GDPR: processing biometric data

The collection of individuals’ biometric data is increasing, and the way it is processed continues to grow more sophisticated. Like any form of data, biometrics are potentially accessible by malicious sources. The stakes of potential biometric data breaches are much higher than other types of breaches. You can always replace a credit or debit card if your financial information is compromised, but if hackers broke into MasterCard’s ‘selfie pay’ tech, you would find it impossible to replace your face.

No previous data protection law addressed biometric data, but this will change when the General Data Protection Regulation (GDPR) comes into force on May 25, 2018. Twenty-eight countries are impacted including the UK. The GDPR attempts to balance the innovative ways biometrics are of use to the modern world with the need for responsible collection, storage and use.

What is biometric data?

The GDPR broadly defines biometric data as: “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”. It is one of the special categories of personal data that can only be processed if:

• The data subject has given explicit consent
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in justifiable circumstances
• Processing is necessary to protect the vital interests of the data subject
• Processing is necessary for the establishment and exercise of defence of legal claims
• Processing is necessary for reasons of public interest

In defining biometric data under such broad terms, the GDPR appears to implicitly acknowledge that biometric technology is relatively nascent and will continue to evolve. As such, the definition seems well-positioned to encompass types of biometric data that may arise through the development of future technology. The definition recognises two categories of information that could be considered biometric data. The first is information pertaining to bodily characteristics i.e., a person’s physical or physiological traits. This category is straightforward and generally what most people would think of as biometric data: facial information, fingerprints, iris scans, etc.,

Behavioural information

The second category, behavioural information, is broader. Logically, any ‘behavioural characteristics’ that could permit the unique identification of a person would be considered biometric data. However, it is unclear just how narrowly regulatory authorities will interpret this category or what limiting principles, if any, will guide their analyses. Plausibly, information pertaining to someone’s habits, actions or personality could be considered behavioural information. This is a potentially broad category as it has no nexus to the sort of bodily information typically thought of as biometric data. Due to this inherent uncertainty, data controllers must closely monitor guidance relating to behavioural information deemed biometric data.

One critical impact of the GDPR’s classification of biometric data as sensitive personal data is that data controllers will need to conduct privacy impact assessments for many forms of biometric data processing. A key reason for this is that many forms of biometric data processing involve the use of modern technology. Many forms of biometric data processing will trigger the GDPR’s mandatory privacy impact assessment requirement. This is because it is foreseeable that biometric data processing will be increasingly conducted on a large scale, employ automated processing, and in some applications systematically monitor publicly accessible areas e.g. using facial-recognition technology to monitor individuals in retail settings. In such instances where privacy impact assessments are necessary to process biometric data, data controllers will need to identify the risks the processing presents to data subjects, and implement measures tailored to mitigate those risks. Such risk mitigation efforts are important as they will permit data controllers to avoid prior consultation with supervisory authorities.

 

Processing Biometric Data

There are many benefits to using biometrics: it is a more secure way of authenticating someone’s identity, and as part of a multi-factor authentication system, biometrics can vastly reduce the chances of hacking. It is also much more user-friendly than password, pins, fobs or ID badges. While GDPR does not overtly suppress the ways in which you can use biometric data, it does emphasise the need for caution. So before processing biometric data organisations must:

• Collect data for a valid reason, fairly and transparently, with the subject’s permission
• Store it safely and securely
• Use it for the purpose for which it was collected
• Retain it for only as long as it is relevant and reasonable

By being clear with data subjects on how you will use their data, you can improve customers’ trust in your organisation, help them understand why sharing is necessary and encourage them to provide their data, people buy into the concept of improved security in an uncertain world.

Almas Industries are European leaders in fingerprint access control and related security solutions with over 25,000 products installed globally. All biometric solutions and installers are not the same, if you’re considering biometric access control or time and attendance solutions, you need expert advice, guidance and help on what is the best solution for your business.

You can arrange your free, no obligation security survey by calling us on 0333 567 6677. If you prefer, you can always send a confidential email via [email protected].