If there’s one thing that’s on everyone’s mind, it’s how to be GDPR compliant. With the advent of the EU’s General Data Protection Regulation comes a new level of responsibility for companies around the world. Along with regulating the ways in which companies can collect, use and store personal data, GDPR will radically change the way businesses operate. To be compliant with GDPR, companies must maintain a “high level of protection of personal data.”
Further, the legislation mandates that “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data.” What this means is that businesses need to take adequate steps to safeguard personal data, and must also take steps to ensure those safeguards are actually secure.
While GDPR does not mention password policies specifically, passwords are one of the most commonly used methods of “prevention.” But as a recent report from the FIDO Alliance shows, in a single year about 81 percent of data breaches are due to stolen passwords. A strong password used to be enough to keep information secure, but as hacking grows more sophisticated, so too must the technology we use to safeguard against attacks. That’s why industry leaders are turning to alternative forms of authentication. For achieving GDPR compliance and better security, experts say biometric authentication is what will soon replace the conventional password.
How to be GDPR compliant using biometrics
Conventional username-and-password combinations are no longer adequate for keeping information secure. Industry leaders strongly recommend some form of 2FA (two-factor authentication) or MFA (multi-factor authentication) to meet GDPR guidelines, and to prevent data breaches, account takeover and other attacks. The European Union Agency for Network and Information Security (ENISA), which gives guidance on putting EU legislation into action, advocates for 2FA at a minimum.
But, not all 2FA and MFA are created equal; many of these can still be exploited, or are simply too complicated to be reasonable. For many businesses, a streamlined approach to user authentication is going to be what’s most desirable – and biometric authentication fits that bill.
As OneSpan reports, biometric authentication is a key focus for FIDO standards and is included in the framework’s standard-based approach to authentication.
FIDO standards are optimized for GDPR compliance at every level. Under GDPR, biometric data is regulated – but FIDO standards ensure that the way biometric data is used and stored complies with the EU’s legislation.
“FIDO is very focused on biometrics as it perfectly represents the notion of authentication made simple and convenient. The FIDO protocol is set up in such a way that there are no server-side secrets; therefore, biometrics data is never stored in a database. Biometrics are stored locally and never leave the device. By implementing FIDO, businesses avoid collecting, processing, and managing the data themselves.”
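The property the quote describes, that the relying party holds no server-side secret and never sees the biometric, is easiest to see in code. The following is an added, simplified illustration written for this article; it is not code from OneSpan, the FIDO Alliance or any FIDO implementation, and it leaves out attestation, signature counters and the CBOR message formats of real FIDO2/WebAuthn. The origin `https://example.com` and the biometric sample bytes are constructed placeholders; the biometric match is simulated by comparing a digest, standing in for the on-device matcher.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds only what FIDO registration actually discloses: one public key
// per credential. No password hash, no biometric template, no shared secret,
// so a database dump yields nothing that lets an attacker log in.
type Server struct {
	origin      string
	credentials map[string]ed25519.PublicKey // credential ID -> public key
}

// Authenticator models the user's device. The private key and the biometric
// template never leave it; the biometric only unlocks the key locally.
type Authenticator struct {
	credentialID   string
	privateKey     ed25519.PrivateKey
	templateDigest [32]byte // constructed stand-in for the on-device template
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, credentials: map[string]ed25519.PublicKey{}}
}

// Enroll generates the key pair on the device and registers only the public
// half with the server. The biometric sample stays on the device.
func Enroll(s *Server, biometricSample []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	auth := &Authenticator{
		credentialID:   hex.EncodeToString(id),
		privateKey:     priv,
		templateDigest: sha256.Sum256(biometricSample),
	}
	s.credentials[auth.credentialID] = pub // public key only
	return auth, nil
}

// NewChallenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// clientData binds the challenge to the origin the user is actually talking to,
// so a signature produced for one site is worthless at another.
func clientData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator; origins contain no NUL bytes
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign performs the local biometric check and, only on a match, signs the
// challenge. Nothing about the biometric is transmitted.
func (a *Authenticator) Sign(biometricSample []byte, origin string, challenge []byte) ([]byte, error) {
	if sha256.Sum256(biometricSample) != a.templateDigest {
		return nil, errors.New("biometric mismatch: private key stays locked")
	}
	return ed25519.Sign(a.privateKey, clientData(origin, challenge)), nil
}

// Verify checks the signature with the stored public key and the server's own origin.
func (s *Server) Verify(credentialID string, challenge, sig []byte) bool {
	pub, ok := s.credentials[credentialID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, clientData(s.origin, challenge), sig)
}

// Demo runs one enrollment and login, then confirms that a wrong biometric,
// a signature made for a different origin, and a replayed signature are all rejected.
func Demo() (bool, error) {
	const origin = "https://example.com" // constructed origin
	sample := []byte("constructed-fingerprint-sample")
	srv := NewServer(origin)
	auth, err := Enroll(srv, sample)
	if err != nil {
		return false, err
	}
	ch, err := srv.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(sample, origin, ch)
	if err != nil || !srv.Verify(auth.credentialID, ch, sig) {
		return false, errors.New("legitimate login was rejected")
	}
	if _, err := auth.Sign([]byte("someone-else"), origin, ch); err == nil {
		return false, errors.New("key unlocked for a non-matching biometric")
	}
	otherSig, _ := auth.Sign(sample, "https://other.example", ch)
	if srv.Verify(auth.credentialID, ch, otherSig) {
		return false, errors.New("signature for another origin was accepted")
	}
	ch2, _ := srv.NewChallenge()
	if srv.Verify(auth.credentialID, ch2, sig) {
		return false, errors.New("replayed signature was accepted")
	}
	return true, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("FIDO-style round trip passed all checks:", ok, err)
}
```

The point for GDPR is in the `Server` struct: the only personal data the relying party stores for authentication is a public key, which is useless to a thief and is not biometric data under the regulation. The biometric decision happens entirely inside `Authenticator.Sign`, which is the model the FIDO Alliance describes as "biometrics never leave the device".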
So, how do you become GDPR compliant with biometrics? Looking for biometric authentication based on FIDO is a great place to start. Ensuring that your biometric authentication application meets the standards for biometric data, in addition to your authentication needs, is essential to meeting GDPR requirements — but that doesn’t mean it has to be hard. Biometric authentication is a strong but simple solution to a growing problem.