GDPR And The Implications Of Biometric Data

What are the implications of biometric data and the GDPR?

Our associate, Ashley Williams worked with our client Aimbrain to co-author a whitepaper, GDPR & Beyond: Collaboration, Consent, Capture and Care in the World of Biometric Data.

Aimbrain has a multi-module biometrics platform that allows institutions to authenticate their customer’s identity on any device across any channel.

The whitepaper looks at the first corporate use cases in the 1960s and notes that biometrics have become commonplace across banking, government, enterprise applications, physical access and more.

Today, using fingerprint and facial scans to unlock devices has put biometrics in the mainstream, and the industry is worth an estimated value of $25.3 billion by 2025. It’s no surprise that with this widespread adoption of biometrics as personally identifying information there will need to be more significant regulatory requirements to safeguard and protect this data.

This whitepaper looks at the impact and implications of General Data Protection Regulation (GDPR) for companies engaged in the processing biometric data.

According to Williams, biometric data, as defined in the GDPR means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic or fingerprint data.

“This is a cumulative test, and the GDPR rightly clarifies that the processing of certain personal data, such as photographs, should not systematically be considered as biometric data unless such personal data is processed through a specific technical means allowing the unique identification or authentication of a natural person,” adds Williams.

“The old Data Protection Act 1998 did not refer to biometric data. The GDPR now expressly identifies biometric data as a special category of personal data which is more commonly known as sensitive personal data under the old regime,” said Williams.  “Whilst the position on how organisations should handle sensitive personal data has not monumentally shifted under the GDPR, most companies processing biometric data are unlikely to have treated each biometric data set as sensitive personal data and as such will need to reassess their approach in light of processing activities relating to sensitive personal data being subject to greater restrictions and obligations.”

You can download the complete whitepaper here.

A cookie is a small file of letters and numbers that we store on your browser or computer, phone or tablet hard drive if you agree. more information

INFORMATION ABOUT OUR USE OF COOKIES Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience and also allows us to improve our website. By continuing to browse the website, you are agreeing to our use of cookies. A cookie is a small file of letters and numbers that we store on your browser or computer, phone or tablet hard drive if you agree. We use the following cookies: • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to return to a previous page. • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. The analytical/performance cookies are provided on our behalf by Google Inc. to aid with reporting of user behaviour, market research and improving website functionality. This user behaviour is analysed in order to improve this website. To see how this applies to Google Analytics, visit You can stop tracking by Google Analytics by visiting COOKIE DURATION The strictly necessary session cookies are a temporary cookie which remains in the cookie file of your browser until you close the browser. The other cookies will remain in the cookie file of your browser after the closing of the browser, and will become active again when you reopen this website. The different cookies have different expiration dates. Following expiry of a cookie, a new version of that cookie will be downloaded when you next visit this website, unless you have withdrawn your consent in the meantime. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website. Contact If you have any queries regarding this cookie policy please contact us at