Are your biometrics secure enough? Ask a Compliance Officer

August 26, 2024 | 5 minute read


What’s important to know when it comes to biometrics and meeting compliance requirements?

We sat down with Aware Legal Counsel and Compliance Officer, Sarah Eckert, to get insight into the relationship between compliance and biometrics, and what’s essential for organizations to consider when using biometrics.

Q: What is compliance?

A: Compliance covers a wide array of things, including legal compliance, security compliance, financial compliance. Depending on where you’re doing business, you’re subject to different regulations. If you’re talking in the legal sector for the corporate world, you’re looking more along the lines of privacy compliance, security compliance, as well as in the United States as a publicly traded company, like Aware, you’re looking at SEC compliance, financial reporting requirements, etc.

Q: What’s important for the average organization to understand about compliance?

A: It’s important for organizations to make sure that they’re compliant with the regulations that directly apply to their company. Specifically, if you’re a company operating in Europe, you have to comply with the GDPR for data privacy and processing. You have to make sure that you’re handling European data properly. The same thing applies in Brazil where they also have a similar data processing law. Lack of compliance can get an organization in a lot of trouble, resulting in large fines, civil liability, and in some cases criminal liability for officers of the company.

Q: What’s important to consider in terms of compliance when it comes to biometrics?

A: Biometric information is considered across the board, when you look at data privacy regulations, as a special interest or special category of PII (aka personal identifying information). It’s a special interest category since it’s something that cannot be changed. Unlike your Social Security Number or your email address, for example, which are things that you can change if they’re breached. Passwords can be changed if breached. Biometric information cannot be changed, and so the safeguarding of it is incredibly important. It’s incredibly important for you to have control over where it goes and what companies have access to it. So, it’s covered by specific regulations under GDPR, as well as some data privacy regulations and processing regulations in the United States, such as the CCPA and the CPRA. And then in Brazil, there’s the LGPD, which covers the same sort of information as GDPR.

Q: What role does data privacy and data protection play in compliance?

A: It’s important when you’re looking at data privacy and data protection to ensure that you have the appropriate internal security standards in place so that the data is not accessible to every employee in the company. The data that is accessible should be properly stored and only accessible to employees who need to have access to that data.

Q: And what about the role of data retention?

A: Data retention is important because one of the principles of the GDPR is data minimization, which means you should not be storing or handling data more than you need to or longer than you need to in order to perform the processing tasks that you have been assigned. For example, for us here at Aware, that means we will typically store data as a standard in line with fulfilling our contractual obligations for the duration of that contract. This is so we can continue to authenticate users after they have been enrolled in our system. For our customers, however, we have mechanisms in place so that our business clients can have users removed. If that user is no longer active with our business client, or if the data subject wants us to remove the information, we’re able to make sure that information is properly removed.

Q: Can you talk more about the role of transparency and consent in compliance?

A: Transparency is a big part of the reason that the GDPR was passed by the European Union. It’s a lot about consumer rights, making sure that consumers know how their data is being processed, what data is being processed, and what you do with that information once you have it. A lot of it surrounds some less special interest categories of data, like emails, names, addresses, employee information, or other information about your employer that could be used to identify you. All of that is covered by GDPR. And so, as part of making sure that you’re being transparent, you need to inform the consumer or data subject in advance that you’re collecting this data, exactly what you’re doing with it, how it will be stored, how they can ask it to be amended or removed. Explicit consent must also be given by the data subjects.

Key Takeaways:

  • Lock Down Compliance: Ensure your biometric data is managed in line with GDPR, CCPA, and other global regulations. If it’s not, you’re at risk.
  • Control Data Retention: Only keep what you need. Make sure you can delete data when it’s no longer necessary.
  • Demand Transparency: Know exactly how your data is being used, stored, and protected. If you’re not informed, it’s a red flag.
  • Secure Internal Access: Limit who can access biometric data within your organization. Only the right people should have that privilege.
  • Stay Ahead Globally: Be sure your practices are compliant not just locally, but globally. Don’t let overlooked regulations put you in danger.

Looking for a partner that can help you nail compliance when it comes to biometric data?

Get in touch with our team.