As part of the IAPP Europe Data Protection Congress 2020 Online, the IAPP awarded the 2020 HPE-IAPP Privacy Innovation Award to the Data Exchange Chatbot DEX, a collaboration between Deloitte Legal and University Medical Center Utrecht.

The chatbot is currently focused on the health care sector, providing personnel at health care organizations with direct answers to privacy questions, ranging from basic to complex. The chatbot’s main purpose is to reduce the burden of commonly asked questions for compliance personnel, simultaneously reducing privacy compliance expenses and raising privacy awareness throughout the health care organization.

The HPE-IAPP Privacy Innovation Awards recognize unique programs and services in global privacy and data protection in the private and public sectors that integrate privacy in such a way that elevates its value both as a competitive differentiator and a centerpiece of customers' and citizens' trust.

Rob Peters and Peter Kits, members of the Deloitte Legal team that developed the tool, call the Data Exchange Chatbot DEX “a compliance through digital tool” and note the Privacy Innovation Award will help to spread awareness and acceptance of the technology’s possibilities within the privacy field.

“Every privacy professional knows what the IAPP stands for, so having that award granted and having that connection, we really think, is going to help us with the acceptance level of the chatbot,” they said. “If it helps with getting more technology solutions to the privacy field, that would be pretty amazing.”

The concept for the tool, Kits said, originated from discussions with the UMC Utrecht legal and privacy departments and its data protection officer about challenges they faced in daily work, including handling privacy issues.

“We discussed that using technology might bring the solution to help eliminate the greatest burden of privacy questions that arise within a hospital and/or facilitate answering these questions,” Peters said. “It started with the privacy chatbot. A chatbot is not the difficult part, every self-respecting website has one nowadays, but they are mostly related to customer support. One of the things I had not seen yet is a properly working compliance chatbot, with a focus on handling data exchange questions within a hospital environment.”

Partnering with UMC Utrecht to understand and address a hospital’s needs, the team developed the chatbot using privacy dialogues and algorithms that can directly answer questions. If it is unable to answer a more complex question, the chatbot will redirect the user to the correct compliance professional. It also recognizes frequently asked questions and themes, providing the hospital with insight for potential training or awareness programs.

“It solves the problem of answering easy, repetitive questions directly. Moreover, it enables everybody within the organization to easily ask the privacy questions that they have,” Peters said.

As an example, when asked, “What are the data privacy rights of patients?” the chatbot responded with a list of 10 data subject rights, including the right to be informed, right of access, right to rectification, right to erasure, and right to data portability.

Kits said the chatbot has been developed with privacy at the forefront, so questions are addressed in a general way, and no patient or personal data is used. If, in some circumstances, personal data is included in a user’s correspondence with the chatbot, it will not proceed.

It took about a year-and-a-half to develop the tool with its current functionalities, Peters said. Creating a fully functioning chatbot covering privacy and legal items, like the EU General Data Protection Regulation, was a time-consuming and challenging process, as was enabling the tool to speak and understand the jargon used by personnel at a health care organization.

“The difficulty of a chatbot is not what should be the correct (legal) answer, but what is the way that people are asking privacy questions. That is really difficult. Health care providers use wording and frame questions in certain ways,” Peters said. “The process of working together with the hospital was crucial for us to get those valuable insights.”

The chatbot is in its final stage of a pilot phase and will be ready to implement in health care facilities once the pilot is successfully completed, Peters said. He noted the goal is to, first, introduce the chatbot in hospitals within the Netherlands, then to expand to neighboring countries and internationally. Related industries, like pharma or life sciences, are also promising areas to introduce the value of such technology solutions, he said.

HPE-IAPP Privacy Innovation Awards are judged by a panel of voluntary privacy experts who represent a variety of industries, sectors and geographies. Judges called the Data Exchange Chatbot DEX “innovative” and “futuristic,” with one judge saying, “It will certainly be the starting point for something bigger that may give us several insights.”

Photo by Giorgio Trovato on Unsplash