Skip to main content

Will you get sued for collecting employee biometric data?

Will you get sued for collecting employee biometric data? The answer is "YES" if you're a business in Illinois and you failed to obtain written consent or provide disclosure around how to plan to use and store the biometric data. The full article is in today's Chicago Tribune article, Mariano's, Kimpton Hotels sued over alleged collection of biometric data: 'It's something very personal'.


The article states: "...unlike, say, a stolen company ID, which can be replaced, individuals can't order up a new body part, raising concerns about what could happen if scans of their fingertips' arches, loops and whorls fell into the wrong hands. Those concerns are prompting employees and others to push back against company policies that require collection of biometric data."

Lawyers say that damages to one of the companies in the article, Roundy's (owner of the Mariano's grocery chain) could reach $10 million.

This should give you pause if you are working on compliance with the EU's General Data Protection Regulation. Biometric data is a "special category of personal data" (GDPR Article 9) that requires "the data subject [to give] explicit consent". And the fines for violating the GDPR will be quite a bit higher.

Make obtaining consent and providing full notice a priority in your GDPR preparation.

Comments

Post a Comment

Popular posts from this blog

GDPR Gap Assessment template

It's hard to believe I'm still talking to companies who are only now getting started on GDPR compliance. In fact, Cisco's 2019 Data Privacy Benchmark Study found that only 59% of the 3,206 organizations they surveyed felt they were largely compliant. Nine percent had not even started their compliance work: There are other companies who are thinking to entering the EU market and they are starting down the path of understanding what is required from a GDPR perspective. If I were starting my GDPR compliance journey, the first thing I would do is a gap assessment. There are many outstanding gap assessment tools available, including: Data Protection Self Assessment https://ico.org.uk/for-organisations/data-protection-self-assessment/ ISACA-CMMI GDPR Assessment (requires ISACA membership) http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/isaca-cmmi-gdpr-assessment.aspx Nymity GDPR Readiness Assessment Questions https://info.nymity.com/gdpr-c

Calculating the severity of a data breach

While at the 2019 IAPP Privacy. Security. Risk. conference, I was introduced to the European Union Agency for Network and Information Security (ENISA)'s " Recommendations for a methodology of the assessment of severity of personal data breaches " in Liisa M. Thomas's Data Breach Bootcamp. The methodology allows you to calculate the severity of a data breach from the perspective of a data subject: what's the personal harm? The methodology systematizes and standardizes the calculation “estimation of the magnitude of potential impact on the individuals derived from the data breach”. By answering a few questions about the breach, the methodology produces a severity score: Low : Individuals either will not be affected or may encounter a few inconveniences, which they will overcome without any problem (time spent re-entering information, annoyances, irritations, etc.). Medium : Individuals may encounter significant inconveniences, which they will be able to ove

How to perform a Data Protection Impact Assessment

[Updated! Originally published 2017 September 9] There is a ton of free material in the Internet describing the Data Privacy Impact Assessments (DPIA) process. Some fine examples include: UK ICO's " Conducting Privacy Impact Assessment- Code of Practice Article 29 Data Protection Working Party's " Guidelines on Data Protection Impact Assessment (DPIA) France's CNIL's PIA Manual 1 - Methodology (how to carry out a PIA) ; PIA Manual 2 - Tools (templates and knowledge bases) , and PIA Manual 3 - Good Practices When I actually tried to perform my first DPIA (also called "Data Protection Impact Assessments"), I struggled because the templates were not particularly intuitive. I searched for real-world examples of DPIAs...and found nothing. I looked for templates that were comprehensive and straightforward...and found none. Even the three different versions of a DPIA template I received from IT Governance as part of a GDPR class and a document