Biometric Data and CDD Checks: A Data Protection Perspective

biometric data, CDD, client due diligence, AML

Introduction

Client due diligence (CDD) checking is an important aspect of the work of all law firms and one which the Solicitors Regulation Authority (SRA) in particular regards as a cornerstone of anti-money laundering (AML) compliance. Historically, law firms have undertaken checks using manual methods such as requiring clients to bring documents to their office to prove their identity, including passports, drivers' licences, utility bills and copies of bank statements. The problem with such manual, paper-based systems, however, is that not only is the process slow and prone to clerical error and fraud, it also requires that clients are either available in person to have their identities checked or that they are able to send scans of important documents by email.

With advancements in technology, and spurred on by the need for social distancing when COVID restrictions were imposed, online electronic services such as those provided by Verify 365, Thirdfort and Armalytics became an ever more common means for firms to enhance their checking processes. These methods have now been augmented by the growing use of biometric data as a tool to verify identities efficiently.

Effective as biometric data is in this process, it does not come without issues; not least the unwillingness of some clients to submit to this form of verification, and the need for firms to take steps to ensure that they remain within the bounds of data protection legislation and regulations. For the purposes of the UK General Data Protection Regulation (UK GDPR), biometric data falls within the scope of special category personal data and as such carries enhanced responsibilities in terms of how it is used and protected.

What is Biometric Data Checking?

Put simply, biometric identity checking is a process that relies on unique physical or behavioural characteristics such as fingerprints, facial features, voice patterns and iris scans to establish the identity of a person. In the context of AML checks, biometric data plays a crucial role in enhancing security and ensuring compliance: by leveraging biometric technologies, firms can verify identities more accurately, reduce the risk of fraud and streamline the client onboarding process. This makes it an essential tool in modern compliance practice.

One of the key advantages of biometric data is its ability to provide a higher level of security compared with traditional identification methods. Unlike passwords or PINs, which can be forgotten or stolen, biometric traits are inherently tied to the individual and are difficult to replicate. This makes them a robust solution for safeguarding sensitive information and preventing unauthorised access.

UK GDPR and Special Category Data

Although biometric data presents an opportunity for improving the ease and accuracy with which AML checks are undertaken, its implementation comes with a range of significant challenges, not least of which are data protection regulations which impose strict requirements on the collection, storage, and processing of sensitive personal data.

UK data protection laws, primarily governed by the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), establish a robust framework for handling personal data. These outline key principles such as lawfulness, transparency, and accountability, ensuring that firms process data responsibly and ethically. Compliance with these regulations is essential to protect individuals’ privacy and avoid significant penalties for breaches.

Biometric data is classified as special category personal data under the UK GDPR when it is used for identification purposes. Article 9(1) of the UK GDPR imposes a general prohibition on the processing of special category data unless a lawful basis and an additional condition under Article 9(2) are met. The processing of biometric data for AML compliance must therefore satisfy these strict requirements.

The Information Commissioner’s Office (ICO) has made it clear that organisations processing biometric data must conduct a thorough assessment of their legal basis and ensure compliance with data protection laws.

Lawful Basis for Processing Biometric Data

Identifying a Lawful Basis Under Article 6

For biometric data to be processed lawfully under UK GDPR, solicitors must establish a legal basis under Article 6. The most relevant bases for AML compliance include:

  1. Legal Obligation (Article 6(1)(c)) – that processing is necessary to comply with a legal obligation, such as AML regulations requiring identity verification.
  2. Legitimate Interests (Article 6(1)(f)) – that processing is necessary for the legitimate interests of the firm or a third party, provided that these interests are not overridden by the rights and freedoms of the individual.

