcting and deleting user data.

More articles