John Edwards, UK Information Commissioner, said:
“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”
The General Data Protection Regulation (GDPR), which is implemented into UK law via the Data Protection Act 2018, and the UK GDPR set stringent rules for handling such data. Businesses that use biometric data need to understand these rules. A breach can lead to hefty penalties from the ICO.
This article aims to guide you through the complexities of Data Protection Compliance for biometric data. We’ll take a look at the legal requirements, the importance of adherence and practical steps for compliance.
By understanding and implementing Data Protection Compliance, you can protect your business, uphold your integrity and build trust with your clients and employees. If your business uses biometric data and you are unsure whether you are meeting your Data Protection obligations, you may wish to consider a Data Protection Audit.
The Significance of GDPR for Businesses Handling Biometric Data
The UK GDPR and the Data Protection Act 2018 impose strict rules on how biometric data should be collected, stored, and processed.
Non-compliance can lead to severe penalties, including fines of up to €20 million or 4% of the company’s global annual turnover, whichever is higher. Beyond financial implications, non-compliance can also damage a company’s reputation, leading to loss of customer trust and potential business opportunities. Therefore, understanding and adhering to GDPR is not just a legal obligation, but a strategic business decision.
Defining Biometric Data Under GDPR
Under the Data Protection Act, biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a person. This data can uniquely identify that person, making it a sensitive category of data.
The types of biometric data include, but are not limited to:
- Fingerprints
- Facial recognition
- DNA
- Iris recognition
- Voice recognition
Given the sensitive nature of biometric data, businesses must take extra precautions when handling such information to ensure Data Protection compliance.
The Legal Framework: GDPR, Data Protection Act and Beyond
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all EU member states; the UK has adopted it and uses it as the basis for the Data Protection Act 2018 and the UK GDPR. It sets out the principles for data management and the rights of the individual, providing a framework for businesses to follow when handling all data, including biometric data.
It’s crucial for businesses to understand both these legal frameworks, as well as any other relevant data protection laws in their jurisdiction, to ensure full compliance when dealing with biometric data.
Consent and Biometric Data
The Data Protection Act 2018 stipulates that obtaining explicit consent is a key requirement for processing biometric data. This means businesses must clearly inform individuals about the data they’re collecting, why they’re collecting it, and how it will be used. Consent must be freely given, specific, informed, and unambiguous.
However, there are exceptions to this rule. For instance, if the processing of biometric data is necessary for the protection of vital interests, consent may not be required. Understanding these exceptions is crucial for businesses to comply with the Data Protection legislation effectively.
Data Protection Impact Assessment (DPIA) for Biometric Data
A Data Protection Impact Assessment (DPIA) is a process designed to help organisations identify and minimise the data protection risks of a project. Under UK GDPR and the Data Protection Act, a DPIA is mandatory when processing biometric data, given its sensitive nature.
The DPIA should include a systematic description of the processing operations, an assessment of the necessity and proportionality of the processing, and measures to mitigate risk. It’s a proactive step that not only ensures compliance with the UK GDPR but also builds trust with individuals whose data is being processed.
Rights of Individuals Concerning Their Biometric Information
Data Protection rules grant individuals several rights concerning their biometric data, like other types of data. These include the right to be informed about the collection and use of their data, the right to access their data and the right to rectification if the data is inaccurate.
Individuals have the right to object to the processing of their biometric data, the right to restrict processing, and the right to data portability. Understanding and respecting these rights is crucial for businesses to maintain Data Protection compliance and foster trust with their customers or users.
Data Minimisation and Secure Processing of Biometric Data
Data minimisation is a key principle of GDPR. It requires businesses to collect only the biometric data necessary for a specific purpose and to retain it only for as long as necessary. This principle helps to reduce the risk of data breaches and misuse of personal data.
Secure processing of biometric data is another critical aspect of Data Protection compliance. Businesses must implement appropriate technical and organisational measures to ensure the security of biometric data. This includes protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Data Protection Audit: Ensuring Compliance and Avoiding Penalties
A Data Protection audit is a systematic review of your organisation’s data protection practices. It helps to identify any areas of non-compliance and to take corrective action. Regular audits are essential to ensure ongoing compliance with GDPR and to avoid potential penalties.
Non-compliance with GDPR can result in severe penalties. Therefore, it is crucial for businesses handling biometric data to conduct regular GDPR audits and to address any identified issues promptly.
The Role of Technology in Data Protection Compliance for Biometric Data
Technology plays a pivotal role in GDPR compliance, especially when it comes to biometric data. Advanced tools can assist in securely storing and processing biometric data, conducting regular audits, and ensuring data minimisation. They can also help in managing consent and responding to data subject access requests efficiently.
Privacy-enhancing technologies (PETs) and encryption techniques can provide additional layers of security for biometric data. Artificial intelligence and machine learning can also be leveraged to monitor data processing activities continuously and to detect any potential data breaches promptly.
Examples of Biometric Data Breaches
Serco Leisure Trust and Related Companies
Nine related community leisure trusts were served with enforcement orders from the ICO which ordered them to stop the use of facial recognition technology and fingerprint scanning for tracking employee attendance. The investigation conducted by the ICO revealed that the biometric data of over 2,000 employees across 38 leisure facilities had been unlawfully processed.
It was discovered during the ICO’s investigation that the leisure trusts were engaged in the illegal processing of biometric data with the aim of verifying attendance and subsequently compensation for employees’ work hours.
They did not provide an adequate explanation for the necessity or proportionality of using facial recognition technology and fingerprint scanning for this purpose, especially when less intrusive alternatives like ID cards or fobs are readily available.
It has been noted that employees were not actively provided with an alternative to having their faces and fingerprints scanned for clocking in and out of their workplace, and it was portrayed as a prerequisite for receiving payment. Considering the power disparity between Serco Leisure and its employees, it is improbable that the latter would feel empowered to decline such demands and hence the ICO Enforcement Order was issued.
Chelmer Valley High School
In this case the data controller had relied on presumed consent for the use of facial recognition technology in the school’s cashless catering system. Parents, but not children, could opt out. According to Article 4(11) of the UK GDPR, consent must involve an affirmative action; therefore, consent based on an opt-out approach would not be considered valid or lawful. Additionally, most students would have been deemed sufficiently competent to provide their own consent. The parental opt-out effectively restricted students from exercising their rights and freedoms concerning the processing of their data. The school was reprimanded by the ICO for failing to complete a DPIA where it was legally required to do so, and that failure resulted in several Data Protection violations.
The Path to Trust and Compliance
Understanding and complying with UK GDPR for biometric data is not just a legal necessity but also a path to building trust with stakeholders. By embracing transparency, accountability, and innovation, businesses can turn GDPR compliance into a competitive advantage while ensuring the privacy and protection of sensitive biometric data.
If you would like to discuss your business’s Data Protection obligations or wish to understand more about what can be achieved with a Data Protection Audit, please book an introductory call with a JPP Law Data Protection solicitor.