Biometric data can be used for all kinds of reasons: fingerprint scanning to unlock iPhones, facial recognition software to improve security systems and even ear canal authentication for headphone security.
Like any form of data, biometrics are potentially accessible to malicious actors, and the stakes of a biometric data breach are much higher than those of other breaches.
You can always replace your payment card if your financial information is compromised, but if hackers broke into MasterCard’s ‘selfie pay’ tech, you probably wouldn’t want to replace your face.
That’s why the GDPR (General Data Protection Regulation) includes strict rules on the way biometric data can be collected and used, and it’s why organisations should think carefully before processing such information.
What is biometric data?
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.
It is one of the “special categories of personal data” that can only be processed if:
- The data subject has given explicit consent;
- Processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the fields of employment and social security and social protection law;
- Processing is necessary to protect the vital interests of the data subject;
- Processing is necessary for the establishment and exercise of defence of legal claims; or
- Processing is necessary for reasons of public interest.
Processing biometric data
There are many benefits of using biometrics. The sensitivity of the information makes it a much more secure way of authenticating someone’s identity – there’s no such thing as a weak fingerprint, and no brute-force attack against facial recognition.
As part of a multi-factor authentication system, biometrics can vastly reduce the chances of hackers breaking into users’ accounts.
Organisations are also using biometrics for increasingly creative research and data analytics purposes.
For example, Biometric Advertising claims that it can “capture consumer behavior and instantly interpret their reactions to your specific message, display or brand identity”.
Herta Security is using facial recognition software in casinos and high-end retailers to alert employees when a member of a VIP loyalty programme enters the shop.
The GDPR certainly won’t suppress these kinds of uses of biometric data, but it does emphasise the need for caution. Before processing biometric data, organisations must:
Have a lawful ground to process biometric data
You need a lawful ground whenever you process personal data. Consent is always the least preferable option, so you should seek one of five other lawful grounds first.
Consider whether biometric data is necessary
Organisations can create a lot of fun and novel technologies thanks to biometric data.
But if the data needed to verify your identity is significantly more sensitive than the information it gives users access to, you might be better off using a less rigorous authentication process.
Security should always be a top priority, but storing highly sensitive information adds extra obligations for your organisation to follow. You may find that you can get similar levels of security from another form of verification.
Similarly, many organisations may be tempted to use biometrics just because the tech is there. In that case, the processing of biometric data probably reveals more about the data controller’s habits than the data subjects’.
See the opportunities that privacy and security present
The GDPR states that data processors must implement appropriate “technical and organisational measures” to secure personal data.
This will be tricky, but as Information Age writes, “the prize is that ethics and authenticity, along with creativity, builds reputations with hard-to-reach potential and existing customers”.
By being clear with data subjects on how you will use their data, you can improve customers’ trust in your organisation. You’ll also help them understand why sharing this information is necessary and therefore encourage them to provide their data.
How to collect data responsibly and keep it secure

If you want to know more about biometrics and the GDPR, you should enrol on our Certified GDPR Foundation Training Course.
This one-day course provides a comprehensive introduction to the GDPR and a practical understanding of the key implications, compliance requirements and potential benefits for organisations.
By attending and passing the course exam you will gain enough knowledge to understand the Regulation’s principles, terms and key concepts.
So what if your government decides to make a central database with all of its citizens’ fingerprints in and copied onto their ID? Very much against consent with the sad excuse of “counterterrorism”. Obviously this cannot fall under the GDPR, right? Proportionality much?
The public authorities also have to follow the GDPR when processing personal data. However, please note that consent is not the only legal basis for processing; the public authorities could, for example, rely on the ‘exercise of official authority vested in the controller’ (Article 6(1)(e) of the GDPR). That being said, as you have rightly pointed out, any EU or Member State level law should meet an objective of public interest and be proportionate to the legitimate aim pursued. The situations you’ve described could arguably be at odds with these principles.
When entering some building sites you have to give a fingerprint ID for the biometric system. You are told this is only for purposes such as security and emergency services. Can the company involved then pass this biometric information to employers for timekeeping purposes without your consent?