GDPR and biometrics

GDPR and biometrics love and hate each other. It is very important to protect personal information, and even more important to protect sensitive personal data. Using biometrics as a security measure (on its own or as part of two-factor authentication) is gaining popularity. Biometric data is seen as sensitive personal data, and storing it is prohibited unless you satisfy one of a few strict conditions.

Why it should be used

Within the General Data Protection Regulation (GDPR), organizations are required to take appropriate measures to protect personal data. Since the GDPR does not prescribe which measures are appropriate, and to support companies in implementing security of personal data, ENISA (European Union Agency for Network and Information Security) has created a ‘Handbook on security of personal data processing’. For personal data with a high risk level, the use of two-factor security measures, with e.g. one of the factors being biometric, is advised for access control and authentication. Of course, the more the probability and impact of a personal data breach increase, the better we need to secure this data to minimize the chance that the risk materializes.
The use of passwords alone is often seen as a weak protection measure. Passwords acquired by hacking are sometimes exploited and made available on the world wide web. Besides leaked password files, passwords can be hacked by guessing and brute-force attacks. Password complexity is an often-discussed topic due to the weaknesses a password has. Besides something you know, you can of course use something you have, like a token, or something you are, like a fingerprint. The combination of a token (something you have) and a password (something you know) has already gained popularity as a way to strengthen authentication. Still, a risk exists that a token and password are handed over to others.
Since biometric authentication is gaining popularity and its reliability is increasing, these techniques will be used more and more. Important in selecting biometrics are the technique used and the error rate, e.g. is it possible to reproduce your fingerprint from the stored information, and what are the reliability rates?
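The paragraph above notes that passwords acquired by hacking end up published on the web. One defensive check that follows from this is screening every new password against a corpus of leaked password hashes before accepting it. The script below is an added example, not code from the original post; the breach corpus is constructed for the demonstration, and the 5-hex-character SHA-1 prefix lookup mirrors the public Have I Been Pwned "Pwned Passwords" range API, which a real deployment would query instead of the local stand-in.

```python
"""Screen a new password against a corpus of leaked password hashes using a
k-anonymity prefix lookup, so the lookup service never sees the full hash.

Added example, not code from the original post. The breach corpus below is
constructed for the demonstration; the 5-hex-character SHA-1 prefix scheme
mirrors the public Have I Been Pwned "Pwned Passwords" range API, which a
real deployment would query instead of the local stand-in.
"""
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords that
# have appeared in public leaks. Real corpora hold hundreds of millions.
_LEAKED = ["password", "123456", "qwerty", "letmein", "Welcome1"]
_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the encoding the corpus uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> list:
    """Simulated range endpoint: return the 35-character suffixes of every
    corpus hash sharing the 5-character prefix. With a real corpus one prefix
    covers hundreds of unrelated hashes, which is what hides the client's
    actual password from the service."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(h[5:] for h in _CORPUS if h.startswith(prefix))


def is_breached(password: str) -> bool:
    """True if the password's hash is in the corpus; only the prefix leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def evaluate_password(password: str, min_length: int = 12) -> dict:
    """Policy decision: reject breached passwords and enforce a length floor.
    Returns the reasons so the user can be told why a choice was refused."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password):
        reasons.append("appears in a known breach corpus")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["password", "correct-horse-battery-staple"]:
        print(candidate, "->", evaluate_password(candidate))
```

The design point is that the client sends only the first five hex characters of the hash and does the final comparison locally, so screening against a third-party corpus does not hand that third party the password or its full hash.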

Why it should not be used

So, what about the bad side of biometrics? It is seen as sensitive personal data, and therefore you are not allowed to store that information. You are only allowed to store biometrics if you satisfy one or more conditions stated in the GDPR, unless otherwise decided by your government. It makes sense that biometric information is sensitive personal data if it is a copy of your fingerprint, face, iris, etc. Hackers could obtain that information to reproduce physical characteristics.
Most biometric systems do not store a perfect high-resolution 3D scan of physical characteristics. Mostly a pattern is recognized on your face or fingerprint, a pattern of some lines and/or dots that fits the physical characteristics the reader uses. Those lines and dots are encrypted and stored. Like a hash, it can be used only one way. When the stored lines and dots are encrypted, it is not possible to e.g. reproduce an actual fingerprint. So, if you want to reproduce physical characteristics you would have to use other ways instead of hacking such a system. Therefore, you can argue whether or not it really is sensitive personal data, considering the data that is actually stored by these devices. The GDPR is clear, though: biometric data is part of the special category ‘when processed through a specific technical means allowing the unique identification or authentication of a natural person’.

Legislation in the Netherlands

At our data center in Amsterdam we use fingerprint biometrics to enter critical/sensitive areas, but are we legally allowed to do so?
The GDPR allows member states to ‘maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.’ In the Netherlands a local law (the UAVG) was introduced, stating that biometric data may be used if required for authentication or security purposes.

The use in a data centre

The reason we use biometric security measures is to limit the risk of unauthorized access to critical infrastructure and data, like the rooms with fiber and traffic connections and the data hall. Since we do not know the content of our clients' information, we treat all data as sensitive, high-risk data. For that reason, we use two types of authentication for access control: tokens and biometrics, so it is not possible to enter areas that could contain critical information unless you are authorized yourself (you cannot hand your biometric authentication to someone else). Since we need to be able to reject access very quickly, we use badges; without a physical badge you cannot enter access areas on the premises. Taking away the physical badge is enough to directly withdraw authorizations.
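The access model described above (badge plus biometric, with badge withdrawal as the fast revocation path) and the earlier remark about error rates when selecting a biometric technique can both be shown in one small simulation. This is an added example and not the access-control system of the data centre described in the post: a template is modelled as a short feature vector standing in for the pattern of lines and dots a reader extracts, and the similarity metric, the 0.90 threshold, the badge ids and all sample readings are constructed for the demonstration.

```python
"""Two-factor door access: a physical badge plus a fingerprint-style template
match, with badge revocation as the fast way to withdraw access.

Added example, not the access-control system of the data centre described in
the post. A template is modelled as a short feature vector standing in for the
pattern of lines and dots a reader extracts; the similarity metric, threshold
and all sample data are constructed for the demonstration.
"""
import math
from dataclasses import dataclass, field

MATCH_THRESHOLD = 0.90  # constructed; in practice tuned from FAR/FRR targets


def cosine_similarity(a, b):
    """Similarity in [0, 1] for non-negative feature vectors (1.0 = same direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class AccessControl:
    templates: dict = field(default_factory=dict)  # person -> enrolled template
    badges: dict = field(default_factory=dict)     # badge id -> person
    authorized: set = field(default_factory=set)   # persons cleared for the area

    def enroll(self, person, template, badge_id):
        self.templates[person] = list(template)
        self.badges[badge_id] = person
        self.authorized.add(person)

    def revoke_badge(self, badge_id):
        """Taking the badge away is enough: without it no entry is possible,
        even though the biometric template is still enrolled."""
        self.badges.pop(badge_id, None)

    def request_entry(self, badge_id, live_sample):
        """Both factors must pass: a known badge AND a live sample that matches
        the template enrolled for the badge holder (a borrowed badge fails here)."""
        person = self.badges.get(badge_id)
        if person is None:
            return False, "unknown or revoked badge"
        if person not in self.authorized:
            return False, "badge holder not authorized for this area"
        score = cosine_similarity(self.templates[person], live_sample)
        if score < MATCH_THRESHOLD:
            return False, f"biometric mismatch (score {score:.2f})"
        return True, "granted"


def estimate_error_rates(system, genuine, impostor):
    """False reject rate over genuine (person, sample) attempts and false accept
    rate over impostor attempts, where an impostor presents someone else's
    sample against the enrolled template of the badge holder."""
    frr = sum(1 for p, s in genuine
              if cosine_similarity(system.templates[p], s) < MATCH_THRESHOLD) / len(genuine)
    far = sum(1 for p, s in impostor
              if cosine_similarity(system.templates[p], s) >= MATCH_THRESHOLD) / len(impostor)
    return frr, far


# Constructed enrolment data and live readings.
ALICE_TEMPLATE = [1.0, 0.0, 0.0, 1.0]
BOB_TEMPLATE = [0.0, 1.0, 1.0, 0.0]
GENUINE_ALICE = [[0.9, 0.1, 0.0, 1.0], [1.0, 0.5, 0.0, 1.0], [1.0, 1.0, 0.0, 0.0]]  # last one is a noisy read
IMPOSTOR_VS_ALICE = [[0.0, 1.0, 1.0, 0.0], [0.5, 1.0, 1.0, 0.5]]  # Bob's finger on Alice's record


def build_demo_system():
    system = AccessControl()
    system.enroll("alice", ALICE_TEMPLATE, badge_id="B-1001")
    system.enroll("bob", BOB_TEMPLATE, badge_id="B-1002")
    return system


def demo_error_rates():
    """FRR and FAR of the constructed data at the constructed threshold."""
    system = build_demo_system()
    return estimate_error_rates(system,
                                [("alice", s) for s in GENUINE_ALICE],
                                [("alice", s) for s in IMPOSTOR_VS_ALICE])


if __name__ == "__main__":
    ac = build_demo_system()
    print(ac.request_entry("B-1001", GENUINE_ALICE[0]))  # granted
    print(ac.request_entry("B-1002", GENUINE_ALICE[0]))  # Alice's finger, Bob's badge: denied
    ac.revoke_badge("B-1001")
    print(ac.request_entry("B-1001", GENUINE_ALICE[0]))  # revoked badge: denied
    print("FRR, FAR:", demo_error_rates())
```

Two things are worth noticing when running it. Revoking the badge denies entry before any biometric comparison happens, which is why badge withdrawal is the fast path for removing access. And the noisy third genuine reading is rejected at this threshold, which is the trade-off the error-rate question in the text points at: raising the threshold lowers false accepts but raises false rejects, and the right operating point depends on the area being protected.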
