User data, RGPD, data circulation… data protection has become unavoidable, and indeed extremely important, for any website or application. Maître Pierre Vivant, partner at Bettati & Vivant Avocats, talks to YourDay The Mag about the importance of proper protection.

We’re all about user data, but what exactly does that mean?

Pierre Vivant: “User data” is not a notion employed by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.

This one actually deals with “personal data”.

User data, as the user of a website or an application for example, is only one part of personal data. Personal data also includes, for example, employee data.

What exactly do you mean by the term “user data”?

P.V: By user data, we obviously mean the data entered directly by the user to register, for example, on a website or an application, and which includes various elements such as an e-mail address, a pseudonym, but also a physical address, a first and last name, a date of birth… which differ depending on the registration form. But user data is also made up of other information that the user communicates unconsciously. This may include, for example, the length of the connection or the customer’s browsing experience on the website, which can be used to target the user’s interests.

“This data conveys information about the user (profile, tastes, choices, activities…)”.

Why is it important to protect it?

P.V: This data provides information about the user (profile, tastes, choices, activities…). They enable us to learn about aspects of a person’s private life. For this reason, it is necessary to protect them, which is the focus of the RGPD regulation (and the 1978 Data Protection Act, which is still in force). For the individual, this protection is necessary to limit a possible intrusion into his or her private life.

For the company, this protection is essential on two levels. Which are they?

P.V: The first is, of course, to comply with regulatory obligations, to avoid any legal sanctions. The second is to gain the trust of customers. Customers who know that their personal data is only used for a specific purpose, and that its security is guaranteed, will have confidence in the company. It’s an argument that helps companies build customer loyalty.

What are the key points to know before retrieving data?

P.V: You have to make sure you comply with the Regulation, and ask yourself the right questions: what data is being recovered? For what purpose? Who has access to it? How long is it kept? How is it stored/where is it hosted?

It’s important to go through this process to ensure that the regulations are complied with, before collecting any data.

It is then essential to inform the data subject. After all, data cannot be collected without the data subject’s knowledge. Finally, in certain situations, consent must be obtained.

What does a brand risk if it fails to protect its users’ data?

P.V: There are two risks. The first is financial: in the event of infringement, the CNIL can impose penalties, including fines of up to 20 million euros, or in the case of a company, up to 4% of annual worldwide sales.

The second is reputational: being sanctioned by the CNIL, or even having only a public formal notice issued, can have the effect of damaging a brand’s reputation and image in the eyes of its customers.