Biometric data is being used in countless systems these days. If you’ve ever unlocked your phone with a fingerprint scan or used facial recognition software, then your biometric data has been processed.
But like any form of data, biometrics – i.e. information relating to an individual’s physical, physiological or behavioural characteristics – are potentially accessible to malicious actors, and the stakes of a biometric data breach are much higher than those of other breaches.
You can always replace your payment card if your financial information is compromised, but if hackers broke into MasterCard’s ‘selfie pay’ tech, you probably wouldn’t want to replace your face.
That’s why the GDPR (General Data Protection Regulation) includes strict rules on the way biometric data can be collected and used, and it’s why organisations should think carefully before processing such information.
What is biometric data?
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.
It is one of the “special categories of personal data” that can only be processed if:
- The data subject has given explicit consent;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment and social security and social protection law;
- Processing is necessary to protect the vital interests of the data subject;
- Processing is necessary for the establishment, exercise or defence of legal claims; or
- Processing is necessary for reasons of public interest.
Processing biometric data
There are many benefits to using biometrics. The sensitivity of the information makes it a much more secure way of authenticating someone’s identity: there’s no such thing as a weak fingerprint, and facial recognition can’t be brute-forced the way a password can.
As part of a multi-factor authentication system, biometrics can vastly reduce the chances of criminal hackers breaking into users’ accounts.
Organisations are also using biometrics for increasingly creative research and data analytics purposes. For example, Biometric Advertising claims that it can “capture consumer behavior and instantly interpret their reactions to your specific message, display or brand identity”.
Herta Security is using facial recognition software in casinos and high-end retailers to alert employees when a member of a VIP loyalty programme enters the shop.
The GDPR certainly won’t suppress these kinds of uses of biometric data, but it does emphasise the need for caution. Before processing biometric data, organisations must:
- Have a lawful ground to process biometric data
You need a lawful ground whenever you process personal data. Consent is always the least preferable option, so you should seek one of five other lawful grounds first.
- Consider whether they really need biometric data
Organisations can create a lot of fun and novel technologies thanks to biometric data, but if the data needed to verify your identity is significantly more sensitive than the information it gives users access to, you might be better off using a less rigorous authentication process.
Security should always be a top priority, but storing highly sensitive information adds extra obligations for your organisation to follow. You may find that you can get similar levels of security from another form of verification.
Similarly, many organisations may be tempted to use biometrics just because the tech is there. In that case, the processing of biometric data probably reveals more about the data controller’s habits than the data subjects’.
- See the opportunities that privacy and security present
The GDPR states that data processors must implement appropriate “technical and organisational measures” to keep data secure. This will be tricky, but as Information Age writes, “the prize is that ethics and authenticity, along with creativity, builds reputations with hard-to-reach potential and existing customers”.
By being clear with data subjects on how you will use their data, you can improve customers’ trust in your organisation, help them understand why sharing this information is necessary and therefore encourage them to provide their data.
What else do you need to know about processing sensitive personal data?
You can get more advice on how to meet the GDPR’s data processing requirements by reading GDPR: An Implementation and Compliance Guide.
This handbook explains the GDPR in simple terms, breaking down its compliance requirements into manageable chunks. You’ll learn everything you need to implement a robust information security system and avoid the prospect of regulatory penalties.
A version of this blog was originally published on 15 September 2017.