GDPR & DPA2018 Compliance

What is the EU’s General Data Protection Regulation (GDPR), and why is it important?

The GDPR came into effect on 25 May 2018, introducing new obligations around the processing of personal data and enhancing the rights of individuals in order to protect their personal data. Under the GDPR, any data which identifies an individual, or which can be combined with other data to identify an individual, counts as personal data.

With face recognition technology (FRT), the digital images, the fingerprint and any outputs (like reports and profiles) will all be personal data. Because FRT collects information about a person’s facial features, it is classed under biometric data, which is labeled as “sensitive personal data.” The verbatim definition of biometric data in the GDPR is…

Biometric Data: means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Clearly, the GDPR breaks biometric information into two categories…

Physical Characteristics: facial features, fingerprints, iris characteristics, weight etc.

Behavioral Characteristics: habits, actions, personality traits, quirks, addictions, etc.

WHAT ARE WE DOING TO COMPLY WITH GDPR’S REQUIREMENTS?

Our Facial Recognition solution, FaceFirst, takes information security, protection, and privacy of customer personally identifiable information (PII) data very seriously and follows software industry best practices. FaceFirst fully supports and abides by the data privacy principles established by applicable local privacy laws and regulations.

PERSONAL DATA STORAGE AND COLLECTION

The FaceFirst platform is designed with privacy and security in mind, ensuring that PII and biometric information are collected and stored securely and with encryption. All the personal information stored in the FaceFirst system is protected, secured and isolated in multiple ways.

All enrollment images, biometric templates, and PII are stored in a single location on a FaceFirst server. We use either folder-level (EFS) or volume-level (BitLocker) encryption with at least AES 128-bit to encrypt and protect your data.

Access to all FaceFirst systems requires qualified credentials and rights. All access to the FaceFirst systems is done over secure networking (VPN/SSL/TLS). User passwords are stored using strong cryptographic algorithms with unique salts.

AUTOMATIC BLURRING OF IMAGES

In 2018, FaceFirst, the leading face recognition platform for retail and public safety, launched Mask-ID, a new privacy feature that helps individuals maintain anonymity within face recognition systems.

Mask-ID instantly blurs facial images without compromising match accuracy, helping individuals maintain anonymity within face recognition systems. This feature may be turned on by customer request.

DATABASE ENCRYPTION

All customer production databases that contain PII are considered sensitive. Access to sensitive data is restricted and protected using a broad set of security controls including, but not limited to, access control and encryption at rest.

FaceFirst uses whole disk encryption and BitLocker, which are generally accepted and have an active development community with regular patching/upgrading. FaceFirst also uses the trusted platform module (TPM) for better encryption security.

ADDITIONAL STEPS WE TAKE TO ENSURE PRIVACY:

ANTI-PROFILING
The FaceFirst system is designed to prevent utilizing the platform for any type of profiling by race, age, gender or national origin.

ENCRYPTION
Image data is encrypted both at rest and during transmission.

DATA BREACH PRECAUTIONS
Biometric templates stored within the FaceFirst system cannot be converted back into a face image in the case of a data breach.

DATA PURGING
Surveillance data can be automatically purged at regular intervals to help protect privacy.

CHECKS AND BALANCES
Role hierarchies ensure that only authorized individuals have the ability to approve and view enrollment images within the FaceFirst system.

SIGNAGE
Although not required by law, we encourage customers to post signage alerting customers when biometric surveillance is being used for public safety purposes.