GDPR-Compliant AI Chatbots: The 6-Step Checklist for Irish Businesses
Your chatbot is collecting more data than you think. Here's the exact 6-step checklist Irish businesses need before deploying an AI chatbot, with DPC guidance and vendor questions.
You added a chatbot to your website to handle customer enquiries. What you probably don't know is that it's been collecting personal data from every visitor: names, email addresses, conversation content, and in some cases IP addresses and device information. All of it stored on servers you've never checked.
That's a GDPR problem. And in Ireland, the Data Protection Commission is the most active regulator in the EU.
Here's the 6-step checklist you need to run before your chatbot goes live (or as soon as possible if it's already running).
What Your Chatbot Actually Collects (It's More Than You Think)
Most business owners think their chatbot collects "just the conversation." Wrong.
Here's what actually flows through a typical chatbot: conversation transcripts, visitor name and email (from forms), IP address, browser and device info, timestamp and session data, pages visited before and during chat, any files uploaded. That's a lot of personal data.
If your chatbot has a lead capture form, you're collecting personal data, and the information duties in GDPR Articles 13 and 14 apply. If your chatbot uses AI processing, the conversation content gets sent to a third-party API (OpenAI, Anthropic, whoever) for response generation. That's a data transfer outside your control.
The first step is knowing exactly what flows where. Most businesses skip this part entirely. Don't be most businesses.
Step 1: Map Your Chatbot's Data Flows
Draw the path: visitor types a message. The chatbot widget captures it. The message gets sent to your chatbot platform (Intercom, Tidio, Voiceflow, Crisp, or custom). Then it gets forwarded to an LLM API. The response comes back. The conversation gets stored. Maybe it syncs to your CRM.
Each hop is a potential GDPR compliance point.
Answer these questions: Where exactly are conversations stored? Who has access? Is data encrypted in transit? Does the platform send data outside the EU? Is conversation data used to train the vendor's AI model? Does the vendor process any data on your behalf?
If you can't answer all of these, you're not compliant. That's fixable. It just takes an afternoon of vendor due diligence.
Step 2: Choose Your Legal Basis (Consent Isn't Always Required)
GDPR requires a legal basis for processing personal data. For chatbots, two apply.
Legitimate interest: if the chatbot helps deliver a service the visitor requested (answering questions, booking appointments). You don't need explicit consent, but you do need to document the legitimate interest assessment. This is the most common basis for customer support chatbots.
Consent: if you're collecting data for marketing, lead nurturing, or anything beyond the immediate service. Consent requires explicit opt-in before collection. You can't sneak it in.
Most business chatbots fall under legitimate interest for the conversation itself, but need consent for the email capture and lead gen part. The distinction matters: if your chatbot asks for an email and subscribes them to a newsletter, that's consent territory. If it asks for an email to send a booking confirmation, that's legitimate interest.
Document which basis applies to your chatbot. You'll need this for your Data Protection Impact Assessment in Step 5.
Step 3: Update Your Privacy Policy (Be Specific About the Chatbot)
Your privacy policy must specifically mention your chatbot. Generic language about cookies and analytics doesn't cover it.
Here's what to add:
"We use an AI-powered chat system on our website to answer visitor questions and capture enquiries. This system collects your name (if provided), email address (if provided), conversation content, IP address, and browser information. Conversations are processed by [vendor name] and stored on servers located in [location]. Data is retained for [period]. If you provide your email address through the chat, we'll use it to [specific purpose]. You can request deletion of your data at any time by contacting [email]."
Replace the bracketed parts with your actual details. Most businesses update their privacy policy in under an hour. It's the easiest compliance step and the one most often skipped.
Run it past whoever handles data protection in your business (or an Irish GDPR specialist if you don't have one). A single sentence that's too vague is worse than no mention at all.
Step 4: Ask Your Vendor These 8 Questions Before You Sign Anything
This is the section that saves Irish businesses the most trouble. Ask these questions before you deploy anything.
1. Where are customer conversations stored? Acceptable: EU data centre. Red flag: "AWS" with no region specified. You need a data centre in the EU, ideally Ireland or another EU country.
2. Do you have a Data Processing Agreement ready to sign? All reputable vendors have one. If they hesitate or say it's only for enterprise customers, walk away. Every business processing personal data on your behalf needs a DPA.
3. Is conversation data used to train your AI models? Many platforms do this by default. You won't know unless you ask. If they say yes, ask if you can opt out. If they won't let you, that's a red flag.
4. Can I delete a specific user's conversation data on request? GDPR Article 17 gives people the right to erasure. Your vendor must support this. You need to be able to process deletion requests within 30 days.
5. What encryption do you use for data at rest and in transit? Minimum requirements: TLS 1.2 in transit, AES-256 at rest. If they can't tell you, they haven't thought about security.
6. What's your breach notification timeline? GDPR requires the DPC to be notified within 72 hours. Your vendor should notify you within 24 hours so you have time to notify the DPC yourself. Get this in writing.
7. What happens to my data when I cancel the service? Data should be deleted or returned within 30 days of contract end. Not "eventually deleted." Not "stored for a while." Thirty days.
8. Do you have Standard Contractual Clauses for non-EU transfers? If any data leaves the EU (even temporarily for processing), SCCs are required. They're the legal mechanism that makes these transfers compliant.
If the vendor can't answer all eight clearly, they aren't ready for the Irish market. Move on.
Step 5: Complete a Chatbot-Specific DPIA in 90 Minutes
A Data Protection Impact Assessment sounds intimidating. It isn't, especially for a chatbot.
For a chatbot, you need four sections.
What data does the chatbot collect? Use the list from Step 1. Write down everything that flows through the system.
What are the risks? Data breach at the vendor's end, unauthorised access to your account, conversation data containing sensitive information (health details, financial data, anything someone mentioned they shouldn't have), accidental data exposure from misconfigured servers. Think about what could go wrong.
What controls are in place? Encryption, access restrictions at the vendor, data retention limits, the Data Processing Agreement you're signing, vendor certifications (ISO 27001, SOC 2). Write down what you've actually put in place.
What's the residual risk after those controls? Typically low for a standard customer support chatbot on a business website. Higher if you're collecting sensitive data or using an untested vendor.
The DPC publishes DPIA templates at dataprotection.ie. Fill in the chatbot-specific details from Steps 1 through 4 and you're done. This usually takes 90 minutes for a straightforward setup.
Keep it on file. If a customer complains to the DPC about your chatbot practices, this document proves you thought it through before deployment. It's the difference between a minor inquiry and a formal investigation.
For the broader GDPR and AI compliance framework, check our complete GDPR guide for Irish businesses.
Step 6: Build a 72-Hour Breach Plan
What happens if your chatbot vendor gets breached and customer conversations are exposed?
You have 72 hours from becoming aware to notify the DPC. The law doesn't give you longer. Your vendor should notify you within 24 hours so you have time to act.
Write a one-page plan covering: who gets notified internally (name the person, don't be vague), how you contact the DPC (breach.report@dataprotection.ie is the email), what you tell affected customers, what remediation steps you take immediately. This plan should exist before your chatbot goes live. It takes 30 minutes to write.
Not having it when something goes wrong can cost thousands in fines and weeks of panic. Have it ready.
The Compliance Payoff
Running through these six steps takes about four hours total. You'll end up with a mapped data flow, a vendor agreement with proper safeguards, updated privacy documentation, an impact assessment on file, and a breach response plan.
That's the baseline for a compliant chatbot in Ireland. It's not complicated. It's just methodical.
The DPC has been active on chatbot deployments. They've fined companies for vague privacy policies, missing Data Processing Agreements, and data transfers without proper safeguards. These aren't obscure violations. They're the fundamentals.
Not sure if your chatbot setup passes the test? Our AI Audit Tool runs through 8 questions about your current operations and flags compliance gaps in 5 minutes. It's free, and you'll get a clear picture of what needs fixing.
FAQ
Q: Does my chatbot need a cookie consent banner?
A: If your chatbot widget sets cookies (most do, for session tracking), yes. The cookie banner should mention the chatbot specifically. If your chatbot only uses session-based storage without persistent cookies, a privacy policy mention is sufficient. Check with your vendor on what they actually do.
Q: What if someone shares health information in a chat?
A: Health data is "special category" data under GDPR Article 9. If your chatbot might receive health information (dental clinics, physiotherapy, GP practices, anywhere health is discussed), you need explicit consent before the conversation starts and heightened security measures. Consider a pre-chat notice: "Please don't share medical information in this chat. For sensitive health enquiries, contact us directly."
Q: Can I use chatbot conversations to train my own AI model?
A: Only with explicit consent from the people in those conversations. Using customer data for model training is a new processing purpose that goes beyond the original reason they chatted with you. You'd need a separate opt-in, a documented purpose, and a way to remove someone's data from the training set if they request it. Most businesses don't go here. Stick with your vendor's models instead.
Q: Do I need a Data Protection Officer for a chatbot?
A: Probably not. DPOs are required for public bodies or businesses doing large-scale systematic monitoring. A customer support chatbot on a small business website doesn't trigger this requirement. But you should designate someone internally as responsible for data protection decisions and vendor oversight.
Q: What if my chatbot vendor is American?
A: That's fine as long as they offer EU data storage, have Standard Contractual Clauses in place, and provide a Data Processing Agreement that meets GDPR requirements. Most major platforms (Intercom, Tidio, Crisp, Drift) offer EU hosting options. Check before you sign up. If they only offer US data storage, look for an alternative.
Q: How long can I keep chatbot conversation logs?
A: Only as long as you have a legitimate reason. For customer support conversations, 90 days is reasonable. For lead capture data, 12 months maximum unless the person becomes a customer. Document your retention policy and stick to it. Keeping conversations "just in case" violates the data minimisation principle and wastes storage space.
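The retention rules above (90 days for support, 12 months for leads unless they become customers) and the Step 4 erasure requirement can be enforced by a scheduled purge rather than by memory. This is an added example, not the article's own tooling; the record fields, dates and email addresses are constructed, and treating a converted lead's data as governed by the customer relationship is an assumption.

```python
from dataclasses import dataclass
from datetime import date

SUPPORT_DAYS = 90   # page: 90 days is reasonable for support conversations
LEAD_DAYS = 365     # page: 12 months maximum for lead capture data

@dataclass
class Conversation:
    conv_id: str
    subject: str               # who the conversation is about, e.g. an email address
    kind: str                  # "support" or "lead"
    last_activity: date
    is_customer: bool = False  # lead who converted: the 12-month cap no longer applies

def should_purge(c: Conversation, today: date, erasure_requests: set[str]) -> bool:
    """True when the record must go: an erasure request (Art. 17) always wins,
    otherwise the record has outlived the retention period for its purpose."""
    if c.subject in erasure_requests:
        return True
    age = (today - c.last_activity).days
    if c.kind == "support":
        return age > SUPPORT_DAYS
    if c.kind == "lead":
        # Assumption: a converted lead's data is retained under the customer relationship.
        return not c.is_customer and age > LEAD_DAYS
    raise ValueError(f"unclassified record kind {c.kind!r}: classify it before keeping it")

def purge_plan(records, today, erasure_requests=frozenset()):
    """Return (delete_ids, keep_ids) so the run can be logged before anything is deleted."""
    delete = [c.conv_id for c in records if should_purge(c, today, erasure_requests)]
    keep = [c.conv_id for c in records if c.conv_id not in delete]
    return delete, keep

# Constructed sample run, pinned to a fixed date so the result is reproducible.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Conversation("c1", "a@example.com", "support", date(2024, 3, 1)),
    Conversation("c2", "b@example.com", "support", date(2024, 5, 1)),
    Conversation("c3", "c@example.com", "lead", date(2023, 5, 15)),
    Conversation("c4", "d@example.com", "lead", date(2023, 5, 15), is_customer=True),
    Conversation("c5", "e@example.com", "support", date(2024, 6, 20)),
]
ERASURE = {"e@example.com"}  # subject who asked for deletion

if __name__ == "__main__":
    print(purge_plan(SAMPLE, TODAY, ERASURE))  # (['c1', 'c3', 'c5'], ['c2', 'c4'])
```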
Related Reading
GDPR and AI in Ireland: What Every Business Needs to Know covers the complete GDPR framework for all AI tools, not just chatbots.
AI Chatbot vs Live Chat: Which Is Right for Your Irish Business? explains the types of chatbots and their different data implications.
AI Chatbots for Irish Law Firms walks through sector-specific compliance in the highest-stakes GDPR environment.
AI Chatbots for Irish Retail shows how retail chatbots handle purchase and loyalty data compliantly.
AI for Irish Businesses: The Complete Guide puts chatbots in context with your broader AI strategy.