Embracing biometrics to prepare for GDPR

By James Stickland | 2 August 2017

Protecting customer’s data privacy is critical for organisations of all sizes and in all industries – but even more so when and where it’s mandated by law. The General Data Protection Regulation (GDPR) is approaching quickly; with the deadline less than a year away, it’s time to think about what complying looks like.

Simply being aware of GDPR isn’t enough though. There is a vast amount of work that must be done to ensure companies adhere to the regulation before the May 2018 deadline. The guidelines are clear, but for financial organisations who haven’t yet started to comply, or who aren’t far enough along yet, the mindset to approaching compliance is just as important as jumping into action.

Preparing for GDPR

The amount of work that must be done to comply with GDPR has been a cause for concern for organisations in all industries. Those who do not comply with the new regulation will face fines of up to 20m euros (about $22m USD), or four percent of their annual sales, whichever is more. It’s no wonder many financial institutions are scrambling to comply before it’s crunch time.

Yes, the early bird usually gets the worm, but there is another silver lining for those who are currently working to comply: The opportunity to strengthen and protect their organisation’s greatest assets – the massive amounts of personal data they collect and store. Institutions have now been handed the mandate they need to “clean out their closet,” as they have the opportunity to comb through every place they store data and reorganize it. It’s this process of “cleaning out the closet” that allows financial institutions a chance to update their existing architecture and make their institutions more secure.

Biometrics: Identifying individuals, controlling access to data

GDPR is a great opportunity to strengthen security and protect the massive amounts of personal data your organisation collects and stores. But where should an organisation start?

First, consider replacing PINs, tokens and passwords. It is abundantly clear that passwords are a problematic way to protect ourselves and our data. In fact, passwords account for 81 percent of hacker-related data breaches, according to the 2017 Verizon Data Breach Incident Report. Embracing biometrics is a way to better identify individuals and control privileged user access to data.

Building a stronger access control environment and enforcing that environment will require more than passwords and tokens; it will require biometric authentication to truly ensure you are who you say you are. Accessing personal or financial information using something you are (fingerprint, iris or face recognition, for example) is always going to be better and more secure than using something you know (password or PIN). Many companies are now beginning to implement multi-factor biometric authentication, that combines multiple identifiers (spoken passphrase, unique device identifier and a biometric scan, for example) to improve security and strengthen legacy systems.

Biometrics will also help in the auditing and forensics process by creating traceability. The ability to reconstruct an event has been a challenge in the banking industry for a number of years already, but it will become especially important under GDPR. By utilising a biometric authentication platform, financial institutions will be able to recreate every step in a process from logging in, to data access and control, to time stamps and location stamps, right through exit and control and even distribution. Having a biometric identity stamp on each of these records will mean financial institutions will have legal non-repudiation that they can stand on in court.

There are other requirements for GDPR compliance that biometrics can assist with as well. The IEEE 2410 Biometric Open Protocol Standard (BOPS)  includes provisions for biometric template storage that can help companies achieve the “right to be forgotten.” The IEEE standard recommends using a distributed data model to break up and store biometrics between the user device and a back-end server. This way, companies can secure the biometric data and provide end users with the ability to control and delete their data as required by GDPR.


It’s important to also note that GDPR isn’t the only regulation causing executives in the European Union to take a second glance at existing processes. PSD2 requires banks to open customer account and transaction data to third parties via open application program interfaces (APIs), while GDPR imposes strict requirements for them to protect customer data as well as rigorous penalties for failing to do so.

These two regulations are closely related, as they are expected to go into effect in the EU within six months of each other – January 2018 for PSD2 and May 2018 for GDPR. Financial institutions have a unique situation, as they are at the intersection of these two regulations. It would be wise for these organisations to take the necessary steps now to implement these regulations in an integrated manner, rather than separately.

 What should we do…now?

The full process of complying with GDPR is going to be a bit like cleaning out one’s closet – something tedious that you’d rather just put off. However, rather than stress and watch the clock tick down to May 2018, now is the time for financial institutions to get educated and use this mandate as an opportunity to strengthen and protect the organisation’s data assets. Don’t delay – hackers are, and will continue to wreak havoc in all industries, but financial institutions can utilise GDPR as an opportunity to evaluate their legacy architecture and create a more secure environment. Consider biometrics as a first step in strengthening data access management and control, and get a head start on GDPR and PSD2 compliance. 

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development