Confronting the challenges of vendor management in biometrics

Data protection should be a key part of ongoing supplier governance, which could include monthly meetings with vendors.

The use of biometric products and solutions poses myriad privacy challenges for organisations looking to implement this technology into their businesses. Key among those challenges is vendor management; building in biometric processes will inevitably require the use of third party suppliers to provide the technology that processes the biometric data. Working with these vendors may mean that organisations lose day-to-day control over the data, but the accountability obligations in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DP Act) mean that the bulk of the data risk still sits with the organisation.

In a high-risk area that is attracting significant public and regulatory attention, clear and effective supplier management and governance is crucial. So, how can organisations successfully work with biometric tech vendors to ensure that both their data and their reputation are protected?

Controller or processor?

The first step will always be to establish, and record, the data relationships at play between the organisation and the vendor. While this might seem straightforward on the face of it (surely, the vendor is a processor on behalf of the organisation as controller), it is often worth thinking this through in a little more detail. The controller/processor assessment is likely to be correct in the majority of cases, but certain biometrics use cases may raise questions of joint controllership (for example, if a facial recognition technology vendor is using its own algorithms to match images against central databases over which the customer has no control). It is also not uncommon for vendors to use the biometric data collected to test, analyse and improve their own technology, models and algorithms. It is highly likely that the vendor will be an independent controller for any processing involved in carrying out its own testing; this is a challenging position when the vendor will likely have no direct contact with data subjects.

Early engagement with vendors is essential so that customers can understand exactly how and why vendors will process personal data. Even where the controller/processor assessment seems obvious, a data protection impact assessment (DPIA) should be used prior to any biometrics deployment. A DPIA will be mandatory in projects of this nature to ensure compliance with the GDPR/DP Act.

Conducting a DPIA will also deliver many additional benefits to both the customer and the biometric tech provider. Rather than being seen as a tick-box exercise or a mild inconvenience which potentially delays project implementation, the DPIA can be used to give both parties far greater clarity as to the nature of their relationship, foresee how the project will run in practice and help to inform what changes, if any, should be made to the contract before the focus shifts to delivery. In particular, the DPIA can be used to challenge, probe and ultimately record the customer’s assessment (undertaken in consultation with the vendor, ideally) as to whether the parties are acting as controllers, processors or a combination of the two for different processing activities.

Where vendors will undertake some processing (such as testing) as an independent controller, vendors may also expect some commitments from customers, for example flowing through the vendor’s own transparency and consent wording to data subjects. Customers should discuss these issues in detail with vendors to understand exactly what is required and consider how to mitigate the customer’s own risk.

Know your vendor

The GDPR and DP Act impose obligations on controllers to choose only processors providing sufficient guarantees of compliance with the legislation. These effectively require organisations to conduct due diligence on any vendors that process personal data; the obligation becomes even more important when processing special category personal data such as biometric data.

Due diligence is often seen as a way to ensure that a processor’s security measures are sufficiently robust. This is, of course, crucial, but it is important to remember that the obligation requires controllers to satisfy themselves that the vendor’s processing meets all the requirements of the legislation, including ensuring the protection of data subjects’ rights.

Due diligence should therefore not be limited to security. It is equally important for customers to gauge from vendors how they will help the customer to meet other obligations, for example:

  1. How does the vendor assist in complying with data subject rights? Is a platform available for customers to ‘self-serve’ by accessing and deleting data themselves? If additional assistance is required, what are the costs and timescales?
  2. What retention procedures are in place and how does the vendor ensure that data is fully deleted? If the vendor carries out some processing as an independent controller, how does this affect deletion?
  3. What accuracy guarantees does the vendor provide and what recourse is there in the event of an incorrect decision being made by the vendor’s technology?
  4. What sub-contractors does the vendor use and what activities are they responsible for? What is the vendor’s process for ensuring that customers have visibility and control of sub-contractors? How are obligations flowed through the supply chain?

If a DPIA leads to the conclusion that the data relationships are more complex than simply “controller/processor”, due diligence should not fall away. Joint controllers are jointly and severally liable for compliance and even in scenarios where the vendor is an independent controller, reputational risk still sits with the customer. Due diligence will therefore be important regardless of the outcome of the controller/processor assessment.

Consider the security position

Although security is not the “be all and end all” of due diligence, investigating a vendor’s security measures and standards is essential. The GDPR and DP Act security provisions raise an interesting question for controllers: given that processors have their own direct security obligations, how much control is it appropriate for the controller to have over the processor’s security measures?

