Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, biometric tech can sound like a simple win: faster clock-ins, fewer buddy-punching issues, tighter access control, and less admin.
But the legal side can be less straightforward than the sales pitch. In the UK, biometrics can count as special category personal data under UK GDPR where it’s used for uniquely identifying someone, which means you need to take extra steps before you collect, store, or use it.
One of the trickiest parts is getting consent right when using biometrics. Many businesses assume consent is the easy route. In reality, consent in workplaces and customer settings is often hard to do properly - and getting it wrong can create GDPR risk, employee relations problems, and potential regulatory action.
Below, we’ll walk through what biometric consent means in practice, when it works (and when it doesn’t), the key risks for small businesses, and a practical compliance checklist you can implement.
What Counts As Biometric Data (And Why It’s A Big Deal Under UK GDPR)
Under UK GDPR, biometric data generally refers to personal data resulting from technical processing that relates to someone’s physical, physiological, or behavioural characteristics, and that allows (or confirms) their unique identification.
Common examples in small businesses include:
- Fingerprint scanning for staff time and attendance or door access
- Facial recognition for entry systems or customer verification
- Voice recognition for call authentication
- Iris/retina scans (less common, but sometimes used for high-security access)
- Palm or vein scanning
The reason biometrics is treated more strictly is simple: if biometric data is compromised, you can’t “reset” your fingerprint in the way you can reset a password.
Importantly, biometric data is only treated as special category data under UK GDPR where it’s processed for the purpose of uniquely identifying someone. If you’re using biometric data in a way that doesn’t uniquely identify a person, different rules may apply - but you should still treat it as high-risk and take care with security and transparency.
From a practical perspective, if you’re using biometrics to uniquely identify people, you should assume you’ll need:
- A clear lawful basis under UK GDPR (Article 6), and
- An additional condition for processing special category data (Article 9), and
- Stronger safeguards (security, retention, transparency, vendor controls, and often a DPIA)
If you’re thinking about deploying workplace monitoring tools alongside biometrics, be careful not to treat it as “just another admin system”. Rules around monitoring can overlap with privacy obligations, and you’ll want your internal documentation and comms aligned (for example, an Acceptable Use Policy can be part of the bigger picture of setting expectations).
Do You Actually Need Biometric Consent To Use Biometrics In Your Business?
This is where many businesses get stuck. The short answer is: not always - but if you rely on consent, it needs to be done properly.
Under UK GDPR, you need a lawful basis for any personal data processing. If the biometric processing is used to uniquely identify someone, you’ll also need a special category condition.
Why “Consent” Sounds Easy (But Often Isn’t)
Consent is appealing because it feels straightforward: “we’ll just ask people to agree”. However, valid consent must be:
- Freely given (no pressure, no imbalance of power)
- Specific (clear, granular purpose)
- Informed (people understand what will happen to their data)
- Unambiguous (a clear affirmative action)
- Easy to withdraw (and withdrawal must not create unfair consequences)
In an employer–employee relationship, there’s often an imbalance of power. That can make “freely given” consent difficult to prove - especially if the employee feels they’ll be treated differently if they don’t agree.
So even if you collect signed forms, the consent may still be challenged if there isn’t a genuine choice.
Workplace Biometrics: Consent May Be The Wrong Tool
If you’re using biometrics for timekeeping or access control, you should be asking:
- Is this necessary, or is it just convenient?
- Do we have a non-biometric alternative that’s genuinely available?
- If someone refuses biometric processing, can they still do their job without being disadvantaged?
As a practical example, if you’re implementing fingerprint clocking for staff, that overlaps with broader employment compliance and data protection expectations. It’s worth reviewing the specific risk areas of biometric timekeeping systems (including transparency and alternatives) when assessing fingerprint clocking in your workplace.
Customer Biometrics: Consent Might Work, But Only With Real Choice
For customers (or members) - for example, using facial recognition for entry to a venue or voice verification for support calls - consent can sometimes be more realistic than in employment.
But you’ll still need to ensure:
- The customer has a meaningful alternative option (eg QR code entry, PIN, photo ID check)
- They’re not penalised for refusing biometric processing
- Your privacy information is clear and prominent at the point of collection
If refusing biometrics means they can’t access a service at all, you may struggle to show the consent was freely given.
GDPR Requirements For Biometric Consent (And The Other Legal Pieces You Can’t Ignore)
Even if you decide consent is appropriate, it’s only one part of the compliance puzzle. Here are the key legal requirements UK businesses should work through.
1) Identify Your Article 6 Lawful Basis
You need an Article 6 lawful basis for any personal data processing. Common bases businesses consider include:
- Consent
- Legitimate interests (requires a balancing test)
- Contract necessity (limited, and often not suitable for workplace biometrics)
- Legal obligation (rare for biometrics specifically)
Choosing the wrong lawful basis is a common compliance failure. It’s not just a “box-tick” - it affects what rights people have and what documentation you must maintain.
