GDPR: Things to consider when processing biometric data

Biometric data can be used for all kinds of reasons: fingerprint scanning to unlock iPhones, facial recognition software to improve security systems and even ear canal authentication for headphone security.

But like any other form of data, biometrics can be stolen by malicious actors, and the stakes of a biometric data breach are higher than those of most other breaches. You can replace your payment card if your financial information is compromised, but if attackers broke into MasterCard’s ‘selfie pay’ technology you could not replace your face: a biometric is permanent, so a leaked template stays compromised for life.

Few currently enforced data protection laws address biometric data specifically, but the EU General Data Protection Regulation (GDPR) covers it in detail. The Regulation, which applies from 25 May 2018, enhances individuals’ rights regarding their personal data, and attempts to balance the innovative capabilities that biometrics provide against organisations’ obligation to collect that data responsibly and keep it secure.

Although it is an EU regulation, the GDPR will still have a big influence across the Asia–Pacific region: under Article 3(2) it applies to organisations anywhere in the world that offer goods or services to people in the EU, or monitor their behaviour, regardless of where the organisation itself is established.

What is biometric data?

The GDPR (Article 4(14)) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.

Note the phrase “specific technical processing”: a photograph or a voice recording is personal data, but it only becomes biometric data once it has been processed into a template that identifies or verifies someone (Recital 51 makes this point about photographs).

Biometric data processed “for the purpose of uniquely identifying a natural person” is one of the “special categories of personal data” (Article 9), whose processing is prohibited unless one of the Article 9(2) conditions applies, including:

  • The data subject has given explicit consent;
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, where authorised by Union or Member State law;
  • Processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
  • Processing is necessary for the establishment, exercise or defence of legal claims; or
  • Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.

Article 9(2) lists further conditions (for example data manifestly made public by the data subject, preventive or occupational medicine, public health, and archiving, research or statistics in the public interest), and Article 9(4) allows Member States to impose additional conditions or limitations specifically on biometric data, so check national law as well as the Regulation.

Processing biometric data

There are many benefits of using biometrics. A biometric cannot be forgotten, chosen badly or casually shared, so it removes the weak-password problem from authentication. It is not a secret, though: faces are photographed and fingerprints are left on every surface, matchers work on a probabilistic similarity threshold with a non-zero false acceptance rate, and presentation attacks (a printed photo, a moulded fingerprint) take the place of brute force. Worse, a compromised template cannot be rotated the way a password can. Biometrics are therefore strongest as one factor in a multi-factor authentication system, alongside a device the user possesses or a secret they know, where they can vastly reduce the chances of attackers breaking into users’ accounts.

Organisations are also using biometrics for increasingly creative research and data analytics purposes. For example, Biometric Advertising claims that it can “capture consumer behavior and instantly interpret their reactions to your specific message, display or brand identity”. Herta Security is using facial recognition software in casinos and high-end retailers to alert employees when a member of a VIP loyalty programme enters the shop.

The GDPR certainly won’t suppress these kinds of uses of biometric data, but it does emphasise the need for caution. Before processing biometric data, organisations must:

  • Have a lawful ground to process biometric data

You need a lawful ground under Article 6 whenever you process personal data, and for biometric data you must also satisfy one of the Article 9(2) conditions above. Consent is usually the least preferable option: it must be freely given, specific, informed and unambiguous (and, for special category data, explicit), it can be withdrawn at any time, and it is unlikely to be valid where there is a clear imbalance of power, such as between an employer and its staff. Wherever another ground fits, rely on that first.

  • Consider whether they really need biometric data

Organisations can create a lot of fun and novel technologies thanks to biometric data, but if the data needed to verify your identity is significantly more sensitive than the information it gives users access to, you might be better off using a less rigorous authentication process. This is the data minimisation principle (Article 5(1)(c)) applied to authentication. Security should always be a top priority, but storing highly sensitive information adds extra obligations for your organisation to follow, and you may find that you can get similar levels of security from another form of verification.

Similarly, many organisations may be tempted to use biometrics just because the tech is there. In that case, the processing of biometric data probably reveals more about the data controller’s habits than the data subjects’.

  • See the opportunities that privacy and security present

The GDPR (Article 32) requires controllers and processors to implement appropriate “technical and organisational measures” to keep data secure, and names pseudonymisation and encryption among them. For biometrics that means, at minimum, encrypting stored templates, keeping each template on the user’s own device or in dedicated hardware rather than in a central database where a single breach exposes everyone, and not retaining raw images where a template will do. Large-scale processing of special category data also triggers a mandatory data protection impact assessment (Article 35(3)(b)). This will take work, but as Information Age writes, “the prize is that ethics and authenticity, along with creativity, builds reputations with hard-to-reach potential and existing customers”.

By being clear with data subjects on how you will use their data, you can improve customers’ trust in your organisation, help them understand why sharing this information is necessary and therefore encourage them to provide their data.

Preparing for the GDPR

If you want to know more about biometrics and the GDPR, you should enrol on one of our training courses. Depending on your level of expertise, you might be interested in either:

Certified EU General Data Protection Regulation Foundation (GDPR) Training Course

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

The courses are available in classroom, distance learning and Live Online formats.