GDPR and Biometrics

GDPR and Biometrics, they love and hate each other. It is very important to protect personal information, and even more important to protect sensitive personal data. Using biometrics as a security measure (on its own or as part of two-factor authentication) is gaining popularity. Biometric data is seen as sensitive personal data, and storing that data is prohibited unless you satisfy one of a few strict conditions.

Why it should be used

Within the General Data Protection Regulation (GDPR), organizations are required to take appropriate measures to protect personal data. Since the GDPR does not prescribe which measures are appropriate, and to support companies with implementing security of personal data, ENISA (European Union Agency for Network and Information Security) has created a ‘Handbook on security of personal data processing’. For high-risk personal data, the use of two-factor safety measures, with e.g. one of the factors being biometric, is advised for access control and authentication. Of course, the more the probability and impact of a personal data breach increase, the more we need to secure this data to minimize the chance that the risk materializes.
The use of passwords only is often seen as a weak protection measure. Passwords acquired by hacking are sometimes exploited and made available on the world wide web. Besides leaked password files, passwords can be cracked by guessing and brute-force attacks. Password complexity is an often-discussed topic due to the weaknesses a password has. Besides something you know, you can of course use something you have, like a token, or something you are, like a fingerprint. The combination of a token (something you have) and a password (something you know) has already gained popularity as a way to strengthen authentication. Still, a risk remains that a token and password are handed over to others.
Since biometric authentication gains popularity and its reliability increases, these techniques will be used more and more. Important in selecting biometrics is the technique used and the error rate, e.g. is it possible to reproduce your fingerprint from the stored information, and what are the reliability rates?

Why it should not be used

So, what about the bad side of biometrics? It is seen as sensitive personal data, and therefore you are not allowed to store that information. You are only allowed to store biometrics if you satisfy one or more conditions stated in the GDPR, unless otherwise decided by your government. It makes sense that biometric information is sensitive personal data if it is a copy of your fingerprint, face, iris, etc. Hackers could obtain that information to reproduce physical characteristics.
Most biometric systems do not store a perfect high-resolution 3D scan of physical characteristics. Usually a pattern is recognized on your face or fingerprint: a pattern of lines and/or dots that fits the physical characteristics the reader uses. Those lines and dots are encrypted and stored. Like a hash, the stored form is meant to be usable in one direction only: from the protected lines and dots it is not possible to e.g. reproduce an actual fingerprint. So, if you want to reproduce physical characteristics, you would have to use other means than hacking such a system. Therefore, you can argue whether or not it really is sensitive personal data, if you imagine the data that is actually stored by these devices. The GDPR is clear, however: biometric data is part of the special category ‘when processed through a specific technical means allowing the unique identification or authentication of a natural person’.

Legislation in the Netherlands

At our data center in Amsterdam we use fingerprint biometrics to enter critical/sensitive areas, but are we legally allowed to do so?
The GDPR allows member states to ‘maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.’ In the Netherlands a local law (UAVG) was introduced, stating that biometric data may be used if required for authentication or security.

The use in a data centre

The reason why we use biometric security measures is to limit the risk of unauthorized access to critical infrastructure and data, such as the rooms with fiber and traffic connections and the data hall. Since we do not know the content of our clients’ information, we treat all data as sensitive, high-risk data. For that reason, we use two types of authentication for access control: tokens and biometrics. This makes it impossible to enter areas that could contain critical information unless you are authorized yourself, because the biometric factor cannot be handed over to someone else. Since we need to be able to revoke access really quickly, we also use badges: without a physical badge you cannot enter the access-controlled areas on the premises, so taking away the physical badge is enough to withdraw someone’s authorization immediately.
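The access-control policy described above (badge plus fingerprint, with the badge as the fast revocation lever) and the earlier point that a stored template is a one-way protected pattern rather than a fingerprint image can both be illustrated in code. The following is an added example written for this article; it is not Datacenter.com’s system or any vendor’s code. It assumes a simplified fingerprint model: a set of minutiae points that are snapped to a coarse grid and then stored only as a salted PBKDF2 hash, so the reference template cannot be turned back into the point set. Real readers use tolerant matching instead of this exact-after-quantization comparison; the grid size, hash parameters and all sample data are constructed for the example.

```python
"""Two-factor physical access check: revocable badge + one-way fingerprint template.

Added example, not the system described in the article. The quantization and
exact-match comparison are a deliberate simplification of real matchers.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

CELL = 8            # assumed grid cell size (sensor pixels) for quantization
PBKDF2_ROUNDS = 50_000  # assumed work factor for protecting the template


def quantize(points):
    """Snap (x, y) minutiae to grid cells and sort them, so small sensor jitter
    within a cell and a different point order yield the same canonical form."""
    return sorted({(x // CELL, y // CELL) for x, y in points})


def protect_template(points, salt=None):
    """Return (salt, digest). Only the one-way digest is kept as the reference;
    the raw pattern is discarded after enrolment."""
    salt = salt or os.urandom(16)
    canonical = ",".join(f"{x}:{y}" for x, y in quantize(points)).encode()
    digest = hashlib.pbkdf2_hmac("sha256", canonical, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_template(points, salt, digest):
    """Re-derive the digest from a fresh scan and compare in constant time."""
    _, candidate = protect_template(points, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Enrolment:
    badge_id: str
    salt: bytes
    digest: bytes
    revoked: bool = False


class AccessControl:
    """Grants access only when a valid, unrevoked badge AND a matching
    fingerprint are presented together."""

    def __init__(self):
        self.enrolments = {}

    def enrol(self, badge_id, points):
        salt, digest = protect_template(points)
        self.enrolments[badge_id] = Enrolment(badge_id, salt, digest)

    def revoke_badge(self, badge_id):
        # Taking the badge away is the single action that withdraws access.
        if badge_id in self.enrolments:
            self.enrolments[badge_id].revoked = True

    def request_access(self, presented_badge, scanned_points):
        """Return (granted, reason). The badge check runs first so a revoked
        badge is rejected before any biometric comparison."""
        enrolment = self.enrolments.get(presented_badge)
        if enrolment is None or enrolment.revoked:
            return False, "badge unknown or revoked"
        if not verify_template(scanned_points, enrolment.salt, enrolment.digest):
            return False, "biometric mismatch"
        return True, "granted"


if __name__ == "__main__":
    # Constructed sample minutiae for two staff members.
    ac = AccessControl()
    ac.enrol("badge-alice", [(10, 20), (33, 47), (70, 71)])
    ac.enrol("badge-bob", [(12, 90), (40, 40), (5, 5)])
    print(ac.request_access("badge-alice", [(11, 21), (34, 46), (71, 70)]))
    print(ac.request_access("badge-alice", [(12, 90), (40, 40), (5, 5)]))
    ac.revoke_badge("badge-alice")
    print(ac.request_access("badge-alice", [(10, 20), (33, 47), (70, 71)]))
```

The three decision paths map onto the article’s reasoning: a borrowed badge fails on the biometric factor, a stolen fingerprint pattern without the badge fails on the first check, and revoking the badge denies access without touching the stored template at all.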
