Trust Stamp executive argues biometrics need consistent definitions and standards to flourish
Legislators face an urgent challenge to regulate biometrics in a way that both protects privacy and promotes growth, but consistent definitions and standards can guide the process, Trust Stamp EVP John Bridge writes along with Dr. Chaminda Hewage in a LinkedIn post.
The post begins by describing a tension between the privacy and security aspects of biometrics, which are becoming more prominent as the technology’s use grows. The authors then consider definitions in legislation on the books, including the California Consumer Privacy Act (CCPA), Europe’s General Data Protection Regulation (GDPR) and state laws in Washington, New York, Illinois and Arkansas. In one example of the confusion, some jurisdictions specifically include behavioral biometrics, while others explicitly do not.
For businesses in a global economy, complying with the various definitions can be highly challenging, according to the article. Creating a more standardized definition of biometric data and aligning data laws with best practices, meanwhile, can improve compliance and provide a framework for regions that are catching up on biometric regulation.
Bridge and Hewage then review the existing regulations and standards that apply to biometrics, including a range of ISO/IEC standards for information technology and personally identifiable information (PII). The guidance provided by NIST to help government organizations protect biometric data is also noted.
ISO/IEC 27701:2019, the latest privacy standard from the groups, is an extension to ISO/IEC 27001 and ISO/IEC 27002, and has the potential to act as a de facto privacy standard, according to the authors. The standard also provides mapping of its guidelines to GDPR and other ISO/IEC standards.
“The privacy standards such as ISO/IEC 27701 will be a one stop shop for any organizations who would like to follow best privacy practices,” Bridge and Hewage state. “The mapping with other standards and regulations provide additional advantage for the practitioners to comply with other related standards, laws and regulations.”
The article concludes with the observation that even within the United States, a lack of federal legislation makes the compliance landscape fragmented and difficult. If the potential gains in identity verification, security, travel, immigration applications, financial inclusion and other areas are to be realized, it is imperative for lawmakers to provide assurance to people that their data and privacy are safe.