Under the new legislative landscape, organisations are starting to move away from forcing suppliers to sign up to the customer’s own security measures. Doing so can lead to concerns that controllers could unwittingly be taking on responsibility for the processor’s own compliance with its direct obligations. Indeed, this approach often prompts processors to request warranties from their controllers that such security measures meet the requirements of the legislation, potentially precluding any claims against the processor if those measures fail, or even allowing the processor to claim against the controller.

Controllers are understandably reluctant to take on any responsibility for the processor’s own direct obligations, but this reluctance should not translate into a complete disclaimer of responsibility for assessing the processor’s security measures. Ultimate accountability for compliance remains with the controller and the higher the risk of the processing, the more the controller will be expected to do to ensure that the data will be adequately protected. It is therefore important for the customer to satisfy itself that the vendor’s security measures are ‘appropriate’ and meet the requirements of the legislation, taking into account the heightened risk posed by the processing of biometric data.

Contract for the practical reality

In the context of such high-risk processing, the contract with the vendor will be critical. Not only is this necessary to demonstrate compliance with statutory requirements to record obligations in writing, but having a robust contract also helps the parties to understand their respective obligations and can ensure that each party has appropriate recourse in the event of any data issues at the other party’s end.

The GDPR’s introduction of certain processor obligations (Article 28(3) will no doubt be familiar to most privacy practitioners), combined with the significantly higher fines, has made negotiating data protection clauses a tricky task at the best of times. What was once routinely considered a boilerplate element of the contract now regularly features on the list of key issues to be resolved in contract negotiations. In an area as high-risk and high-profile as biometrics, the challenge is heightened even further, with matters such as audit and breach management causing particular difficulties. Negotiations of data protection clauses often become most protracted where the parties fail to consider the practical reality of the arrangement. The technology behind biometric processing is complicated, but effective negotiations cannot take place without all those involved having at least a basic understanding of how the particular technology works. A sensible starting point for negotiations would be for the parties (with legal, business and technical representatives) to sit down to discuss the applied workings of the technology and how the vendor intends to manage data protection issues in practice. Setting the scene in this way gives a context to data protection clauses that can help to cut through legal intricacies to reach a compromise that is reasonable for both parties.

Parties will need to be cognisant of any potential need for different sets of data protection obligations depending on the different data relationships at play. A contract may contain both controller-to-processor and controller-to-controller clauses. Given the GDPR and DP Act requirements for data processing contracts to set out details of processing, it is important for the parties to develop a thorough understanding of the delineation between different relationships and record this in the contract.

Ongoing management

While contractual protection is critical for compliance and financial protection, it is of limited value when it comes to reputational risk. Given the regulatory and public interest in biometrics, reputation is key, and this is a risk that is much more effectively managed through regular vendor engagement than through strict legal provisions. Data protection should form a central part of ongoing governance procedures. Monthly meetings with vendors should include data protection as a standing agenda item and can cover, for example:

  • upcoming proposed supply chain changes;
  • security testing that has taken place during that month, vulnerabilities discovered and remedial measures put in place;
  • any “near miss” breaches that the vendor is aware of and how these have been resolved;
  • changes to vendor policies and plans, including any changes to security measures;
  • upcoming assistance the customer may require, for example if a DPIA update is due imminently, and the scope of that assistance;
  • any wider public policy concerns and considerations that might affect the processing of biometric data.

Maintaining regular oversight of biometric vendors in this way will not only assist customers in demonstrating accountability, but will also help to ensure that potential compliance and commercial issues are picked up as early as possible so that these can be appropriately handled before they escalate into damaging headlines.

Key takeaways

It is clear from the above how important it is for organisations deploying biometric technology to think about how the biometric supply chain is managed. Here are three key takeaways for biometric customers to help manage third party risk in biometric technology:

1. Engage early

Vendors should be involved in privacy discussions and DPIAs from the outset and due diligence processes should be kicked off as early as possible. This helps customers to build privacy by design into biometric strategies and raise concerns with suppliers well before the technology is in use.

2. Think practically

It is easy to get caught up in legal language and intricacies when negotiating complex data protection clauses. Taking a step back to consider the practical reality can help to expedite a compromise that works for both parties.

3. Manage commercially

No amount of contractual protection can defend against reputational risk arising out of a supplier’s failure to protect biometric data. Data protection should be a key part of ongoing supplier governance, to demonstrate accountability and enable customers to respond quickly and efficiently to issues as early as possible.

This article was first published in Privacy Laws & Business UK Report, March 2020. www.privacylaws.com/reports

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.