EU GDPR biometric compliance systems
April 2018, This Week's Editor's Pick, Access Control & Identity Management, Integrated Solutions

On May 25, 2018, enforcement of the new European Union General Data Protection Regulation (EU GDPR) begins. The regulation protects natural persons regarding the processing and the movement of their personal data. The regulation covers all forms of personal data (including even genetic, health and biometric data). Biometric data includes physical, physiological, and behavioural characteristics (Chapter I, Article 4).

The regulation gives facial images and dactyloscopic (fingerprint) data as examples of biometric data. It recognises the need to process biometric data in order to uniquely identify natural persons, and it sets conditions for the protection of personal data, such as the consent of the natural persons concerned (Chapter II, Article 9).

Biometric data is a special category

EU GDPR treats biometric data, when used for identification purposes, as a special category of data that is more sensitive and requires special protection.[1] GDPR Article 4 defines biometric data as ‘physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint identification) data.’[2] Processing of biometric data is prohibited by Article 9(1) of the GDPR, even with employee consent, unless one of the conditions for processing special category data listed in Article 9(2) applies.

Implementing biometric systems faces a further challenge because Article 9(4) allows EU member states to ‘introduce further conditions, including limitations to the processing of… biometric data…’[3] GDPR applies to many companies, including American companies, that process the personal data of EU citizens.[4] Google is facing a lawsuit in an English court in which two anonymous litigants want search results about their old legal convictions ‘forgotten’.[5] Publicity surrounding the lawsuit has led to 650 000 ‘Right To Be Forgotten’ requests to Google.[6] This should be a wake-up call to all companies. As late as February 2018, Jason Rose of Gigya, an Israel-based SAP company, opined that: “There is no product on the market that can make your organisation GDPR compliant.”[7]

Penalties for non-compliance

While the new regulation is vague and untested, the penalties for non-compliance are not vague. The regulation applies to all organisations collecting or processing personal data of persons in the European Union, regardless of where in the world the organisations are headquartered. Penalties for non-compliance can be as high as 20 million Euros, or 4% of total worldwide turnover (sales) of the preceding year, whichever is higher (Article 83). Penalties can be repeated for different years or for different instances.

GDPR-compliant systems

Many software companies have responded by announcing their offerings of GDPR-compliant systems. The typical system involves a suite of tools. For example, the regulation includes notification and consent requirements. Many companies will respond to the regulation by designating a data protection officer (DPO). Auditors will be needed to audit the usage of personal data, consent practices (including withdrawal of consent), and data privacy notices.

While some of the software companies have acknowledged the existence of biometric data in the regulation, there has been little detailed explanation of how their systems will deal with biometric data. Some software companies might not have any biometric systems to include within their suite. Other software companies rely upon partnerships with biometric software companies to provide a complete GDPR-compliant system.

The Google case, which concerns the right to consent to data processing and the right to withdraw consent (the right to be forgotten), is an example of the cases that will follow once GDPR enforcement begins.

Biometric compliance systems

This is a review of some of the software companies offering GDPR-compliant systems with a focus upon whether their suites of software tools include biometric software.

SAP ERP – employee focus

SAP’s current GDPR postings provide details of its SAP SuccessFactors HCM Suite. SAP noted that GDPR compliance would need to include personal data on employees and on potential employees being recruited. For employees, SAP’s system would include: personal details, bank data, human resources data, qualifications and educational details, salary and social security data, system access, system usage, and authorisations. This suite would be deployed in the SAP cloud. All data will be encrypted at rest and during transmission.

Even though employees of companies are supplying personal information to their employers, there remain questions about the consent of employees as to which persons at the employer’s company or at other companies should be able to read and to use the individual personal data. Encryption and passwords are not enough. Companies will need biometric systems to be able to prove exactly who accessed and processed the personal data of employees.

A GDPR-compliant system would need to include extensive solutions for the data of individual customers. Companies may have millions of customers in the EU and online internationally.

SAP ERP has not included in its white papers the names or the details of its approved biometric system partners: valantic bioLock and Fujitsu.

Valantic bioLock

Formerly known as realtime, valantic has SAP Gold Partner status. For decades, SAP has used independent partners to provide third-party solutions. In addition to the use of fingerprints, bioLock now provides a platform for Fujitsu’s PalmSecure hand vein technology. You may find detailed explanations of biometric compliance with GDPR at http://www.palmsecurebiolock.com

Fujitsu’s PalmSecure is proprietary technology using unpublished algorithms and sub-surface biometric characteristics. EU GDPR provided examples only of superficial biometric characteristics: fingerprints and facial scans.

