You’re about to pay your bill at a restaurant when you realise that you’ve left both your mobile phone and wallet at home. You’re in trouble, aren’t you? Not if you’re in some parts of China or the United States, where, if you’ve pre-registered with the relevant app, you can now simply look into the cashier’s LCD screen to make a facial recognition payment.
The processing of biometric data is increasing in line with technological developments, particularly by organisations seeking to simplify and/or enhance their information security by asking individuals to verify themselves with something they are (for example, a fingerprint) instead of something that they have and may lose (for example, an identity card) or know and may forget (for example, a password). However, biometric data introduce a number of compliance considerations under the GDPR.
What are biometric data?
Biometric data constitute special category data under the GDPR, as they are: “… personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
Examples of physical or physiological biometric identification techniques include facial recognition, fingerprint verification, iris scanning, retinal analysis and recognition of ear shape and voice. Examples of behavioural biometric identification techniques include analyses of handwritten signature, keystrokes, gait and gaze (i.e. eye tracking).
What happens if we get it wrong?
In January 2017, Her Majesty’s Revenue & Customs (HMRC) in the UK adopted a voice authentication system which asked callers to some of its helplines to record their voice as their password. HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. In May 2019, the UK Information Commissioner issued an enforcement notice ordering HMRC to delete any data that it continued to hold without consent.
Processing biometric data
The GDPR sets out more stringent requirements with respect to the processing of ‘special category’ data, due to the associated and significant risks to individuals’ fundamental rights and freedoms.
It is important to appreciate that, depending on the context, organisations may be able to rely on a lawful basis and condition for processing biometric data other than consent. However, it is difficult to think of a practical example, particularly given that there are often reasonable alternatives to processing biometric data at all in order to achieve the same purpose.
In light of the above, it is important that organisations:
- ensure they have a valid lawful basis and condition for processing biometric data and, if relying on consent, ensure that such consent is explicit;
- undertake a data protection impact assessment (DPIA) prior to the intended processing, as per the requirements of the UK Information Commissioner and the Irish Data Protection Commissioner, and mitigate the risks identified in practice;
- ensure that the processing of biometric data adheres to the requirement for ‘data protection by design and by default’, i.e. integrating data protection compliance from the project stage right through the lifecycle of the processing;
- ensure they provide adequate privacy information to individuals; and
- ensure they are able to demonstrate their compliance in practice by implementing appropriate information security measures, in order to comply with the accountability principle of the GDPR.
Trilateral’s Data Governance and Cyber-Risk Team has extensive experience working with organisations and their digital partners to ensure that their processes and procedures are compliant with the latest data protection and ePrivacy regulation. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to facilitate compliant processing. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.