Implementation of Privacy by Design in face-recognition software

Customer
Client
A non-EU company supplies software to corporate clients, which are located in the EU. Many products are designed to work with biometric personal data. One of these clients needs to identify a large number of its visitors at the same time for additional sale of services. Obtaining a written consent for the processing of sensitive data (facial recognition) would be difficult and expensive, while other exceptions of Article 9 of the GDPR were not applicable.
Goals and objectives of the project
Project goals and objectives
  • Defining the responsibilities of the controller and processor in terms of processing and providing access to biometric data.
  • Auditing software for compliance with the GDPR rules.
  • Assessing the possibility of implementing Privacy by Design.
  • Protecting the company from the risk of a fine or a complaint for violation of the GDPR.
  • Brief description of the project
    Project summary
    There are only a few exceptions to article 9 of the GDPR, which prohibits the processing of biometric data. The DPO consultant analyzed the purpose, scope and nature of the planned processing, the organizational and technical capabilities of the customer and came to the conclusion that the client can use the exceptions mentioned in paragraph 2 (a) of article 9 of the GDPR. An individual solution has been developed that guarantees the privacy of visitors, taking into account Privacy by Default. Among other things, the possibility of anonymizing data, using other categories of personal data, and ways to transfer the processing to the visitors' devices were considered.
    Results of the project
    Project results
    A solution that allows obtaining explicit consent to the processing of sensitive data of 100+ thousand customers in one day has been developed. The solution does not involve large financial cost, but consists in an organizational change. Visitors express their consent without filling out any documents, but at the same time it meets all the requirements of the GDPR (voluntary, not a prerequisite for the providing of services, easily revoked, informed).

    Consultant

    Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
    MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM). Started to work with the GDPR draft version, in 2015, in Munich. Defended his MBA thesis about the Regulation, in Bremen, in 2016

    Siarhei delivered hundreds of consultations on GDPR issues to companies around the world. He helped to implement the GDPR program as an external project manager in over 50 companies.

    Recommended services

    Аудит
    Audit
    We can audit your compliance with GDPR. External and internal audits of projects, processes or instances of processing.
    Software
    Software
    Data protection SaaS products, recommended by our company.