Meeting an Article 9 Condition

Since biometric data is special category data, solicitors must also satisfy at least one condition under Article 9(2). The most applicable conditions are:

    • Explicit Consent (Article 9(2)(a)) – The client must give clear and informed consent to the processing of their biometric data. This requires a transparent and accessible consent process, allowing clients to opt out.
    • Substantial Public Interest (Article 9(2)(g)) – The processing is necessary for reasons of substantial public interest, based on UK law. This could include compliance with AML legislation, but firms must ensure that such processing is proportionate and justified.

Additionally, Schedule 1 of the DPA 2018 provides further conditions relevant to processing biometric data, particularly in relation to preventing or detecting unlawful acts.

Risks and Challenges

Data Security Risks

Biometric data is inherently sensitive, as it is unique to individuals and, if compromised, cannot be changed like a password. A data breach involving biometric data could have severe consequences, including identity fraud and reputational damage. Solicitors must therefore implement stringent security measures to prevent unauthorised access, loss, or theft of biometric data.

Client Consent and Transparency

Even when relying on legal obligation as a lawful basis, transparency is crucial. Clients must be fully informed about how their biometric data will be used, stored, and protected. If relying on consent, firms must ensure it is freely given, specific, informed, and unambiguous, with the ability to withdraw consent at any time.

Proportionality and Necessity

Under the data minimisation principle of the UK GDPR, solicitors must ensure that biometric data collection is necessary and proportionate for AML purposes. If less intrusive methods, such as document verification, are sufficient to verify a client’s identity, firms should consider whether biometric data processing is truly justified.

Steps to Ensure Compliance and Avoid Breaches

Conducting a Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is required when processing biometric data, as it presents a high risk to individuals’ rights and freedoms. A DPIA should:

    • Identify the necessity and proportionality of processing biometric data for AML compliance.
    • Assess the risks to individuals’ rights.
    • Outline measures to mitigate potential risks.
    • Document the legal bases for processing under Articles 6 and 9 of the UK GDPR.

Implementing Strong Security Measures

To mitigate security risks, firms must:

    • Use encryption and pseudonymisation to protect biometric data.
    • Restrict access to biometric data to authorised personnel only.
    • Implement multi-factor authentication and secure storage systems.
    • Regularly review and update security protocols to address emerging threats.

Ensuring Data Subject Rights

Solicitors must facilitate individuals’ rights under the UK GDPR, including:

    • Right to be informed – Clients should receive clear privacy notices detailing how biometric data will be processed.
    • Right to access – Clients can request copies of their biometric data and information about its use.
    • Right to erasure – If consent is withdrawn or data is no longer necessary, firms must securely delete biometric data unless retention is justified under AML regulations.
    • Right to object – If firms rely on legitimate interests, clients must have the right to object to biometric data processing.

Ensuring Third-Party Compliance

If biometric data processing is outsourced to third-party providers (e.g., digital identity verification services), solicitors must conduct due diligence to ensure these providers comply with UK GDPR requirements. This includes:

    • Reviewing data processing agreements to ensure compliance with Article 28 of the UK GDPR.
    • Confirming that third parties implement appropriate security measures.
    • Ensuring that data transfers outside the UK comply with international data transfer safeguards.

Conclusion

The use of biometric data for AML client due diligence presents both opportunities and challenges for solicitors in the UK. While biometric technology enhances identity verification, its processing must comply with the stringent requirements of the UK GDPR and DPA 2018. Solicitors must identify a lawful basis for processing biometric data, conduct thorough DPIAs, implement robust security measures, and ensure transparency with clients.

Failure to adhere to data protection principles could result in regulatory action from the ICO, significant fines, and reputational damage. Therefore, legal professionals must take a proactive approach to compliance, balancing AML obligations with data protection responsibilities to maintain trust and integrity in the legal sector.

Subscribers to the Infolegal InfoHub will find an amended template privacy policy, revised template terms and conditions, sample Data Protection Impact Assessment questions for the firm to address, and a template Biometric Data Retention Policy for use within their practices.

If you would like to know more about this, or any of the other services offered by Infolegal, please contact us at enquiries@infolegal.co.uk.