Fujitsu

In addition to biometrics, Fujitsu offers guidance on data infrastructure.

Oracle

Oracle has recommended that GDPR compliance will require the co-ordination of many of an organisation’s entities, such as: legal, human resources, marketing, security, and IT. You will need to look in many places to find personal data, such as: databases, unstructured data, files, MAC or IP addresses, and metadata. There will be a need to improve security controls. Oracle provides ‘always on’ encryption via on-chip hardware encryption in the CPU (part of Oracle’s SPARC processors).

While Oracle has a Biometric Authentication Service, Oracle did not mention this service in its explanations of GDPR compliance.

SuperOffice – customer focus

In contrast to SAP’s focus on employees, SuperOffice stressed the importance of compliance in marketing activities. Companies may have far more customers than they have employees. Marketing campaigns can include emails, telephone calls, and visits. Some companies use refer-a-friend campaigns. Under GDPR, the issue becomes which personal information you stored or processed in your system. One of the examples provided by SuperOffice was the 2014 fine levied against Flybe because Flybe had emailed 3,3 million persons who had opted out of marketing promotions with the email: ‘Are your details correct?’

Conclusions

To make matters worse, member states of the European Union will develop detailed laws and penalties consistent with EU GDPR. The explicit recognition of biometric data in the regulation suggests that an important way to increase the protection of personal data is to make more use of biometric systems. While some software companies have responded by offering suites of tools for GDPR compliance, the details of those suites have related to employees or to customers. Biometric tools are critical for the protection, storage, and processing of unique individual data. In evaluating your options for making your system GDPR-compliant, you need to insist that software companies explain the quality of the biometric tools being offered in their suites.

On March 19, 2018, shares of Facebook and of the stock markets tumbled after investors realised that other countries might adopt similar draconian regulations. These regulations could include requiring companies in many countries to require that customers opt into approving the selling or sharing of the personal data of customers. This would have a huge impact on the profitability of many companies.

Sumantra Chakravarty.

Paul Sheldon Foote.

References

1. “Special category data,” UK Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/

2. “Using Biometric data? Sensitive under GDPR!” Jorden Baily and Matthijs van Bergen, Legal ICT, October 18, 2017, https://legalict.com/2017/10/18/using-biometric-data-sensitive-under-the-gdpr/

3. “Processing of special categories of personal data,” Art. 9 GDPR, https://gdpr-info.eu/art-9-gdpr/

4. “How the GDPR Will Change the World,” Jan Phillip Albrecht, European Law Protection Review, 2(3) 2016, https://edpl.lexxion.eu/article/edpl/2016/3/4

5. “Google Faces England’s First ‘Right To Be Forgotten’ Trial,” Kaye Wiggins, Stephanie Bodoni and Jeremy Hodges, Bloomberg Technology, January 2018, https://www.bloomberg.com/news/articles/2018-01-18/google-braced-for-england-s-first-right-to-be-forgotten-trial

6. “Google has Received 650,000 ‘Right To Be Forgotten’ Requests since 2014,” James Doubek, National Public Radio, February 2018, https://www.npr.org/sections/thetwo-way/2018/02/28/589411543/google-received-650-000-right-to-be-forgotten-requests-since-2014

7. “Three GDPR Myths that Could Cost Your Organization Millions,” Jason Rose, Gigya – an SAP Company, Forbes, February 22, 2018, https://www.forbes.com/sites/sap/2018/02/22/3-gdpr-myths-that-could-cost-your-organization-millions/

Resources (Whitepapers and other GDPR content)

• European Union General Data Protection Regulation: https://www.eugdpr.org/

• Fujitsu: http://www.fujitsu.com/fts/solutions/business-technology/security/gdpr/

• Microsoft GDPR: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/readiness

• Oracle: https://www.oracle.com/uk/corporate/features/gdpr.html

https://docs.oracle.com/cd/A57673_01/DOC/net/doc/NWANO233/ch8.htm

• SAP ERP: https://www.successfactors.com/en_us/lp/gdpr-compliance.html

https://discover.sap.com/gdpr/en_us/index.html

• SuperOffice: https://www.superoffice.com/blog/gdpr-marketing/

• valantic bioLock: http://www.palmsecurebiolock.com/

For more information, contact Professor Paul Sheldon Foote, California State University, Fullerton, pfoote@fullerton.edu
