Woebot Labs’ GDPR Compliance Plan

What is GDPR?

The European Union (EU) issued the General Data Protection Regulation (GDPR) in order to improve upon data privacy laws and influence the ways organizations manage data privacy. GDPR policy must be in place by May 25, 2018.

GDPR impacts all organizations located geographically within the EU, as well as those that are located outside of the EU if they collect, store, and/or manage data of EU subjects.

How will Woebot Labs manage GDPR?

Woebot Labs will be compliant with GDPR by May 25, 2018. We will readily communicate our process of readiness to ensure current updates are easily accessible to you.

1) Remaining committed to ensuring and reviewing a reliable data infrastructure.

As a cloud-based company, we have the benefit of many great tools to assist us in protecting your data and running a reliable service. We constantly monitor our infrastructure to ensure its quality. We also work hard to stay up to date with the latest best practices to keep our services running smoothly and securely. We pride ourselves on meeting the higher standards required by laws such as GDPR by applying them to all of our users, worldwide.

2) Ongoing transparency regarding Woebot Labs’ data policies and procedures.

Since the company’s inception, Woebot Labs has been committed to safeguarding user data and their privacy. Woebot Labs will continue to monitor GDPR regulations and will adjust and update compliance planning accordingly and as needed. Updates will be made available on our website.
Encryption: All message data sent to and from Woebot Labs is encrypted. The conversation data in our iOS and Android platforms are also stored encrypted.
Anonymized data: Since the company launched in June 2017, all user data is limited to the minimum amount required for the Service to function. Data is not linked to users in an identifiable way.
Security Infrastructure: We continue to invest in a robust security team which oversees and maintains:
a) the integrity of the data infrastructure
b) clear and compliant privacy policy and consent forms
c) security incident procedures and notifications that meet GDPR requirements
Data Portability: Users are able to request and delete their data. Procedures for requesting data and/or deletion are in place.

More about GDPR.

EU GDPR Compliance Website

Woebot Labs & GDPR

In 2016 the EU announced its plans for making companies responsible for the data protection of all EU citizens, regardless of where the company resides geographically.

At Woebot Labs, rooted in scientist-practitioner philosophies, we have been preparing for full compliance by May 2018, and we can say it has been an exceptionally validating and, dare I say it, even enjoyable process. Here’s why… Yes, validating and enjoyable.

GDPR is different than HIPAA

What makes EU’s General Data Protection Regulation (GDPR) stand apart from the United States’ Health Insurance Portability and Accountability Act (HIPAA) is that the former is a fundamentally person-centered approach. Much of this is owed to how GDPR was developed – beginning with European legislators seeking to understand the privacy issues that concern their citizens, and their opinions on the bounds of privacy tolerance, from both an ideological and practical standpoint.

Whilst legislating for health privacy tech is a good idea, HIPAA focuses more on specific technical requirements than GDPR does. It provides a clear roadmap for the tech architecture that must be in place to meet minimal acceptable security standards, and it is clearly interpretable and certainly helpful. One of my fears with HIPAA, however, is that users can assume that just because something is “HIPAA compliant”, it is 100% trustworthy, but this isn’t always the case. HIPAA compliant software companies can still be hacked, or be exposed to other vulnerabilities that may be overlooked, perhaps due to poor user-centered privacy design decisions.

GDPR law, in contrast, is founded upon user-centered principles, which means that developers are forced to think through privacy by design at every level of development, and to either change or defend their workflows from the position of putting people’s privacy first. Instead of simply checking boxes, this elevates the conversation and fosters a much higher standard of data protection.

Woebot is User-Centered

We are fortunate that Woebot was originally developed from a user-centered position. For example, upon user request Woebot can delete data and thus mirrors the GDPR principle referred to as “the right to be forgotten”. Also, our informed consent procedures during app onboarding are borrowed from best practice for human-centered research.

Leading the Way…

Indeed, GDPR moves away from a perception that there is a “right” way of doing things versus a “wrong” way. Instead it forces a deeper, more nuanced level of design, grounded in sensible protection rather than prescription, which is imperative as new data-driven technologies come on stream, and it can actually push the field further. And we think that is a very positive thing.
