“While there are undoubtedly significant benefits in using new technologies, organisations need to be aware of the potential challenges when choosing and using any systems involving biometric data,” writes Steve Wood, Deputy Commissioner for Policy at the UK Information Commissioner’s Office.
“Any organisations planning on using new and innovative technologies that involve personal data, including biometric data, need to think about these key points:
- Under the GDPR, controllers are required to complete a DPIA where their processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’ such as the (large scale) use of biometric data.
- When you’ve done your DPIA, make sure you act upon the risks identified and demonstrate you have taken it into account. Use it to inform your work.
- You must be able to demonstrate your compliance by putting appropriate technical and organisational measures in place.
- If relying on consent as a legal basis, then remember that biometric data is classed as special category data under GDPR and any consent obtained must be explicit.”