The introduction of the GDPR has increased the demand for clarity when businesses make use of biometric data. The most common issue relates to employee concerns over the storage and use of their personal data. We highlight some of the common misconceptions about biometrics and GDPR compliance, as well as why ievo systems and other readers can help to alleviate these fears.
BIOMETRICS AND THE GDPR
Biometric authentication identifies an individual based on their unique characteristics. For example, a biometric fingerprint system takes an image of your fingerprint and matches it against templates stored in a database to return the appropriate response (accepted/denied) for the individual. An ievo reader, for example, takes an image of a fingerprint and transfers the information to an ievo control board, which records the specific characteristics of the fingerprint, measuring both the surface and subsurface data. The board then stores the data as a template, ready for reference later, for example when the user needs to enter the building again. It’s important to note that the actual image of the fingerprint is not recorded or stored, so it’s not possible to duplicate the image of your fingerprint from a template.
Since biometric data is classified as a ‘special category’ of personal data, employers must satisfy one of the below conditions when rolling out the technology.
- Your data subjects (employees) must give explicit consent to the use of biometric authentication
- The biometric security is necessary for the purposes of carrying out obligations and exercising the specific rights of the data controller or of the data subject (employees) in the fields of employment, social security and social protection law
- The processing of biometrics is critical for protecting the vital interests of the data subject
- The processing is necessary for the workplace and the exercise or defence of legal claims
- Biometrics is essential for reasons of public interest

While the legislation does prohibit the processing of sensitive personal data, it does recognise the advances in biometric authentication. Accordingly, there are certain bases to justify its processing, including the explicit consent of employees, the performance of specific contracts or particular purposes within the company.
GDPR compliance is a requisite at all stages of implementing biometric access control systems and security. Seeking HR or legal advice early on is recommended.
If you are considering biometric verification to enhance your security, make sure to be transparent with your employees. Personal information and fingerprint images will not be stored, and the adoption of the technology will only serve to make their working lives easier and more secure. A reader, such as the ievo reader, only utilises a scanned image of a fingerprint to cross-reference with stored templates on a separate ievo control board (installed on the secure side of an access point) to authenticate the user’s identity.
Biometric data has multiple benefits, including easy processing of information – particularly if your business relies on timesheets.
Ultimately, the GDPR is still an unknown entity and the potential consequences are yet to be fully determined. However, act with transparency and your company can substantially benefit from implementing biometric security.