09 Oct Biometrics and the GDPR: why you should adopt the technology
Biometric security has been described by many as the ‘future for security’. The ability to identify a person from their unique physical and behavioural characteristics is a potential boon for many companies, helping to improve security and enable employee attendance tracking and management. Similarly, with passwords reportedly accounting for more than 80% of workplace security breaches, biometric security and authentication can be significantly effective in combating fraud and misconduct.
However, the introduction of the GDPR, and concerns about how it treats sensitive data, has increased the demand for clarity when using biometric data in businesses. The most common issue relates to employee concerns over the storage and use of their personal data. As such, we’re highlighting some of the common misconceptions about biometrics and GDPR compliance, and explaining why ievo systems and other readers can help to alleviate these fears.
Biometrics and the GDPR
Biometric authentication works by identifying an individual based on their unique characteristics. For instance, a biometric fingerprint system takes an image of your fingerprint and matches it against templates stored in a database, and then returns the appropriate response (accepted/denied) for that individual. An ievo reader, for example, takes an image of a fingerprint and transfers the information to an ievo control board, which records the specific characteristics of the fingerprint (measuring both surface and subsurface data) and stores them as a template ready for reference the next time the user needs to enter the building. It’s important to note that the actual image of the fingerprint is not recorded or stored, so it’s not possible to duplicate the image of your fingerprint from a template.
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”. As biometric data is classified as a ‘special category’ of personal data, employers must satisfy one of the conditions below when rolling out the technology.
- Your data subjects (employees) have given explicit consent to the use of biometric authentication;
- The biometric security is necessary for the purposes of carrying out the obligations and exercising the specific rights of the data controller or of the data subjects (employees) in the fields of employment, social security and social protection law;
- The processing of biometrics is necessary to protect the vital interests of the data subject;
- The processing is necessary for the establishment, exercise or defence of legal claims;
- Biometrics are essential for reasons of public interest.
While the legislation does prohibit the processing of sensitive personal data by default, it also recognises the advances in biometric authentication and provides specific legal bases that justify its processing, including the explicit consent of employees, the performance of specific contracts, or particular purposes within the company.
GDPR compliance should be borne in mind at all stages of implementing biometric access control systems and security, and we recommend seeking HR or legal advice early on.
Biometrics and consent
Consent has been a ‘hot topic’ for GDPR-sensitive data, and it remains a contentious issue, as employees must be able to freely exercise their rights and freedoms, including their right to object to the processing of biometric data. Whatever basis you rely on, the use of biometric authentication in your business must fall under one of the conditions above.
For consent to be a lawful basis for biometric authentication, you must explicitly obtain permission, as you would for general marketing material. Similarly, the ‘data controller’ must give employees the ability to withdraw their consent to the use of biometrics. It’s also important to stress to your employees that, in the case of biometric fingerprint scanners, their personal information is not stored on the reader and their fingerprint is highly unlikely to be replicated.
One of the main advantages of opting for biometrics under the GDPR is that ievo fingerprint readers alleviate many of the misconceptions employees have regarding biometric data. For instance, it’s highly unlikely that your fingerprint can be replicated, as the reader does not store the image of your fingerprint, so the stored data cannot be used to gain access to sensitive information.
Our ievo solutions can also be supplied with a card reader module that allows the biometric access control system to use both biometric data and ID cards. This provides great flexibility for a business that needs to offer an alternative to employees who object to providing biometric authentication. It’s also important to note that an ievo system is classed as a ‘data processor’ under the terms of the GDPR; the ‘data controllers’, such as the installers and end users, are therefore responsible for carrying out a GDPR review of your deployment.
Are biometrics the solution to the GDPR?
In the age of the GDPR, it’s easy to understand the many misconceptions some may have about biometric information. Several years ago, the response to biometric data and authentication was largely ‘negative’. However, many industries are now adopting the technology due to the ease of processing, remote management capabilities and, of course, increased security. Another major advantage of biometrics in the GDPR era is their reliability and convenience, especially as they offer simultaneous fingerprint enrolment at multiple locations.
If you are considering biometric verification to enhance your security, ensure you are transparent with your employees. Personal information and fingerprint images are not stored, and the adoption of the technology will only serve to make their working lives easier and more secure. A reader, such as an ievo reader, only uses a scanned image of a fingerprint to cross-reference against templates stored on a separate ievo control board (installed on the secure side of an access point) to authenticate the identity of the user.
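To make the ‘template, not image’ point in the two descriptions above concrete, here is an added illustration written for this page. It is not ievo’s code or algorithm: a scan is modelled as a handful of minutiae points (x, y, angle) such as a feature extractor would produce, the stored template is a quantised, sorted list of those points, and matching counts how many probe points land within tolerance of a stored point. The minutiae values are constructed, and a real matcher would also align for rotation and translation, which this toy omits.

```python
"""Toy template-based fingerprint verification (constructed example).

Only a derived template (coarse minutiae features) is ever stored; the
scan image itself is discarded after feature extraction, so the record
kept on the secure side cannot be turned back into a fingerprint image.
"""

# A 'scan' is a list of minutiae: (x, y, angle_in_degrees).
# These three sets are constructed for the example, not real data.
ENROLLED_SCAN = [(12, 40, 30), (55, 63, 110), (80, 20, 250),
                 (33, 90, 75), (70, 75, 180), (20, 15, 300)]
# Same finger, re-scanned: small positional and angular jitter.
GENUINE_SCAN = [(14, 38, 36), (52, 66, 104), (83, 18, 258),
                (30, 93, 70), (73, 72, 185), (18, 17, 295)]
# A different finger altogether.
IMPOSTOR_SCAN = [(5, 5, 10), (60, 10, 200), (40, 40, 40),
                 (90, 90, 90), (15, 70, 330), (75, 35, 150)]

CELL = 8          # spatial quantisation cell size (pixels)
ANGLE_STEP = 20   # angular quantisation (degrees) -> 18 bins
N_BINS = 360 // ANGLE_STEP


def extract_template(minutiae):
    """Reduce a scan to a template: quantised, deduplicated, sorted tuples.

    Quantisation deliberately throws information away. The raw image and
    the exact coordinates never leave this function, and the returned
    template is what gets stored on the control board.
    """
    return tuple(sorted({(x // CELL, y // CELL, (a % 360) // ANGLE_STEP)
                         for x, y, a in minutiae}))


def match_score(stored, probe, tol=1):
    """Fraction of points matched one-to-one within `tol` cells and 1 angle bin."""
    used = set()
    matched = 0
    for px, py, pa in probe:
        for i, (sx, sy, sa) in enumerate(stored):
            if i in used:
                continue
            # Angular distance on a circle of N_BINS bins.
            dang = min((pa - sa) % N_BINS, (sa - pa) % N_BINS)
            if abs(px - sx) <= tol and abs(py - sy) <= tol and dang <= 1:
                matched += 1
                used.add(i)
                break
    return matched / max(len(stored), len(probe))


def verify(stored, probe, threshold=0.6):
    """Accept/deny decision: the only output that reaches the door controller."""
    return match_score(stored, probe) >= threshold


if __name__ == "__main__":
    template = extract_template(ENROLLED_SCAN)  # stored at enrolment
    print("stored template:", template)
    print("genuine scan accepted:", verify(template, extract_template(GENUINE_SCAN)))
    print("impostor scan accepted:", verify(template, extract_template(IMPOSTOR_SCAN)))
```

The stored template is a short list of coarse feature bins, which is why it does not substitute for the fingerprint image. It is still special-category personal data under the GDPR, so it should be held on the secure side of the access point, encrypted at rest, and covered by the retention and access safeguards discussed later on this page.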
Processing biometric data
Biometric data offers multiple benefits, including easy processing of information, particularly if your business relies on timesheets. Before implementing biometrics, however, you should:
- Conduct a data protection impact assessment to identify the risks arising from biometric data processing.
- Initiate a legitimate interest assessment.
- Develop privacy statements which set out the reason for processing; the nature, collection and ongoing use of the biometric information; and the retention, security and transfer of the biometric data.
- Define retention policies that are transparent and state how long the biometric information will be stored.
- Implement safeguards to ensure the confidentiality, legality and availability of biometric systems.
Why use biometric authentication?
There are many reasons for businesses to use biometric authentication. The primary advantage is the heightened security, particularly for businesses handling sensitive information. The risk of security breaches via traditional key cards and PIN codes is higher, as you have to rely on the employee’s ability to safeguard the card or code. A fingerprint, by contrast, cannot be handed over or replicated in the same way, so you are granting access and permissions to the correct individual.
Similarly, biometric access control systems provide greater opportunities for attendance tracking and remote management.
You can read more on the advantages of biometric security here.
Ultimately, the full impact of the GDPR is still unknown and the potential consequences are yet to be determined. However, act with transparency and your company can substantially benefit from implementing biometric security.