Facial recognition technology (FRT) is becoming a standard tool across many industries, and we often see it used to enhance security and streamline retail operations. While the benefits can be significant, it is essential to remember that using FRT comes with serious obligations. The UK General Data Protection Regulation (UK GDPR) places strict obligations on businesses that process personal data. If you are considering implementing FRT in your business or are already using it, staying on the right side of data protection law is crucial. The use of this technology gives rise to a range of privacy concerns, which means FRT use and FRT systems need careful consideration. This article explores some critical legal data protection considerations when using FRT.
Does Your Business Use FRT?
Facial recognition technology typically captures and analyses digital images of people’s faces, creating a unique biometric template for each individual. This template can then identify, verify, or categorise individuals based on facial features.
For example, FRT might unlock a mobile app or allow someone to pass through a security gate by scanning their face. When you process facial images for this purpose, the data constitutes ‘special category data’ under the UK GDPR. This classification means it is highly sensitive and subject to stricter rules due to the significant privacy risks associated with its potential misuse.
Which Data Protection Considerations Should You Consider for FRT?
Compliance with the UK GDPR is essential for any business handling personal data. Failing to meet these obligations can result in severe consequences, including fines of up to £17.5 million or 4% of your global annual revenue. Beyond financial penalties, data breaches can cause lasting damage to your company’s reputation and erode customer trust.
If your business uses or plans to use FRT, ensuring that your activities fully comply with the UK GDPR is essential. Given the complexity and sensitivity of FRT, it is advisable to seek expert legal advice if you need clarification on your obligations. Non-compliance can lead to significant legal challenges, such as enforcement action and reputational damage.
Here are some key points to consider:
Conducting a Data Protection Impact Assessment (DPIA)
Before you roll out FRT in your business, conducting a Data Protection Impact Assessment (DPIA) is critical. A DPIA is a risk assessment that helps you identify and mitigate risks to the privacy of individuals whose data you plan to process.
Under the UK GDPR, a DPIA is mandatory when data processing is likely to result in a high risk to individuals’ rights and freedoms, which is the case with FRT. As part of your DPIA, you will need to define clearly why you are using FRT, assess its necessity, and evaluate the potential privacy risks, such as data breaches or unauthorised access.
Once you have identified the risks, you must implement measures to mitigate them. This could involve using strong encryption, applying strict access controls, and ensuring you only collect the data necessary for your intended purpose. Conducting a DPIA is a detailed process that requires careful attention, including consulting your Data Protection Officer, where applicable, and relevant stakeholders.
Considering Rules on the Use of Biometric Data
Special category biometric data is a specific type of personal data defined by data protection law. It refers to information derived from technical processes that analyse a person’s physical, physiological, or behavioural characteristics and uniquely identify them. The biometric templates produced by FRT fall within this ‘special category personal data’. This classification brings with it additional rules and obligations.
Using biometric data to uniquely identify an individual is generally prohibited under the UK GDPR unless one of the specific conditions in Article 9 is met.
Businesses often rely on explicit consent to process FRT data, but obtaining this consent is not simple. In contexts with an imbalance of power, such as employer-employee relationships, consent may not be considered freely given. If your business relies on explicit consent for FRT, you must ensure that consent is freely given, informed, specific, and unambiguous.
Documenting Your Decisions
Compliance with data protection rules, such as the UK GDPR, is not just about getting the processes right but about being able to prove it. This is where thorough documentation is critical. Your business should document the reasons for using FRT, including the decision-making process behind these reasons.
These are some key considerations when using FRT, but this is a complex topic with additional legal rules you may need to follow. A data protection lawyer can discuss how your specific use of FRT will impact your legal obligations.
Key Takeaways
FRT offers significant business opportunities but also brings serious responsibilities, particularly concerning data protection and privacy compliance under the UK GDPR. As FRT often involves processing biometric data, organisations must comply with strict legal rules. Given the high-risk nature of FRT, seeking legal advice from a data protection solicitor is a sensible action if you need clarification on your obligations.
If you need legal advice on using FRT, contact LegalVision’s experienced data, privacy, and IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
1. Do I need to conduct a DPIA for facial recognition technology?
Yes, under the UK GDPR, you must conduct a Data Protection Impact Assessment (DPIA) if you plan to use facial recognition technology. Since FRT involves processing biometric data, which is considered high-risk, a DPIA will help you identify potential risks and outline measures to mitigate them, ensuring compliance with the UK GDPR rules.
2. Can I use an opt-out mechanism to obtain consent to use facial recognition technology?
No, an opt-out mechanism for obtaining consent when processing biometric data with FRT does not comply with the UK GDPR. The law requires explicit consent, which must be freely given, informed, specific, and unambiguous. Individuals must take clear, affirmative action to consent to processing their biometric data when you are relying on consent.