Are Regulations Defining the Future of Biometrics?
Data protection and privacy have become buzzwords in the European digital ecosystem in the era of GDPR, introduced in May last year.
Most sectors are having to comply with said rules and conform to industry trends, thus evolving based on the limitations regulations have imposed on them. According to Aravind Srimoolanathan, Senior Research Analyst – Aerospace, Defence & Security at Frost & Sullivan, this is particularly applicable in the biometrics sector, as it progresses in line with regulation, presenting increasing opportunities for biometrics to excel in a security-driven data world.
The Swedish data protection authority (DPA) recently levied the first fine of approximately $20,000 on a high school that ran trials of facial recognition technology among a group of students to monitor their attendance. The school authorities argue that the program had the consent of the students, though that did not soften the stance of the regulator. The European Data Protection Board cited the ‘imbalance’ between the data subject and the controller of data. Canvassing the multiple opinions floating on the web, Frost & Sullivan notes multiple cases of violations reported in Bulgaria and Austria following the incident in Sweden. The regulatory breaches have led to similar fines levied by the respective local data protection agencies tasked with enforcing GDPR. Have the floodgates opened? Will this drown the biometric market? Probably not, but it does raise significant concerns which need to be assessed and responded to, in order to continue bringing the associated benefits of biometric technologies to business and security operations.
The General Data Protection Regulation (GDPR) is designed for the protection of personal data. GDPR emphasises a person’s right to protect their personal data, irrespective of whether the data are processed within or outside the EU. Any data that could be linked to a person is subsumed into the definition of “personal data”. The regulation comprises several articles and clauses which require compliance by all forms of agency – public, private or individual – that process personal and sensitive data of clients, companies or other individuals. The regulation addresses not only the data protection and privacy of individual citizens of the European Union (EU) and European Economic Area (EEA) but also data transfer outside the EU and EEA.
In summary, data is expected to be stored, managed, and shared in an individual-centric approach rather than a collateral approach.
Conventional methods of managing identity in the modern world, such as ID cards and PINs/passwords, are failing to address efficiency, accuracy and security requirements. The exponential demand for biometric-based ID management and access control systems drives the need to overcome such challenges. Biometric technologies (yes, facial recognition is one of them) curtail unauthorised physical and cyber access, preventing identity fraud, enhance public safety, and drive seamless and efficient processes, ensuring higher safety, convenience, and profits.
The Swedish high school case indicates that the extent of GDPR is not limited to giant corporations such as British Airways but also covers smaller public and private entities ‘mishandling’ data and hence violating the dictates of the GDPR.
Frost & Sullivan’s collation of perspectives and insights from across the industry indicates that biometric technologies will replace conventional methods of Identity and Access Management in the years to come; it is not a case of if but when. Continued enforcement of data regulations would drive proper use case definition and regulatory compliance, but for this the suppliers and operators of these technologies need to create compliant, secure-by-design solutions and processes. The first step is ensuring secure operations of the systems, the second is to design robust and verifiable processes for the associated data generated, and the third is defining the application of harvested data within the ethos of GDPR and related governance.
In the short term, though, with a surge in the adoption of biometric technologies, Frost & Sullivan anticipates we will witness an uptick in the number of GDPR violation cases, due to partial and/or improper understanding of data privacy regulations. Though there is a risk that the hefty fines may slow down the pace of widespread adoption of biometric technologies, Frost & Sullivan’s proposed three-step strategy will drive healthy demand. Organisations that are digitally transforming their businesses for enhanced process efficiencies as part of their digital strategy would need to realign strategies to comply with general data protection regulations.
Biometric technologies are gaining notoriety with the data breaches, privacy concerns and unethical commercialisation of the associated data. GDPR may prove to be the Achilles heel of the biometric market, but it does not necessarily need to be; instead, the principles of GDPR can themselves become the value proposition of future biometric technologies.