Slack bots and GDPR
The first post of this series on GDPR was on the question of what personal data is. To summarize, it is not only about obviously personally identifiable information such as the postal addresses of customers. I intend to write this series with a strong focus on practicality instead of staying superficial. This post analyzes the relation between Slack bots and GDPR.
Slack and Slack bots
With its focus on frictionless team communication, Slack quickly became a standard for startups and is also moving more and more into the corporate world. One of Slack’s benefits is that you can easily integrate third party services and different data sources to have one central workplace.
Early on, Slack opened up for third party providers to offer integrations and bots that interact with actual users in your Slack workspace. That ranges from rather simple daily posts of certain metrics (such as app downloads), through automated polls, to more complex behaviour. And, as mentioned above, Slack is often used as the central communication tool in a company. To achieve a certain level of transparency, many startups, especially young ones, also automatically post app reviews (assuming they build apps) or user support emails in a dedicated Slack channel. There are a lot of benefits to it. Everyone can be easily informed about user needs and bug reports and can react quickly — very important in an early phase startup.
Impact of GDPR
Don’t get me wrong, transparency on information is very important. But with GDPR there are some more things to consider when it comes to personal data. First, you have to do some homework when processing personal data in a third party tool:
1. You need to mention this in your privacy policy to show transparency of data processing.
2. If the third party company is located outside of the EU (and Slack is headquartered in San Francisco, US), you need to check whether you can work with them. Without going into too much detail (there’s a dedicated blog post following), Slack is part of the EU-US Privacy Shield. That means GDPR regards the personal data as having “an adequate level of protection”.
3. You should have a data processing agreement in place.
“Right to erasure”
This is all doable without too much hassle. But you need to be aware of what personal data you have in Slack. And that’s not all: GDPR also requires you to offer certain rights to your users, such as the right to erasure. That poses the question of how you want to deal with it. For sure, you will have the personal data not only in Slack but also in another place; in the example of user support emails, you will have a dedicated tool for that. Now, when someone requests you to delete their personal data, you need to delete it in the dedicated tool as well as in Slack. That’s certainly possible, though potentially a lot of work. So you should reconsider whether you continue using Slack for personal data in addition to the tools that you use anyway.
Compliance of Slack bots
Now coming back to Slack bots. Slack bots can have access rights that let them read basically all your public and private channels, and some even your private messages. If those bots are operated by a third party and they can read your Slack channels containing personal data, you would need to do all the things described in this article. And you probably don’t want to mention dubiously named software in your privacy policy.
Even if you have no personal data in Slack (anymore), you may want to check whether you have bots in there with overly broad access rights, simply for the reason that this can leak your valuable company information (e.g. business or patent information).
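One way to make that check repeatable is to go through the list of installed apps and flag every one whose granted scopes allow reading conversation content. The script below is an added example written for this post, not code from the original article or from Slack. It takes a constructed inventory of installed apps (the app names, vendors and the JSON layout are assumptions made for the example; a real inventory would come from your workspace's app management page) and reports which apps hold scopes that expose message content, files or member email addresses. The scope names themselves are Slack's published OAuth scope names.

```python
"""Audit an inventory of installed Slack apps for content-reading scopes.

Added example for this post, not code from the original page or from Slack.
The inventory format, app names and vendors below are constructed for the
example; the scope names are Slack's published OAuth scope names.
"""
import json
from typing import Dict, List

# Scopes that let an app read the content of conversations or member data,
# and therefore any personal data that ends up in Slack (support emails,
# app reviews, ...). Value = plain-language reason for the report.
CONTENT_READ_SCOPES: Dict[str, str] = {
    "channels:history": "read messages in public channels",
    "groups:history": "read messages in private channels",
    "im:history": "read direct messages",
    "mpim:history": "read group direct messages",
    "files:read": "read files shared in the workspace",
    "users:read.email": "read members' email addresses",
}

# Constructed sample inventory (not real apps or vendors).
SAMPLE_INVENTORY = json.dumps([
    {"name": "metrics-poster", "vendor": "internal",
     "scopes": ["chat:write", "incoming-webhook"]},
    {"name": "poll-o-matic", "vendor": "ExampleVendor Inc",
     "scopes": ["chat:write", "commands", "channels:history"]},
    {"name": "archiver9000", "vendor": "UnknownCo",
     "scopes": ["channels:history", "groups:history", "im:history", "files:read"]},
])


def audit_inventory(inventory_json: str) -> List[dict]:
    """Return one finding per app that holds at least one content-reading scope.

    Findings are ordered by exposure: apps with more content-reading scopes
    first, third-party apps before internal ones, then by name.
    """
    apps = json.loads(inventory_json)
    findings = []
    for app in apps:
        vendor = app.get("vendor", "unknown")
        risky = sorted(s for s in app.get("scopes", []) if s in CONTENT_READ_SCOPES)
        if not risky:
            continue  # bot can post but cannot read content: no finding
        findings.append({
            "name": app["name"],
            "vendor": vendor,
            "third_party": vendor != "internal",
            "scopes": risky,
            "reasons": [CONTENT_READ_SCOPES[s] for s in risky],
        })
    findings.sort(key=lambda f: (-len(f["scopes"]), not f["third_party"], f["name"]))
    return findings


def format_report(findings: List[dict]) -> str:
    """Render findings as text for a review meeting or a compliance record."""
    if not findings:
        return "No installed app holds content-reading scopes."
    lines = []
    for f in findings:
        who = "third party" if f["third_party"] else "internal"
        lines.append(f"{f['name']} ({f['vendor']}, {who}) can: " + "; ".join(f["reasons"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_inventory(SAMPLE_INVENTORY)))
```

Every app that shows up in the report is one you either have to cover in your privacy policy and data processing agreement, or whose scopes you reduce (or which you remove). Apps that only hold posting scopes such as chat:write do not appear, since they cannot read what is in the channels.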
Overall, this doesn’t mean that you need to disable all Slack bots that you find useful. But you should double-check, both for GDPR and for the safety of your own data.
This post is part of a series on my learnings with GDPR. Please keep in mind that, though based on diligent work, it can contain mistakes and misunderstandings of the legislation. Please let me know if you find such parts.