Our associate, Ashley Williams worked with our client Aimbrain to co-author a whitepaper, GDPR & Beyond: Collaboration, Consent, Capture and Care in the World of Biometric Data.
Aimbrain has a multi-module biometrics platform that allows institutions to authenticate their customer’s identity on any device across any channel.
The whitepaper looks at the first corporate use cases in the 1960s and notes that biometrics have become commonplace across banking, government, enterprise applications, physical access and more.
Today, using fingerprint and facial scans to unlock devices has put biometrics in the mainstream, and the industry is worth an estimated value of $25.3 billion by 2025. It’s no surprise that with this widespread adoption of biometrics as personally identifying information there will need to be more significant regulatory requirements to safeguard and protect this data.
This whitepaper looks at the impact and implications of General Data Protection Regulation (GDPR) for companies engaged in the processing biometric data.
According to Williams, biometric data, as defined in the GDPR means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic or fingerprint data.
“This is a cumulative test, and the GDPR rightly clarifies that the processing of certain personal data, such as photographs, should not systematically be considered as biometric data unless such personal data is processed through a specific technical means allowing the unique identification or authentication of a natural person,” adds Williams.
“The old Data Protection Act 1998 did not refer to biometric data. The GDPR now expressly identifies biometric data as a special category of personal data which is more commonly known as sensitive personal data under the old regime,” said Williams. “Whilst the position on how organisations should handle sensitive personal data has not monumentally shifted under the GDPR, most companies processing biometric data are unlikely to have treated each biometric data set as sensitive personal data and as such will need to reassess their approach in light of processing activities relating to sensitive personal data being subject to greater restrictions and obligations.”
You can download the complete whitepaper here.