As the implementation date for GDPR approaches, a lot of speculation is going on regarding the potential effects of the regulation. Without doubt, incumbent players must change their current ways of operating; if they desire to comply with the regulation, that is. Previously, we already discussed the more general impacts of GDPR on financial companies. In this article, however, we’re going to dive a little deeper into the topic of personal identity with respect to GDPR.
The incentive to comply
The general gist of the regulation is to give EU citizens more control over their personal data. To stimulate this, the regulation created by the European parliament and council appoints the companies that control the data as the responsible entities for the validity and security of the identity information of their customers. Companies that don’t comply with the regulation will be fined according to the gravity of their breach. However, as this shift will be costly and time consuming, just paying the fines can be a cheaper option for some, although potential damage to the company’s brand can be indelible.
Biometrics as identifiers for financial transactions
These days, biometrics are increasingly adopted in financial services. This can be attributed mainly to the distinctiveness of human biological features, combined with demand originating from younger generations. The use of biometrics for identification is estimated to be one of the main ways, if not the main way, of identification for financial transactions in 2020. Currently, the use of fingerprints and eye scans, for example, is already adopted as an identification procedure. Looking forward, user behaviour is also expected to become a means of identification. Here, the way a user behaves replaces the entry of data. A main advantage of this technique is that it doesn’t require additional technology at the user interface, and it is seen as a potential solution to the weaknesses of single-factor password authentication. Regardless of the specifics, these identification measures rely on the storage of biometric data and therefore call for adequate data management tools.
GDPR and biometrics
Companies that do wish to comply with GDPR will need to have controls that protect the key identity data of individuals. These controls must ensure the companies responsible have the technical and organisational measures in place to prevent the exposure of any personally identifiable information through weak identity management in their systems and data. These companies’ main concern should be how to meet customers’ expectations and the growing demand for having their data protected, corrected and deleted upon request. To meet these requirements, technology, processes, strategies and marketing aspects must be built into the picture. In doing so, the use of biometric data can play an important role, as also identified in the GDPR. GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Of course, this is only relevant after consent is given by the “data subject”.
Digital Identification Access Management (DIAM) can be a useful tool in minimising the collection of personal data. During registration, for instance, data is verified against other sources and therefore need not be retained. During access, the information required doesn’t need to be exceptionally specific unless necessary; for instance, when only an individual’s region of residence is required as opposed to an individual’s exact address. Ultimately, it is only right that an individual’s data should be owned fully and solely by the individual themselves, with third parties being given access to specific details of this data only if the individual consents. This is where blockchain might play a big role, combined with a data storage layer and a key or access grant mechanism.
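To make the DIAM pattern above concrete, here is a small added example (not code from the article or from any product) of an identity service that verifies claims at registration but keeps only the outcome and a coarse region, releases attributes only under a consent grant made by the subject, and erases the whole record on request. The registry, subject ids and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for an external verification source (a registry).
# A real deployment would query the source and keep nothing from its reply.
AUTHORITATIVE_SOURCE = {
    "subject-0001": {"name": "A. Jansen", "address": "Keizersgracht 1, Amsterdam"},
}

@dataclass
class IdentityRecord:
    subject_id: str
    verified: bool                              # outcome of the check, not the data checked
    region: str                                 # the coarsest attribute still needed
    consents: set = field(default_factory=set)  # (third_party, attribute) grants

STORE: dict = {}   # in-memory identity store for the example

def register(subject_id: str, claimed_name: str, claimed_address: str) -> IdentityRecord:
    """Verify the claims against the source; retain only the outcome and the region."""
    ref = AUTHORITATIVE_SOURCE.get(subject_id)
    ok = ref is not None and (ref["name"], ref["address"]) == (claimed_name, claimed_address)
    # The region is derived from the address once; the address itself is never stored.
    region = claimed_address.rsplit(",", 1)[-1].strip() if ok else ""
    STORE[subject_id] = IdentityRecord(subject_id, ok, region)
    return STORE[subject_id]

def grant(subject_id: str, third_party: str, attribute: str) -> None:
    """The subject, not the controller, decides who may read which attribute."""
    STORE[subject_id].consents.add((third_party, attribute))

def revoke(subject_id: str, third_party: str, attribute: str) -> None:
    """Withdrawing consent takes effect on the next disclosure request."""
    STORE[subject_id].consents.discard((third_party, attribute))

def disclose(subject_id: str, third_party: str, attribute: str):
    """Release one attribute to one party, and only under an explicit grant."""
    record = STORE[subject_id]
    if (third_party, attribute) not in record.consents:
        raise PermissionError(f"{third_party} has no consent to read {attribute}")
    if attribute == "region":
        return record.region
    if attribute == "verified":
        return record.verified
    # Even a granted attribute cannot be released if it was never retained.
    raise KeyError(f"{attribute!r} is not retained; the exact address was never stored")

def erase(subject_id: str) -> bool:
    """Deletion on request: the whole record goes, including its grants."""
    return STORE.pop(subject_id, None) is not None
```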
By Michael Brooijmans