GDPR and biometrics

GDPR and Biometrics

GDPR and Biometrics, they love and hate each other. It’s very important to protect personal information, and even more important to protect sensitive personal data. Using biometrics as a security measure (on its own or as part of two-factor authentication) is gaining popularity. Biometric data is seen as sensitive personal data, storing that data is prohibited, unless you satisfy to one of a couple of strict conditions.

Why it should be used

Within the general data protection regulations (GDPR), organizations are required to take appropriate measures to protect personal data. Since the GDPR does not prescribe which measures are appropriate, and to support companies with implementing security of personal data, ENISA (European Union Agency for Network and Information Security) has created a ‘Handbook on security of personal data processing’. In case of high-risk level personal data, the use of two factor safety measures, with e.g. one of them as biometric, is advised for access control and authentication. Of course, the more the probability and impact of a personal data breach increases, the more we need to secure this data to minimize the chance the risk can exploit.
The use of passwords only is often seen as a weak protection measure. Used passwords acquired by hacking, sometimes get exploited and are made available on the world wide web. Besides exploited password files, passwords can be hacked by guessing and brute force attacks. Password complexity is an often-discussed topic due to the weaknesses a password has. Besides something you know, you can of course use something you have, like a token, or something you are, like a fingerprint. The combination of a token (something you have) and a password (something you know) is a combination that already gained popularity to strengthen authentication. Still a risk exists that a token and password are exchanged with others.
Since biometric authentication gains popularity and the reliability increases, these techniques will be used more and more. Important in selecting biometrics is the technique used and the error rate, e.g. is it possible to reproduce your fingerprint with the stored information and what are the reliability rates.

Why it should not be used

So, what about the bad side of biometrics? It is seen as sensitive personal data, and therefore you are not allowed to store that information. You are only allowed to store biometrics in case you satisfy one or more conditions stated in the GDPR, unless otherwise decided by your government. It makes sense that biometric information is sensitive personal data if it is a copy of your fingerprint, face, iris, etc. Hackers could obtain that information to reproduce physical characteristics.
Most of the biometric systems do not store a perfect high-resolution 3D scan of physical characteristics. Mostly a pattern will be recognized on your face or fingerprint, a pattern of some lines and/or dots that fit on the physical characteristics the reader uses. Those lines and dots are encrypted and stored. Like a hash, it can be used only one way. When you encrypt the stored lines and dots, it is not possible to e.g. reproduce an actual fingerprint. So, if you want to reproduce physical characteristics you should use other ways instead of hacking such a system. Therefore, you can argue whether or not it really is sensitive personal data, imaging the data that is stored by these devices. The GDPR is clear, biometric data is part of the special category ‘when processed through a specific technical means allowing the unique identification or authentication of a natural person’.

Legislation in the Netherlands

At our data center in Amsterdam we use a fingerprint biometrics to enter critical/sensitive areas, but are we legally allowed to do so?
The GDPR allows member states to ‘maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.’ In the Netherlands a local law (UAVG) was introduced, stating that biometric data may be used if required for authentication or security.

The use in a data centre

The reason why we use biometric security measures is to limit the risk of unauthorized access to critical infrastructure and data like the rooms with fiber and traffic connections and the data hall. Since we do not know the content of the information of our clients, we treat all data as sensitive high-risk level data. For that reason, we use two types of authentication for access control. We use tokens and biometrics, so it is not possible to enter areas that could contain critical information if you are not authorized yourself (you cannot exchange the biometric authentication). Since we need to be able to be really quick in rejecting access, we use badges so without a physical badge you cannot enter access areas in the premises. Taking the physical badge is enough to directly withdraw authorizations.

More Insights

  • 30 Years of Open Internet in Europe

    On Saturday, 17 November at 2.28 pm it is exactly thirty years ago since the Netherlands was the first country in Europe to be connected to the Internet. System Administrator Piet Beertema of Centrum Wiskunde & Informatica (CWI) in Amsterdam received the confirmation that CWI – as the first institute outside the US – officially gained access to NSFnet.

    Read more
    Read more
  • Takes the Next Step Forward With Power Upgrade in Amsterdam Data Center

    today announced it has completed the first step of the second phase expansion of its flagship data center AMS1 Amsterdam by upgrading the current power grid connection to 10MW of capacity. The expansion is the company's second step forward, following the opening of the AMS1 data center in January of this year.

    Read more
    Read more
  • Datacenter cabinets are getting taller or … ?

    In my previous blog I explained the data center skyline and how it evolved over the last few years. In this blog I will give you my opinion about why data centers should standardize to higher cabinets to keep up with nowadays customer demands and requirements.

    Read more
    Read more

Call us on +31 (0)20 - 2384 200
We are happy to answer your question

Email us for more information