GDPR and biometrics: they love and hate each other. It’s very important to protect personal information, and even more important to protect sensitive personal data. Using biometrics as a security measure (on its own or as part of two-factor authentication) is gaining popularity. Biometric data is seen as sensitive personal data, and storing that data is prohibited unless you satisfy one of a couple of strict conditions.
Why it should be used
Under the General Data Protection Regulation (GDPR), organizations are required to take appropriate measures to protect personal data. Since the GDPR does not prescribe which measures are appropriate, and to support companies in implementing security of personal data, ENISA (European Union Agency for Network and Information Security) has created a ‘Handbook on security of personal data processing’. For high-risk level personal data, the use of two-factor safety measures, with e.g. one of them being biometric, is advised for access control and authentication. Of course, the more the probability and impact of a personal data breach increase, the more we need to secure this data to minimize the chance that the risk materializes.
The use of passwords only is often seen as a weak protection measure. Passwords acquired by hacking are sometimes exploited and made available on the World Wide Web. Besides such exposed password files, passwords can be compromised through guessing and brute-force attacks. Password complexity is an often-discussed topic because of the weaknesses a password has. Besides something you know, you can of course use something you have, like a token, or something you are, like a fingerprint. The combination of a token (something you have) and a password (something you know) has already gained popularity as a way to strengthen authentication. Still, a risk exists that a token and password are shared with others.
As biometric authentication gains popularity and its reliability increases, these techniques will be used more and more. When selecting biometrics, the technique used and the error rate are important: for example, is it possible to reproduce your fingerprint from the stored information, and what are the reliability rates?
Why it should not be used
So, what about the bad side of biometrics? It is seen as sensitive personal data, and therefore you are not allowed to store that information. You are only allowed to store biometrics if you satisfy one or more conditions stated in the GDPR, unless otherwise decided by your government. It makes sense that biometric information is sensitive personal data if it is a copy of your fingerprint, face, iris, etc. Hackers could obtain that information to reproduce physical characteristics.
Most biometric systems do not store a perfect high-resolution 3D scan of physical characteristics. Mostly, a pattern is recognized on your face or fingerprint: a pattern of some lines and/or dots that fit the physical characteristics the reader uses. Those lines and dots are encrypted and stored. Like a hash, it can be used only one way. When you encrypt the stored lines and dots, it is not possible to e.g. reproduce an actual fingerprint. So, if you want to reproduce physical characteristics, you would have to use other ways instead of hacking such a system. Therefore, considering the data that is stored by these devices, you can argue whether or not it really is sensitive personal data. The GDPR is clear: biometric data is part of the special category ‘when processed through a specific technical means allowing the unique identification or authentication of a natural person’.
Legislation in the Netherlands
At our data center in Amsterdam we use fingerprint biometrics to enter critical/sensitive areas, but are we legally allowed to do so?
The GDPR allows member states to ‘maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.’ In the Netherlands a local law (UAVG) was introduced, stating that biometric data may be used if required for authentication or security.
The use in a data center
The reason we use biometric security measures is to limit the risk of unauthorized access to critical infrastructure and data, such as the rooms with fiber and traffic connections and the data hall. Since we do not know the content of our clients’ information, we treat all data as sensitive high-risk level data. For that reason, we use two types of authentication for access control. We use tokens and biometrics, so it is not possible to enter areas that could contain critical information if you are not authorized yourself (you cannot exchange the biometric authentication). Since we need to be able to reject access really quickly, we use badges, so without a physical badge you cannot enter access areas on the premises. Taking the physical badge is enough to directly withdraw authorizations.