GDPR and Biometrics

The UK laws and regulations regarding copyright and ownership bring me to an interesting thought. With the new European regulation, the privacy of citizens has increased significantly (Bustard, 2015). And now, with the introduction of GDPR, there will be a need for care in capturing, storing, and processing biometric data. Prior to processing it, data organizations will need a legally valid ground to process such information. A lot of organizations just follow technology fads, but this is a point where they need to consider whether they really need biometric technology.


In 2017, when Apple launched the iPhone X with its Face ID functionality, there was a lot of discussion about how it would protect such data, which is highly sensitive in nature. GDPR specifically classifies biometrics as a “sensitive category of personal data”. It defines biometrics in Article 4 under clause 14 as “‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (Privacy Regulation, 2017).


The definition focuses on two types of biometric data: bodily and behavioural, where the latter is a broader subject area. Ross (2017) states “It is unclear just how narrowly regulatory authorities will interpret this category or what limiting principles, if any, will guide their analyses. Plausibly, information pertaining to someone’s habits, actions or personality could be considered behavioural information within the scope of the definition.”


The GDPR will affect the processing of biometric data: data controllers will need to assess the impact on privacy of processing different kinds of biometric data. They will need to conduct a risk assessment and prepare a plan to mitigate those risks (Ross, 2017).


Do you think this would restrict the use of biometrics, especially in workplaces?




Bustard, J. (2015) ‘The Impact of EU Privacy Legislation on Biometric System Deployment: Protecting citizens but constraining applications’, IEEE Signal Processing Magazine, 32(5), pp. 101-108.


Privacy Regulation. (2017) Article 4 EU GDPR “Definitions”. Available at: http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm (Accessed: 12 February 2018)


Ross, D. (2017) Processing biometric data? Be careful, under the GDPR. Available at: https://iapp.org/news/a/processing-biometric-data-be-careful-under-the-gdpr/ (Accessed: 12 February 2018)

