Access ControlBiometricsData StorageFeatured News

Exclusive: Ensuring data privacy compliance for biometrics


Remy Cricco, Business Development Manager Europe at IDEMIA explains why it is critical to successfully manage data in projects.

An increasing number of companies from a wide variety of sectors are looking at deploying biometrics to increase, not only their levels of security, but to also strengthen existing protection means such as access control and CCTV.

Biometric terminals guarantee who is granted physical access, creating a “this is me” verification instead of a “this something I have or know” confirmation for access credentials such as cards, fobs, smartphones and PIN codes. Contrary to its growth over the last 19 months, the rapid adoption of biometrics did in fact begin prior to the COVID-19 pandemic. As a paradox however, during these uncertain times there were less employees physically present on sites and, subsequently, as the risk of intrusions increased so did the need for better protection.

In Europe with GDPR – as well as in an increasing number of other countries in the world – regulations have been enforced to protect consumers’ and employees’ data privacy; companies must therefore comply with quite stringent processes to avoid exposing themselves to very significant financial penalties and reputational damages.

To assess this balance between the privacy risk and security measures, a Data Protection Impact Assessment (DPIA) is therefore a key mandatory document in this process and must be performed very seriously by the company’s Data Privacy Officer (DPO) department, ideally involved in the project from its beginning, and supported by experienced external entities.

Biometrics considered sensitive data

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

The GDPR includes dozens of new rules that organisations must follow in order to protect the personal information they collect about their clients or employees. Failing to comply with the GDPR can put entities at risk of paying severe penalties, with fines that can go up to 20 million euros or up to 4 % of the company’s total global turnover of the preceding fiscal year.

Biometric data, in particular, resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of individuals, is considered as special data according to Article 9, and therefore requires a specific treatment through a DPIA document. In the UK, the Data Protection Act 2018 was passed and two adequacy decisions have been taken post-Brexit, on June 28 2021. These decisions make the UK bill compliant to GDPR and the Information Commissioner’s Office (ICO) remains the data authority.

Contrary to some other regulations, you will not present your project to and get an approval stamp from the authorities. Instead, you will have to conduct a Data Protection Impact Assessment (DPIA) by yourself, which is a process to help you identify and minimise the data protection risks of your project. You must do a DPIA for any processing that is likely to result in a high risk to individuals, in particular, when biometric data is collected and processed.

Your DPIA must describe the nature, scope, context and purpose of the data processing; it will also have to assess necessity, proportionality and compliance measures. A specific part of it will also consist of identifying and assessing risks to individuals and recognising any additional measures to mitigate those risks. To assess the level of risk, the recommended approach should comprise of both the likelihood and the severity of any impact on individuals – high risk could result from either a higher probability of some harm or a lower possibility of serious harm.

More specific to biometric data, you will have to justify why you need to deploy a biometric system as well as how you will collect, process and protect biometric data. In addition to this, such justification will need to incorporate where you will store the data (whether this be in the terminals, in the access cards or a hybrid mix of the two) and more; thus, describing in detail your technical setup at terminal and system level. Of course, you will also have to describe in detail how you inform employees about the deployment, how you collect their explicit consent to have their biometric data collected and processed and the access and modification rights you provide them. The DPIA is a very thorough process.

Tips to anticipate and manage the DPIA step

We have seen a significant number of projects being slowed down, or sometimes even stalled, by this DPIA step that was underestimated or not well prepared by technical project teams. Some companies may even still apply self-censorship by not launching a project at all due to the fear incurred by this critical step.

Strangely, many companies still wrongly believe that biometric deployments are limited to very specific sectors such as the police, military or wider government entities and are in fact forbidden in the private sector. This is of course a wrong belief. As stated before, a biometric deployment for employee access control is not forbidden but is instead carefully framed.

Many DPOs also certainly overemphasise the level or risk associated to the whole process. The DPIA is not an exam that you pass and then get a green light from to deploy your project; instead, it is something that you shall keep prepared in case of a control by data privacy authorities.

If you take the process seriously and work alongside appropriate external support, there is no reason why it should fail and indeed many companies manage to deploy biometric terminals every year. This is why we strongly recommend that those undertaking such projects should involve the DPO department at the early stages. In doing so, the department becomes a significant stakeholder instead of only being consulted at the end of the process.

Seeking external advice and guidance is a must that will allow you to save time and be more efficient. This is why IDEMIA launched “DPIA-as-a-service”, leveraging our experience of this process for our own many commercial and industrial sites in several different countries, including the UK, where we have deployed biometrics for access control.

As a business, not only have we successfully developed a worldwide network of DPOs, we are also fully knowledgeable about our own biometric terminals and implementation configurations; operated by our data privacy team, this service will help your project teams and DPO address all biometric-related items of the DPIA. In doing so, we enable you to save time, precise your responsibility, improve your level of confidentiality, guarantee total security of personal data and provide a comprehensive and reliable document for the data authority.

IDEMIA has the capability to accompany its customers across the world in countries that have enforced data privacy regulations inspired by GDPR as well as in those that consider implementing them in 2022 and beyond. In many countries that have not yet adopted such regulations, we recommend that companies deploying biometric terminals fill in a DPIA anyway – in spite of the fact there may not be any specific regulation forcing you to do so, it is a worthwhile exercise.

To find out more information, visit:

This article was originally published in the December edition of Security Journal UK. To read your FREE digital edition, visit: