GDPR: Things to consider when processing biometric data

Biometric data can be used for all kinds of reasons: fingerprint scanning to unlock iPhones, facial recognition software to improve security systems and even ear canal authentication for headphone security.

Like any form of data, biometrics are potentially accessible by malicious sources, and the stakes of potential biometric data breaches are much higher than other breaches.

You can always replace your payment card if your financial information is compromised, but if hackers broke into MasterCard’s ‘selfie pay’ tech, you probably wouldn’t want to replace your face.

That’s why the GDPR (General Data Protection Regulation) includes strict rules on the way biometric data can be collected and used, and it’s why organisations should think carefully before processing such information.

What is biometric data?

The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.

It is one of the “special categories of personal data” that can only be processed if:

  • The data subject has given explicit consent;
  • Processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the fields of employment and social security and social protection law;
  • Processing is necessary to protect the vital interests of the data subject;
  • Processing is necessary for the establishment, exercise or defence of legal claims; or
  • Processing is necessary for reasons of public interest.

Processing biometric data

There are many benefits to using biometrics. The sensitivity of the information makes it a much more secure way of authenticating someone’s identity – there’s no such thing as a weak fingerprint or a brute-force attack on facial recognition.

As part of a multi-factor authentication system, biometrics can vastly reduce the chances of hackers breaking into users’ accounts.

Organisations are also using biometrics for increasingly creative research and data analytics purposes.

For example, Biometric Advertising claims that it can “capture consumer behavior and instantly interpret their reactions to your specific message, display or brand identity”.

Herta Security is using facial recognition software in casinos and high-end retailers to alert employees when a member of a VIP loyalty programme enters the shop.

The GDPR certainly won’t suppress these kinds of uses of biometric data, but it does emphasise the need for caution. Before processing biometric data, organisations must:

Have a lawful ground to process biometric data

You need a lawful ground whenever you process personal data. Consent is always the least preferable option, so you should seek one of five other lawful grounds first.

Consider whether biometric data is necessary

Organisations can create a lot of fun and novel technologies thanks to biometric data.

But if the data needed to verify your identity is significantly more sensitive than the information it gives users access to, you might be better off using a less rigorous authentication process.

Security should always be a top priority, but storing highly sensitive information adds extra obligations for your organisation to follow. You may find that you can get similar levels of security from another form of verification.

Similarly, many organisations may be tempted to use biometrics just because the tech is there. In that case, the processing of biometric data probably reveals more about the data controller’s habits than the data subjects’.

See the opportunities that privacy and security present

The GDPR states that data processors must implement appropriate “technical and organisational measures” to secure personal data.

This will be tricky, but as Information Age writes, “the prize is that ethics and authenticity, along with creativity, builds reputations with hard-to-reach potential and existing customers”.

By being clear with data subjects on how you will use their data, you can improve customers’ trust in your organisation. You’ll also help them understand why sharing this information is necessary and therefore encourage them to provide their data.

How to collect data responsibly and keep it secure

If you want to know more about biometrics and the GDPR, you should enrol on our Certified GDPR Foundation Training Course.

This one-day course provides a comprehensive introduction to the GDPR and a practical understanding of the key implications, compliance requirements and potential benefits for organisations.

By attending and passing the course exam you will gain enough knowledge to understand the Regulation’s principles, terms and key concepts.

