Tough new European Privacy Laws become fully operational in May 2018
From 25 May, the European Union's tough new privacy law, the General Data Protection Regulation (GDPR), comes into force and will operate with substantial penalties, such as 4% of an offending organisation's total worldwide turnover. The law strengthens requirements relating to informed consent, the right to be forgotten, data breach notifications and other central privacy concerns. Even if the organisation is based outside the European Union, it is still covered by the GDPR provisions if, for example, it collects personal data of EU citizens or has an office within the EU. The UK has essentially followed the EU rules.
The Biometrics Institute's Privacy Guidelines
The Biometrics Institute's Privacy Guidelines have been extensively compiled to give our members a thorough understanding of the principles behind best practice, regardless of where their organisation is based or which sector they operate in. To ensure the Guidelines remain current, they are updated every two years by the Institute's Privacy Expert Group, which consists of a number of experts from many sectors. They were most recently reviewed in May 2017 to align with the important principles of GDPR.
It is important to remind our members of the good-practice principles the Guidelines contain. In this instance, we will concentrate on Guideline Principle 3, Informed Consent and Guideline Principle 9, Accountability.
We would like to remind all our members that informed consent means just that: the person providing their data has a right to know how it will be collected, stored, used and transferred. It is not acceptable to allow other parties to have unfettered access to personal data collected from an individual. Our Guidelines make it clear that even if the personal data (including biometrics) is transferred to another party for, say, app development or secondary processing, it is still the primary collector's responsibility to ensure the individual's data is not going to be misused and that their privacy won't be invaded.
To ensure continuing responsibility, a contract should be exchanged between both the primary and secondary organisations, outlining the same strong principles of informed consent that were established in the first place. Organisations should have a trained officer or external consultant who is accountable for the design and management of privacy protection. Audits should also be conducted to ensure ongoing compliance.
The Biometrics Institute is holding a half-day seminar on "GDPR and Biometrics" (https://www.biometricsinstitute.org/events/gdpr-biometrics-seminar) in Brussels on Tuesday, 17 April 2018 and a webinar on "Good-practice for Implementing biometrics" (https://www.biometricsinstitute.org/events/virtual-meeting-good-practice-for-implementing-biometrics).
From the Biometrics Institute
The GDPR can be found at www.eugdpr.org.
The Biometrics Institute Privacy Guidelines can be found at https://www.biometricsinstitute.org/privacy-charter