06 September, 2022
Biometrics and Privacy Law Compliance - Part 2
(This blog is the second part of a series that analyzes Anonybit’s compliance with data protection laws. For part 1, click here.)
Data protection regulations are driving enterprises around the world to rethink how they manage and protect personal data, from photos, to location information, financial, demographic, biographic, crypto assets and more. One key emerging trend as a result is the growth of privacy-enhancing technologies (PECs) which are expected to be adopted in some capacity by roughly 60% of large enterprises by 2025.
Biometrics present a particular challenge given they are defined as sensitive data under many data protection laws, but the fact that these laws are all different raises many questions on what specifically needs to be done to be compliant across the board.
Here are 5 steps to best practices in biometrics privacy compliance
- Active Consent: Most data protection regulations specify some kind of consent or legitimate use requirement for the collection of biometrics. The gray area comes into often what constitutes biometrics. In fact, so many BIPA lawsuits have been generated by parties who believe they are not responsible for collecting consent, or by attempting to limit what constitutes the conditions and the types of data under which consent should be collected. To be on the safe side, any time a facial image, voice recording or other biometric sample is captured, notice and written/active consent should be enabled.
- Data Minimization: Most data protection laws also require limited retention of personal data for the time that it is needed for processing or for the initial purpose for which it was collected. By employing zero-knowledge proofs for biometric matching that automatically discards the original biometric sample and template both for storage and matching purposes, the Anonybit system essentially ensures compliance with this requirement from the get-go.
- Safeguard Personal Data: While the focus of this blog is biometrics, the fact is all personal data that is collected should be safeguarded with the greatest care. Most data protection laws require companies to maintain “reasonable” safeguards against unauthorized access and disclosure to personal data but we have all read the daily headlines to know that attackers still find their way in, via phishing, brute force attacks and other means. Traditional MFA, encryption and traditional centralized storage of personal data with access controls is simply not enough. One way to protect against data breaches is to leverage decentralization techniques like multi-party computing across the board, for images, biographic, demographic, financial, health and other data including biometrics. Advanced PII vaults, such as the one offered by Anonybit, manage this seamlessly and include governance, access and threat detection layers.
- Ensure Data Localization: Many data protection laws limit residency of personal data information. Oftentimes, cloud providers and enterprises translate that into central storage of information in specific geographies. However, despite being decentralized, Anonybit’s system is designed to allow compliance with those requirements, as well as with client-specific concerns. A client can request, and Anonybit can ensure, that a particular deployment of an Anonybit instance is limited to a specified geographic location or environment – the MPC (multi-party computing) network could reside in the United States, the EU, or even controlled by a specific user environment.
- Prohibit Data Sharing and Access to Unauthorized Parties: Fundamentally, companies should abstain from sharing or selling personal data without user consent. Period. End of story. But there are nuances within an organization that should be considered as data management programs get implemented. For example, there are many functions that only require verification of information and that do not necessitate data being transferred, viewed or shared amongst parties. Other functions, like audits and compliance reviews may involve larger scale analyses of information. Defining access protocols on an as-needed basis and developing requisite policies and subsequent technical safeguards around personal data can limit leaks and unnecessary exposures. This is an area where biometrics can shine, because again, they can unequivocally ascertain that someone is who they claim to be when they obtain access.
To request the comprehensive guide to Anonybit compliance with data protection regulations, click here.