Managing biometric data: the GDPR's requirements


The GDPR endeavors to balance the capabilities of biometric data with organizations' responsibility to carefully gather and protect the data.

Jeremy Dunn
October 16, 2018

More organizations are accumulating biometric data through fingerprint and retina scans, facial recognition and even ear-canal authentication. Biometric authentication has the potential to become the most accurate identification method. But this data, like any other type of data, is not immune to security issues. In fact, the stakes are higher for biometrics because the data is so personal. After all, you can cancel and replace a credit or debit card if your account is compromised, but you can't exactly replace your face if you're relying on facial recognition.

While there is no current law addressing biometric data, the General Data Protection Regulation (GDPR) covers biometrics in detail. According to the GDPR, biometric data is defined as "personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person." Biometric data is one of the "special categories of personal data" that can only be used if the data subject has given clear consent.

The GDPR endeavors to balance the advanced capabilities that biometrics affords with organizations' responsibility to carefully gather and protect the data.

Biometrics has various advantages over other methods of authentication. The sensitivity of the data makes it more dependable. When implemented as a part of a layered authentication system, biometrics dramatically decreases the opportunities for hackers to breach authorized users' accounts.

Some organizations use biometric data for innovative research and data analytics. The GDPR does not prohibit this kind of practice, but organizations should provide security warnings and must have lawful grounds for processing personal data. Organizations have the responsibility to use best practices to securely store and maintain this highly sensitive data.

Security should always be the number one priority. Biometrics has spurred exciting technological innovation, but if the biometric data are more sensitive than the data the identification allows you to access, it may be optimal to use a less demanding method of authentication.

The GDPR requires data processors to employ appropriate technical and organizational measures, such as one-way coding, to keep data secure. One-way coding keeps biometric templates from being reverse engineered and reconstructed: what is stored can be compared against a fresh capture, but it cannot be turned back into the original fingerprint, face or iris. These procedures can be complex, but by clearly explaining your data-security measures to organizations, you can inspire confidence and help them understand why collecting this data is both necessary and safe.
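As an added illustration of what one-way coding of a biometric template looks like (example code written for this article, not from the original post or any vendor): a toy random-projection scheme turns a feature vector into a sign-only bit string keyed by a per-enrolment salt. The feature vectors, salt and thresholds are constructed for the demonstration; real products use standardized template-protection schemes rather than this simplified one.

```python
import random

N_FEATURES = 16        # length of the (constructed) biometric feature vector
CODE_BITS = 128        # length of the protected template in bits
MATCH_THRESHOLD = 20   # largest Hamming distance still accepted as a match

def projection_matrix(salt):
    """Derive a fixed random projection from a per-enrolment salt.
    The salt is stored with the template; issuing a new salt revokes it."""
    rng = random.Random(salt)
    return [[rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
            for _ in range(CODE_BITS)]

def protect(features, salt):
    """One-way transform: project the features and keep only the sign of each
    projection. Magnitudes are discarded, so the raw vector cannot be rebuilt
    from the stored bits. Returns the template as an integer bit string."""
    code = 0
    for row in projection_matrix(salt):
        dot = sum(w * x for w, x in zip(row, features))
        code = (code << 1) | (1 if dot >= 0.0 else 0)
    return code

def hamming(a, b):
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")

def verify(stored, salt, features):
    """Match a fresh capture against the stored template; raw features are
    transformed on the fly and never written anywhere."""
    return hamming(stored, protect(features, salt)) <= MATCH_THRESHOLD

# Constructed sample data: an enrolment vector, a slightly noisy re-capture of
# the same person, and an unrelated person's vector.
_sample = random.Random(1)
ENROLLED = [_sample.uniform(-1.0, 1.0) for _ in range(N_FEATURES)]
RECAPTURE = [x + _sample.uniform(-0.02, 0.02) for x in ENROLLED]
IMPOSTOR = [_sample.uniform(-1.0, 1.0) for _ in range(N_FEATURES)]

SALT = 0x5EED                      # constructed per-enrolment salt
STORED = protect(ENROLLED, SALT)   # the only biometric-derived value kept on file

if __name__ == "__main__":
    print(f"stored template    : {STORED:032x}")
    print(f"genuine re-capture : {verify(STORED, SALT, RECAPTURE)}")
    print(f"impostor           : {verify(STORED, SALT, IMPOSTOR)}")
    revoked = protect(ENROLLED, SALT + 1)
    print(f"after re-salting   : {hamming(STORED, revoked)} of {CODE_BITS} bits differ")
```

The noisy re-capture still matches because small feature changes flip few sign bits, while a new salt produces an unrelated template, which is what lets a compromised template be revoked without the person losing their biometric.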
