# Biometrics DPIAs: Necessity, Proportionality and Alternatives

Canonical URL: https://xpertdpo.com/biometrics-dpias-necessity-proportionality-and-alternatives/

Content type: Article

Published: 2026-06-25T17:44:28+01:00

Updated: 2026-06-25T17:57:10+01:00

Author: Philipa Jane Farley, Head of Legal and Operations

Summary: Practical CPD guidance for DPOs and privacy teams reviewing fingerprint or facial access control, with a worked alternatives analysis, DPIA evidence trail and safeguards record.

## Article

*This article accompanies Hour 5: Blockchain, Biometrics and Emerging Technology under GDPR in our full-day CPD programme on [XpertAcademy](https://xpertacademy.com/cpd-event-b-ai-technical/). Completion of the full one-hour session, including the related learning materials, contributes to the one-hour CPD certificate issued for that session. You can access the course here: [CPD Event B: Full-Day AI, Technical Privacy & Emerging Technology Training](https://xpertacademy.com/cpd-event-b-ai-technical/).*

 A workplace wants to replace its existing access-control process with fingerprint or facial access. The business case sounds familiar: fewer lost cards, faster entry, better security, a cleaner visitor experience and less administrative work for facilities.

 That is not a bad-faith proposal. Many biometric projects begin with a sensible operational problem. Doors need to be secured. Cards are shared. PINs are forgotten. Reception teams are overloaded. Security wants an auditable system that proves the person entering a controlled area is the person authorised to be there.

 For a DPO or privacy team, however, the question is not whether the technology is useful. The question is whether the organisation can evidence that biometric processing is necessary and proportionate for the specific purpose, and that less intrusive alternatives have been considered properly.

 This article is general guidance, not legal advice on a specific deployment. It is written for privacy, legal, governance, procurement, security and workplace teams who need a practical evidence trail before biometric access becomes embedded in a building, site or service.

> A biometric DPIA should not start with "which vendor do we like?" It should start with "what access problem are we trying to solve, and can we solve it without turning people's bodies into credentials?"

### Why the access-control question is hard

 Biometric access can feel more convenient than cards or PINs because the credential is attached to the person. That is also why the privacy risk is different.

 A lost card can be cancelled. A shared PIN can be changed. A compromised mobile credential can usually be revoked and reissued. A fingerprint, facial structure, iris pattern, palm geometry or voice pattern is not replaceable in the same way. Even where the system stores a template rather than a raw image, the privacy team still needs to understand whether the template can be linked, reversed, copied, reused or exposed through a breach.

 GDPR draws an important distinction. Biometric data is personal data resulting from specific technical processing relating to someone's physical, physiological or behavioural characteristics, where that data allows or confirms unique identification. Where biometric data is processed for the purpose of uniquely identifying a natural person, it is special category biometric data. That brings a higher threshold for lawful processing, safeguards and accountability.

 In employment and workplace settings, there is also a practical fairness issue. Employees may feel they cannot refuse a biometric system if refusal affects entry to the workplace, shift start times, pay, status, convenience or manager perception. If the organisation relies on consent or explicit consent, it must be able to show genuine choice and control. A choice that leads to slower access, embarrassment, worse treatment or practical exclusion is not a strong choice.

 This is why the DPIA has to test the operational claim, not just describe the product. "It is more secure" is not enough. More secure than what? For which area? Against which threat? With what error rate? With what alternative route? With what retention period? With what vendor processing? With what evidence that people will not be disadvantaged?

### The legal and governance issue in plain language

 The privacy team should avoid two mistakes.

 The first mistake is treating biometrics as automatically unlawful. That is too blunt. There may be contexts where biometric verification is justified, especially where the access risk is serious, alternatives are demonstrably weaker, and safeguards are strong.

 The second mistake is treating biometrics as a normal access-control upgrade. That is too casual. Biometric recognition usually raises high-risk indicators: special category data, innovative technology, security impact, potential exclusion, potential discrimination, employee power imbalance, vendor dependence and serious consequences if data is compromised.

 Under GDPR, a DPIA is required where processing is likely to result in a high risk to individuals. DPC guidance identifies biometric identification or authentication, when combined with other high-risk criteria, as a mandatory DPIA trigger. ICO guidance on biometric recognition is even more direct in the UK context: organisations must complete a DPIA before using a biometric recognition system. The practical lesson is the same across both positions. Do the assessment early, before procurement and rollout decisions harden.

 The DPIA should include necessity and proportionality. Necessity asks whether the biometric processing is genuinely needed for the specific access purpose. Proportionality asks whether the interference with rights is justified by the benefit, taking account of alternatives, safeguards, affected individuals and residual risk.

 In a workplace access project, that means testing the biometric option against cards, PINs, device-based access and process changes. If a less intrusive option can reasonably meet the security need, biometrics may be difficult to justify. If biometrics are still selected, the record should explain why, in practical terms, not generic language.

### Worked example: fingerprint or facial access for a workplace

 Assume a medium-sized organisation has 480 employees across one office and a small lab area. Staff currently use proximity cards to enter the building and a separate card-plus-PIN step to enter the lab. Facilities wants to introduce fingerprint readers or facial access at the main entrance and lab doors. The stated purposes are convenience, reduced card sharing and improved security.

 The privacy team starts with some known facts. The main entrance is used by employees, contractors, visitors and delivery staff. The lab contains valuable equipment and some confidential client material, but only 42 staff need access. Card sharing has been reported twice in the past year. There has been no confirmed unauthorised lab entry. The proposed vendor offers fingerprint templates stored centrally, facial recognition at doors, cloud administration, access logs, analytics dashboards and optional integration with HR records.

 Several facts are still unknown. The team does not yet know whether biometric templates leave the device, whether the vendor reuses data for model improvement, what false rejection rates look like for the workforce, whether employees can use an alternative route without detriment, whether visitors are in scope, whether the facial system scans passers-by, how long templates and logs are retained, or what happens when someone leaves.

 The decision question is therefore narrow: is biometric access necessary and proportionate for the main entrance, the lab, both, or neither?

 The alternatives analysis should be recorded in a way that a reviewer can understand later.

| Option | Security benefit | Privacy and fairness impact | Evidence needed before decision |
| --- | --- | --- | --- |
| Current cards only | Familiar, low friction, easy to issue and revoke. Weak if cards are shared or lost. | Lower intrusion than biometrics, but access logs still identify individuals. | Incident evidence, lost-card rate, card-sharing evidence, access-log controls and card cancellation process. |
| Cards plus PIN for sensitive areas | Stronger than card-only because the card alone is not enough. PINs can be reset. | Still personal data, but no biometric template. Risk of PIN sharing, shoulder-surfing and accessibility issues if poorly designed. | Whether PIN policy, door positioning, anti-passback controls and audit review reduce the specific lab risk. |
| Device-based access | Can use managed phone, passkey, hardware token or mobile credential. Revocable and potentially stronger with device security. | May create bring-your-own-device issues, device exclusion or tracking concerns, but avoids workplace biometric enrolment if designed well. | Device ownership model, fallback route, logs, MDM impact, lost-device process, token revocation and accessibility review. |
| Fingerprint access | Makes credential sharing harder and can be quick for enrolled staff. | Special category biometric data if used for unique identification. Risk from breach, false rejection, disability exclusion and pressure to enrol. | Necessity case, Article 6 basis, Article 9 condition, template protection, storage model, retention, alternative route and staff consultation. |
| Facial access | Can be contactless and fast, especially at turnstiles. | Higher risk where cameras scan people who have not enrolled, where bystanders or visitors are captured, or where monitoring feels unavoidable. | Camera field of view, enrolment model, non-user route, false acceptance/rejection data, bias evidence, signage, live monitoring limits and deletion rules. |

 On these facts, the case for biometric access at the main entrance is weak. The risk evidence does not show a serious main-entrance problem that cannot be managed by improved card governance, visitor controls, faster card replacement, anti-passback rules, reception process changes or device-based credentials. A facial system at the main entrance may also capture visitors or people walking past the camera. The convenience gain is real, but convenience alone is unlikely to justify high-risk biometric processing across the whole workforce and other site users.

 The lab is a closer question. The organisation has a narrower access purpose, a smaller population, a controlled area and stronger security rationale. Even there, the privacy team should not jump straight to biometrics. Cards plus PIN, managed hardware tokens, device-based passkeys, enhanced audit review and better exception handling should be tested first. If those measures can reasonably reduce the lab risk, biometric access may still be disproportionate.

 If the organisation can evidence that the lab requires stronger person-bound verification, the DPIA may support a limited biometric pilot for the lab only. The safeguards would matter. The system should avoid facial scanning of non-users. It should avoid central storage unless strictly justified. It should not retain raw biometric samples after template creation unless a documented need exists. Templates should be protected using appropriate technical measures. Staff who cannot or do not wish to use the biometric route should have a practical alternative, such as card plus PIN or security desk verification, without delay or stigma.

 The proportionality outcome may therefore be mixed: no biometric access for the main entrance, further consideration or a limited pilot for the lab, and a clear preference for less intrusive controls wherever they meet the security need.

### What the DPO or privacy team should check

 A useful biometric review is structured, but it should not become a tick-box ritual. The point is to expose the decision.

 Start with purpose. Is the proposal about security, attendance control, convenience, fraud prevention, health and safety, visitor management or something else? Do not let the purpose drift. A system approved for access control should not quietly become a timekeeping, productivity, investigation or behaviour-monitoring tool.

 Map the people affected. Employees, contractors, agency workers, cleaners, visitors, delivery drivers and maintenance staff may have different levels of choice and information. Workplace power imbalance matters, especially where refusal may be treated as awkward or suspicious.

 Define the biometric processing. Is the system using fingerprint, facial geometry, palm, iris, voice, gait or another trait? Does it perform verification against an enrolled template, or identification across a database? Does it process raw images, templates, access logs, device identifiers, analytics or HR-linked data? Are cameras or readers capturing people who are not enrolled?

 Check the lawful basis and special category condition. The controller needs an Article 6 lawful basis and, where special category biometric data is processed, an Article 9 condition. In the workplace, consent and explicit consent need particular caution because choice may not be freely given unless the alternative is genuinely equivalent.

 Test alternatives properly. Cards, PINs, device-based credentials, security staff verification, zoning, better visitor procedures, tighter card replacement, anti-passback rules and audit review may all reduce risk without biometric processing. The DPIA should explain why each realistic alternative is insufficient, or why the biometric option is rejected.

 Assess safeguards and vendor evidence. The team should understand template storage, encryption, key management, on-device versus cloud processing, processor and subprocessor roles, security testing, vulnerability handling, retention, deletion, access controls, support access, international transfers and incident response. Cybersecurity evidence supports the DPIA, but it does not replace the necessity assessment.

 Review fairness, accuracy and accessibility. Biometric systems involve probabilistic matching: a presentation is scored against the enrolled template and accepted if the score clears a threshold, and moving that threshold trades false acceptance against false rejection. False rejection can lock authorised people out. False acceptance can allow unauthorised access. Error rates may vary across demographic groups or physical characteristics, so ask the vendor for rates measured at the threshold it proposes to deploy, on a population like the workforce, rather than a headline accuracy figure. Some people may be unable to use a fingerprint reader or facial system because of disability, injury, religious dress, skin condition, lighting, the conditions of their role or other factors. The project needs a tested fallback route.

 Record escalation triggers. Escalate if the system captures non-users, affects pay or attendance, covers public or publicly accessible spaces, links to HR monitoring, involves large-scale special category data, uses facial recognition across open areas, lacks a valid Article 9 condition, lacks a genuine alternative, or leaves residual high risk that cannot be mitigated.

### When biometrics may be disproportionate

 Biometric access is often disproportionate where the main benefit is convenience. A faster queue at the office door is not usually enough to justify processing special category biometric data across an entire workforce.

 It may also be disproportionate where the same aim can be achieved by stronger card controls, PINs, passkeys, managed devices or operational discipline. If the problem is that cards are not cancelled promptly, a biometric system is a poor substitute for fixing the leaver process. If the problem is tailgating, door design and staff practice may be more relevant than fingerprint enrolment.

 Attendance and timekeeping proposals need particular care. A fingerprint clock-in tool may look efficient, but the power imbalance is acute. If the consequence of failure is lost pay, a disciplinary flag or manager attention, the impact of false rejection and lack of choice becomes much more serious.

 Facial access at open entrances is especially sensitive. If cameras scan visitors, delivery staff, passers-by or employees who have not enrolled, the organisation may struggle to show transparency, choice and minimisation. EDPB materials on facial recognition repeatedly emphasise the sensitivity of biometric data, the risk of false results, bias and discrimination, and the need to consider less intrusive methods where possible.

 Short-term users are another warning sign. It is rarely proportionate to enrol a visitor, temporary contractor or occasional supplier biometrically where a temporary card, escorted access, QR code, reception check or time-limited token would work.

### Safeguards if the organisation proceeds

 If biometrics remain under consideration after the alternatives analysis, the safeguards should be specific enough to change the system.

- Limit the deployment to the area and population that need it. Do not roll out site-wide because one sensitive zone has a stronger case.
- Use verification rather than broad identification where possible. Avoid scanning people who have not enrolled.
- Prefer local or on-device processing where it genuinely reduces risk and still leaves the controller able to evidence compliance.
- Protect templates using appropriate measures, including encryption, access control, key management, unlinkability, revocability or other template-protection techniques where available.
- Do not retain raw biometric samples unless there is a documented and proportionate reason. Set deletion rules for templates, failed probes, access logs and leavers.
- Provide a genuine non-biometric route that works in practice, not only on paper.
- Monitor false acceptance, false rejection, complaints, accessibility issues and demographic performance where relevant.
- Make transparency practical at enrolment, at the access point and in staff materials.
- Lock the purpose. Prevent reuse for attendance, investigations, productivity, analytics or HR profiling without a fresh assessment and approval.
- Set review dates and stop criteria, including vendor change, new sensor capability, system expansion, incident, complaint, transfer change or regulator guidance change.

 The point is not to make biometrics impossible. The point is to prevent a high-risk identity system being approved on the strength of a vague promise that it is "secure".
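
The fairness check above (probabilistic matching, false acceptance and false rejection) and the template-protection safeguard in the list (unlinkability and revocability) are easier to assess once you have seen them in working code. The following is an added example written for this article, not code from any vendor or from the original page. It implements a toy cancelable-template scheme: a per-deployment secret key seeds a random projection of the feature vector, and only the sign of each projected coordinate is stored, which is the construction behind BioHashing. The feature extractor, the deployment keys and the sample population are all assumed and constructed; no real biometric data is used. ISO/IEC 24745 names the properties being demonstrated as irreversibility, unlinkability and renewability.

```python
"""Toy cancelable-template scheme: key-seeded random projection followed by
sign binarisation (the construction behind BioHashing), with FAR/FRR
estimated at a fixed decision threshold.

Everything here is constructed for illustration. The "feature vectors"
stand in for the output of a hypothetical vendor feature extractor; no real
biometric data is involved, and this is not a production scheme.
"""
import hashlib
import random

DIM = 128          # length of the assumed feature vector
BITS = 128         # template length in bits
THRESHOLD = 0.25   # accept if at most this fraction of bits differ


def projection(deployment_key):
    """Derive the projection matrix for one deployment key.

    The RNG is seeded only from the key, so the same key always yields the
    same matrix, and a fresh key yields an independent one. Rotating the key
    is what makes a template revocable.
    """
    seed = int.from_bytes(hashlib.sha256(deployment_key).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(BITS)]


def protect(features, matrix):
    """Project the features and keep only the sign of each coordinate.

    Keeping signs is many-to-one, so the stored bits do not reconstruct the
    features; because the matrix is key-dependent, templates of the same
    person under different keys are statistically independent (unlinkable).
    """
    return [1 if sum(r * x for r, x in zip(row, features)) > 0.0 else 0
            for row in matrix]


def hamming(a, b):
    """Fraction of differing bits between two templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(probe_bits, enrolled_bits):
    """1:1 verification decision against one enrolled template."""
    return hamming(probe_bits, enrolled_bits) <= THRESHOLD


# Constructed sample population. Seeded so runs are repeatable.
_population = random.Random(2024)


def fresh_subject():
    """Feature vector of a new, distinct person (constructed, not real)."""
    return [_population.gauss(0.0, 1.0) for _ in range(DIM)]


def recapture(features, noise=0.1):
    """A later presentation of the same person: same features plus sensor noise."""
    return [x + _population.gauss(0.0, noise) for x in features]


def error_rates(matrix, subjects=50, impostor_attempts=50):
    """Estimate FRR and FAR at THRESHOLD for one deployment key.

    FRR: enrolled people whose recapture fails to match their own template.
    FAR: unrelated people whose presentation matches the first enrolled
    person's template.
    """
    enrolled = [(s, protect(s, matrix)) for s in [fresh_subject() for _ in range(subjects)]]
    false_rejects = sum(
        not matches(protect(recapture(s), matrix), template) for s, template in enrolled)
    target_template = enrolled[0][1]
    false_accepts = sum(
        matches(protect(fresh_subject(), matrix), target_template)
        for _ in range(impostor_attempts))
    return false_rejects / subjects, false_accepts / impostor_attempts


def demo():
    """Walk through enrolment, verification, unlinkability and revocation."""
    key_v1 = b"lab-door-key-v1"   # hypothetical key held by the controller
    key_v2 = b"lab-door-key-v2"   # replacement key issued when v1 is revoked
    matrix_v1, matrix_v2 = projection(key_v1), projection(key_v2)

    person = fresh_subject()
    template_v1 = protect(person, matrix_v1)

    # Genuine verification under the live key: few bits flip, well under THRESHOLD.
    genuine = hamming(protect(recapture(person), matrix_v1), template_v1)
    # Same person under another key: about half the bits differ, so a leaked
    # v1 template neither matches nor links to the re-enrolled v2 template.
    cross_key = hamming(protect(person, matrix_v2), template_v1)
    # And the re-enrolled template still verifies the person under the new key.
    after_revocation = matches(protect(recapture(person), matrix_v2),
                               protect(person, matrix_v2))
    frr, far = error_rates(matrix_v1)
    return {"genuine": genuine, "cross_key": cross_key,
            "verifies_after_revocation": after_revocation, "frr": frr, "far": far}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block gives a genuine-match distance near zero, a cross-key distance near 0.5, and zero FRR and FAR at the 0.25 threshold on this constructed population. Three points carry over to a real review. The decision is a threshold on a score, so the vendor should be able to supply FAR and FRR at the threshold it proposes to deploy, measured on a population like the workforce. The key that makes templates revocable is itself a secret the controller must manage: with the key in hand, the stored bits constrain the original feature vector far more than they do without it, so key storage and vendor access to it belong in the DPIA. And the scheme is 1:1 verification against the template for an identity claimed by a card or PIN; turning it into 1:N identification across everyone enrolled changes the risk profile and the Article 9 analysis.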

### Concrete evidence that should exist afterwards

 After the review, the organisation should be able to show a clean evidence record.

 The first document is a decision record. It should state the purpose, the decision, the owner, the approved scope, the rejected scope, the conditions of approval and the date for review. If biometrics are rejected for the main entrance but considered for the lab, say that clearly.

 The second is the alternatives matrix. This should compare cards, PINs, device-based access, operational controls and biometric access against the actual security problem. It should not be a vendor comparison dressed up as a DPIA.

 The DPIA should then record the processing description, data flows, people affected, lawful basis, special category condition, necessity and proportionality analysis, risks, safeguards, residual risk, consultation, DPO advice and sign-off. Where residual high risk remains that cannot be mitigated, Article 36 requires the controller to consult the supervisory authority before the processing starts.

 Vendor evidence should sit beside the DPIA. Useful evidence includes architecture diagrams, template storage details, cloud and subprocessor information, security testing, breach and vulnerability process, retention controls, deletion process, support-access model, transfer assessment where relevant, and contract terms. For products with digital elements, the European Commission's Cyber Resilience Act materials set out security-by-design and vulnerability-handling expectations that are useful context when reading vendor evidence, although they do not replace GDPR accountability.

 There should also be operational evidence: enrolment scripts, staff communications, signage, alternative-route procedure, access-review procedure, leaver deletion process, incident playbook, rights-request route, audit-log controls, training records and an action log showing who will fix remaining issues.

 Finally, there should be a review schedule. Biometrics should be reassessed if the system expands to new doors, moves from fingerprint to facial recognition, captures visitors, links to HR or attendance, changes vendor, adds analytics, changes retention, suffers an incident, receives complaints, shows performance issues or becomes unnecessary because other access controls improve.

### What this means for CPD

 Hour 5 covers blockchain, biometrics and emerging technology because these topics share a governance problem: technical design choices can become hard to reverse once they are operationally convenient. Biometrics make that lesson immediate. A door-entry project can become a special category data project very quickly.

 After working through this example, a DPO or privacy team should be able to ask sharper questions. What is the actual access risk? What data will be created? Who is affected? What less intrusive options exist? What makes the chosen option necessary? What safeguards are real? What evidence will survive audit, complaint or regulator scrutiny?

 This also connects to wider DPIA lifecycle work. Where biometric access forms part of a broader emerging technology or AI-enabled identity system, the DPIA, AI assessment, vendor review, security review and operational decision record should describe the same system. If each record tells a different story, the governance is not ready.

 XpertDPO support can sit around that evidence trail, including [AI Governance and DPIA Lifecycle Support](https://xpertdpo.com/ai-governance-dpia-lifecycle-support/), focused [DPIA Support](https://xpertdpo.com/data-protection-impact-assessment-dpia-support/), [Vendor / Third-Party Privacy Governance](https://xpertdpo.com/vendor-third-party-privacy-governance/) and ongoing [DPO Support](https://xpertdpo.com/dpo-support/). The practical aim is simple: help the organisation reach a decision it can explain, defend and review.

 *This article is intended to support the learning covered in Hour 5 of our [XpertAcademy](https://xpertacademy.com/cpd-event-b-ai-technical/) CPD programme. The relevant CPD certificate is issued for completion of the full one-hour session on XpertAcademy, rather than for reading this article on its own. You can return to the course here: [CPD Event B: Full-Day AI, Technical Privacy & Emerging Technology Training](https://xpertacademy.com/cpd-event-b-ai-technical/).*

### Sources

- Information Commissioner's Office, Biometric data guidance: Biometric recognition: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/)
- Information Commissioner's Office, How do we demonstrate our compliance with our data protection obligations? Biometrics: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/how-do-we-demonstrate-our-compliance-with-our-data-protection-obligations/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/how-do-we-demonstrate-our-compliance-with-our-data-protection-obligations/)
- Information Commissioner's Office, How do we process biometric data lawfully?: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/how-do-we-process-biometric-data-lawfully/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/how-do-we-process-biometric-data-lawfully/)
- Information Commissioner's Office, How do we keep biometric data secure?: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/how-do-we-keep-biometric-data-secure/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/how-do-we-keep-biometric-data-secure/)
- Information Commissioner's Office, When do we need to do a DPIA?: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/)
- Data Protection Commission, What are "personal data" and when are they "processed"?: [https://www.dataprotection.ie/en/dpc-guidance/what-is-personal-data](https://www.dataprotection.ie/en/dpc-guidance/what-is-personal-data)
- Data Protection Commission, Data Protection Impact Assessments: [https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments)
- Data Protection Commission, Guide to Data Protection Impact Assessments (DPIAs): [https://www.dataprotection.ie/sites/default/files/uploads/2019-10/Guide%20to%20Data%20Protection%20Impact%20Assessments%20%28DPIAs%29_Oct19_0.pdf](https://www.dataprotection.ie/sites/default/files/uploads/2019-10/Guide%20to%20Data%20Protection%20Impact%20Assessments%20%28DPIAs%29_Oct19_0.pdf)
- Data Protection Commission, DPC announces conclusion of investigation into use of facial matching technology in connection with the Public Services Card by the Department of Social Protection, 12 June 2025: [https://www.dataprotection.ie/en/news-media/press-releases/dpc-announces-conclusion-investigation-use-facial-matching-technology-connection-public-services](https://www.dataprotection.ie/en/news-media/press-releases/dpc-announces-conclusion-investigation-use-facial-matching-technology-connection-public-services)
- European Data Protection Board, Biometrics topic hub: [https://www.edpb.europa.eu/our-work-tools/our-documents/topic/biometrics_en](https://www.edpb.europa.eu/our-work-tools/our-documents/topic/biometrics_en)
- European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices: [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf)
- European Data Protection Board, Opinion 11/2024 on the use of facial recognition to streamline airport passengers' flow: [https://www.edpb.europa.eu/system/files/2024-05/edpb_opinion_202411_facialrecognitionairports_en.pdf](https://www.edpb.europa.eu/system/files/2024-05/edpb_opinion_202411_facialrecognitionairports_en.pdf)
- European Data Protection Board, Guidelines 02/2025 on processing of personal data through blockchain technologies, adopted version for public consultation: [https://www.edpb.europa.eu/public-consultations/guidelines-022025-on-processing-of-personal-data-through-blockchain_en](https://www.edpb.europa.eu/public-consultations/guidelines-022025-on-processing-of-personal-data-through-blockchain_en)
- European Commission, Cyber Resilience Act: [https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)

## General Information Only

This article is provided for general information and does not constitute legal, regulatory, or professional advice. Data protection obligations depend on the specific facts, context, and jurisdiction involved. You should not rely on this content as a substitute for advice tailored to your organisation.

If you would like support with a specific issue, please contact us: https://xpertdpo.com/contact/
