The use of biometric data has become firmly cemented into our everyday lives – from unlocking mobile phones and laptops to accessing online banking and even clocking in at work. Gone are the days when its use was reserved solely for unlocking vaults with a retina scan in action movies!
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [that’s fingerprints, to you and me] data.”
If you use a smartphone, chances are you unlock it using biometric data, as most now rely on fingerprint or facial recognition. Biometrics also includes iris and retinal recognition, DNA matching, voice recognition, digital signatures, and even keystroke analysis.
Despite its increased use, many organisations are still unsure about the rules governing its use and the special considerations that must be factored in.
To help you manage this complex area, this blog outlines five key do’s and don’ts for processing biometric data responsibly.
Blog edited and updated on 22 November 2024
Under both the UK and EU GDPR, biometric data used for the purposes of uniquely identifying a person is classified as ‘special category biometric data’. Article 9(1) prohibits the processing of this type of data unless one of the conditions under Article 9(2) is met.
These conditions include:
In addition to satisfying one of the conditions in Article 9, your organisation must ensure it meets one of the lawful bases under Article 6. Both conditions need to be documented in your Records of Processing Activities (RoPA).
Note: There may be local exemptions that also need to be considered. For example, Article 29 of the UAVG, the implementation law in the Netherlands, provides exemptions where there is a necessity for authentication or security, e.g. security within a nuclear plant.
Regardless of which lawful basis and condition for processing you rely on, it is essential that the collection and use of biometric data are necessary and proportionate to your aims. If there is a less intrusive way of processing the data, without compromising your aims and objectives, this should be considered instead.
For example, if your organisation uses Live Facial Recognition (LFR), you should consider if CCTV and/or security personnel could achieve the same outcome.
If you do use biometrics, you must also consider offering an alternative to individuals who do not wish to use it. For example, many online banking apps provide options to sign in with passwords or other authentication methods alongside biometric recognition.
Under the GDPR, it is a legal requirement to complete a Data Protection Impact Assessment (DPIA) if the data processing is likely to result in a high risk to the rights and freedoms of individuals. This includes many uses of biometric data processing, particularly if it is on a large scale, involves vulnerable individuals, or is for other sensitive purposes.
However, the UK’s Information Commissioner’s Office (ICO) states that it is best practice to always conduct a DPIA when processing biometric data.
If your organisation relies on Legitimate Interests as the lawful basis for processing biometric data, you must also complete a Legitimate Interest Assessment (LIA) to justify the processing. Furthermore, if you are relying on the Substantial Public Interest, or Employment, Social Security and Social Care conditions for processing, you will need to put an Appropriate Policy Document in place before you process any biometric data. This document outlines how your processing activities comply with the core principles of the GDPR.
Finally, and most importantly, you must inform data subjects about the processing of their biometric data. You will need to provide a detailed privacy notice that clearly outlines key elements. Some of these essential details include:
A notable case in this context is the 2022 UK ICO fine of £7.5M imposed on Clearview AI for a number of violations related to its use of biometric data, including failure to inform data subjects that their personal data was being processed for facial recognition purposes.
As with any personal data processing, you need to implement appropriate technical and organisational measures to protect any biometric data being processed (Article 32 GDPR).
Biometric data is considered special category data; therefore, the bar as to what measures are deemed ‘appropriate’ is set higher. This includes methods such as access controls, secure disposal, antivirus and firewall protections, encryption, and strong password management.
If your organisation works with third parties to process biometric data, it is essential to conduct a due diligence assessment to confirm that the company has appropriate security measures in place to safeguard the personal data.
When processing biometric data, you need to consider not only the data protection rights under the UK and EU GDPR but also the broader human rights of your data subjects. These include the right of access, rectification, erasure, data portability, and rights related to automated decision-making and profiling. Organisations must understand how these rights apply to biometric data and be prepared to act on them when necessary.
In addition to GDPR protections, you must also consider wider rights. Article 8 of the European Convention on Human Rights enshrines the ‘right to a private life’. In S and Marper v United Kingdom, the court held that collecting biometric data can affect the right to a private life. In the Bridges case, the High Court stated that if biometrics are “captured, stored and processed, even momentarily” then Article 8 is triggered.
To comply with Article 8, especially for public sector organisations, or those acting on their behalf, you must ensure:
For more information on this, please see the Ada Lovelace report on the governance of biometrics in England and Wales.
As biometric data is classified as ‘special category data’ under the UK and EU GDPR, it means that any breach involving this type of data is likely to face stricter scrutiny and higher penalties. If your organisation suffers a data breach, the impact on the rights and freedoms of your data subjects is considered far more serious.
In the event of a data breach, it must be reported to the relevant Supervisory Authority, with the possibility of an upper tier fine (£17.4 million/€20 million or 4% of global annual turnover).
Although Clearview AI’s £7.5M fine from the ICO and a further €20M fine from Italy’s Supervisory Authority were not related to a data breach, they highlight how seriously regulators view non-compliance in biometric data processing.
Biometrics are increasingly valuable tools for organisations, offering an extra layer of protection to sensitive accounts, as well as playing a vital role in law enforcement, security, and healthcare. However, with greater sensitivity comes greater responsibility and greater risk, making compliance with data protection rules and regulations even more critical.
It is also important to stay ahead of evolving UK and EU regulations, as well as global guidelines from wider bodies that may impact the way biometric data can be processed. Examples include the EU’s AI Act and other new laws covering real-time biometric systems and AI technologies.
The DPO Centre has one of the largest teams of experienced and specialist DPOs covering a wide range of industry sectors. If your organisation would benefit from our advice on how to ensure your processing of biometric or other special category data remains compliant, contact us for a discussion on how we can help.
For organisations operating under the UK GDPR, you can also refer to the ICO’s biometric data guidance.
For EU GDPR guidance on biometric data processing, see the EDPB’s guidelines and recommendations.