Does the GDPR allow you to track biometric data?

Under the EU GDPR (General Data Protection Regulation), biometrics is considered a “special category of personal data” that requires both a special legal basis for processing and an accompanying data protection impact assessment.

You are therefore permitted to track biometric data, but you might find the effort it takes outweighs the benefits.


What is biometric data?

Biometrics is essentially information pertaining to someone’s physical, physiological and behavioural characters. Fingerprints and retinal scans are two of the most common types of biometric data, but organisations are increasingly experimenting with technologies that make use of biometrics.

For example, Visa is working on a system to help banks incorporate biometrics into e-commerce. This follows on from Mastercard’s continued interest in ‘selfie pay’ technology. Meanwhile, Herta Security is using facial recognition software in casinos and high-end retailers to alert employees when a member of a VIP loyalty programme enters the shop.


Processing biometric data

As with any other kind of personal data, organisations need a lawful basis for processing biometrics. In the past, organisations relied on consent, but the GDPR’s toughened rules for obtaining and maintaining it means consent is always the least preferable option.

Of the remaining lawful bases, you would most likely be able to justify:

  • Contractual obligations, if you need to process biometrics to fulfil the terms of a contract (including an employment contract); or
  • Legitimate interests, if there is any reason (including commercial benefit) to process biometrics, provided it’s not outweighed by negative effects to individuals’ rights and freedoms.


Pros and cons of biometrics

Organisations can do a lot of fun things with biometric data, and there are two obvious benefits of using it.

First, people love gadgets, even when they don’t seem to have any clear purpose, so the novelty of biometrics can be marketed as a unique selling point.

Second, biometrics offers unheralded levels of security – without any of the inconvenience associated with passwords. Although using complicated passwords and unique phrases for each account makes them less likely to be hacked, they are also a lot harder to memorise.

With biometrics, users have nothing to remember, because they are the password, and crooks would have to go to extraordinary lengths to hack into an account.

However, these benefits come with a cost. Organisations would be required to keep large volumes of sensitive information, which would create untold damage if breached. Given the current landscape of cyber crime, with organisations repeatedly breached despite adopting best practices, you might see it as simply too big a risk.

Individuals might also be hesitant about giving organisations their information. There is already growing concern over the way companies such as Facebook use people’s personal data, and if you are to persuade people to give you their biometric data, you’ll need to make a convincing argument about why it’s necessary and how you will make sure it’s kept securely.


Learn more about the GDPR

You can find out more about the GDPR by enrolling on one of our training courses. Depending on your level of expertise, you might be interested in either:

The courses are available in classroom, distance learning and Live Online formats.

Book these courses together in our combination course to save 15%.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.