Biometric data and their regulation
You probably already know that we are a security systems integrator company. Our activities include sanctioned access systems, which in turn include electronic biometric devices and systems. In the opinion of a certain part of the society (the vast majority), it is in conflict with the law that regulates this issue. There are many speculations and differences of opinion regarding this.
Let’s try to clarify this issue together
What is biometric data:
“Biometric data is a physical, mental or behavioral characteristic that is unique and permanent to each physical
For the person and with whom it is possible to identify this person (fingerprint, ankle print, eye color
Membrane, retina (image of the retina), facial features).
It should also be noted that according to the Law of Georgia on Personal Data Protection, biometric data is a special category of data only when it allows the identification of a natural person with a specific category of data, such as race or ethnicity, health status, conviction and others. Accordingly, when processing them, it is necessary to have at least one of the grounds provided for in Article 6 of the Law – for example, the written consent of the data subject. (Specifically defined in which case the written consent of the data subject is required).
(Pursuant to Article 2 (c) of the Law of Georgia on Personal Data Protection)
What does biometric data processing mean:
According to Article 2 of the Law of Georgia on Personal Data Protection, processing means any action taken on data, for example, data collection, recording, photo printing, audio/video recording, organizing, storing, modifying, restoring, using, disclosing, grouping, combining, Block, delete, destroy and more. Processing can be done either automatically (using a computer program) or not automatically (log production, data entry manually) or semi-automatically.
Biometric data processing methods:
Two main methods of biometric data processing are used in world practice, they are verification and identification, the difference between them is essential. Most often, these two methods are used to process biometric data to control access to both physical and virtual space (access to a specific server or system).
The identification method involves checking the authenticity of biometric data with the information in the database and is often referred to by name as one-to-many, which involves the biometric system determining whether specific biometric data (fingerprint, voice, handwriting, etc.) belongs to a particular person. Accordingly, the system compares specific biometric data with all samples in the database.
In the case of the identification method, the existence of a database in itself represents a relatively low level of security as there is a risk of using the data illegally.
The verification method involves checking the authenticity of biometric data without using a database. In particular, the biometric data entered on a train containing biometric data (for example, a business card made for a specific person and containing the biometric data of that person) is compared by the system to the biometric data in the database, specifically to the holder of that card.
This method is referred to by name one by one. It is considered that the verification method is more secure because the database through which the system operates does not allow access to specific data, every data contained in it is encrypted and activated only by the data subject using the above train. Processing biometric data with this method is more expensive than with the identification method, however it provides a higher level of security and requires appropriate software support. However, during verification, the individual owns a device containing their own biometric data (business card, ID card, etc.), which reduces the risk of unauthorized access to it.
How the products we offer to our customers meet the requirements of the regulation:
First of all, we say that and we think no one will be surprised that the regulation of personal data security by law is not invented and developed by the legislation of our country. Attempting to introduce the experience and standards of others is in our case. Here we say that all our products are GDPR certified and comply with the Euro regulation:
General Data Protection Regulation – The European Data Protection Regulation will apply from 25 May 2018 in all Member States to enforce data protection.