2) Meet An Article 9 Condition (Special Category Data)
If your biometric processing is used for unique identification, you’ll likely need an Article 9 condition as well. Two conditions businesses commonly look at are:
- Explicit consent (note: explicit consent is a higher standard than “normal” consent)
- Employment law / social security and social protection (this only applies in specific circumstances and, in the UK, generally requires you to meet conditions and safeguards set out in the Data Protection Act 2018)
Which one applies depends on what you’re doing, why you’re doing it, and whether there’s a genuine choice.
3) Do A DPIA (Data Protection Impact Assessment)
Biometrics is often high-risk processing, which is exactly when a DPIA is expected (particularly where you’re using biometrics to uniquely identify people, or deploying it at scale). A DPIA helps you document:
- The purpose and necessity of biometric processing
- What alternatives exist (and why you’re not using them)
- The risks to individuals (eg misuse, discrimination, security breaches)
- The controls you’ll put in place (eg encryption, access control, retention limits)
For a small business, the DPIA doesn’t need to be a 50-page legal memo - but it does need to be genuine, considered, and written down.
4) Update Your Privacy Information And Internal Policies
You’ll need to tell people what you’re doing with their biometric data in a clear, accessible way. This typically includes:
- What biometric data you collect (and what you don’t collect)
- Why you collect it and the lawful basis/Article 9 condition you rely on
- Who you share it with (including tech providers)
- How long you keep it
- How people can exercise their rights
For many businesses, this means reviewing (and often updating) your Privacy Policy, plus adding a specific biometric notice or section where appropriate.
If biometrics is used in a workplace context, you should also make sure your employment documents and policies are consistent. For example, an Employment Contract and staff handbook policies can help set expectations around security systems, attendance processes, and workplace conduct - but they won’t replace GDPR compliance.
5) Put The Right Vendor Contracts In Place
Many biometric systems are provided by third-party vendors (timekeeping platforms, access control providers, cloud hosting, etc). If your vendor processes biometric data on your behalf, you’ll typically need a GDPR-compliant data processing agreement and clear instructions around:
- Permitted processing activities
- Security controls
- Sub-processors
- International transfers (if data leaves the UK)
- Deletion/return of data at end of contract
If you’re building out your compliance foundations, a structured approach (policies + agreements + documentation) is often easier than trying to patch things later. This is where a packaged approach like a GDPR package can help bring everything together in a consistent way.
Key Risks For Small Businesses Using Biometric Data (And How To Reduce Them)
Biometrics can create risks that aren’t obvious at the “product demo” stage. Here are some of the main risk areas we see for small businesses, plus practical ways to reduce them.
Consent Challenges And Employee Relations
If staff feel they have no real choice, you can end up with:
- Complaints, grievances, or union concerns
- Higher risk of an ICO complaint
- Low trust in wider workplace monitoring measures
Practical step: Offer a genuine alternative (eg key fob, PIN, staff card) and document it in your DPIA and privacy information. Train managers not to pressure staff.
Security Breaches And High Harm Potential
Biometric data has a “high impact” profile. If it’s leaked or misused, the harm can be serious and long-lasting.
Practical step: Ask your vendor detailed questions about security. Aim for encryption in transit and at rest, strict access controls, audit logs, and strong deletion practices. Also make sure you have an incident plan that matches your risk level (a broader Data Protection Pack can be useful for documenting internal procedures and responsibilities).
Function Creep (Using Biometrics For More Than You First Intended)
A common compliance issue is “function creep” - you start with timekeeping, then later someone suggests using the same biometric data for performance management, location tracking, or disciplinary investigations.
Practical step: Lock down your purpose from day one. If you later change the purpose, reassess your lawful basis/Article 9 condition, update privacy information, and consider whether a new DPIA is needed.
Workplace Surveillance Overlap (CCTV, Monitoring, Audio)
Biometrics is often deployed alongside CCTV, door entry logs, and device monitoring. Each of those comes with its own compliance expectations, and together they can significantly increase privacy risk.
If you’re using CCTV, you’ll want to ensure you’re compliant with workplace rules and transparency requirements (including signage and policies) - see the practical considerations around CCTV in the workplace.
If you’re considering audio recording as part of “security”, be cautious. Audio is often more intrusive than video, and you’ll want to think carefully about necessity and notice - including the risks highlighted with CCTV with audio.
Getting The Retention Period Wrong
Keeping biometric data “just in case” is a common mistake. UK GDPR requires you to keep personal data only as long as necessary for the purpose you collected it for.
Practical step: Decide your retention rules upfront. For example:
- Delete biometric data promptly when a staff member leaves (unless there’s a documented reason to keep it briefly)
- Set review periods (eg every 6–12 months) to confirm the system is still necessary
- Make sure your vendor contract supports deletion in practice (not just in theory)
A Practical Compliance Checklist For Biometric Consent (Step-By-Step)
If you want an actionable plan, here’s a practical sequence that works well for many small businesses.
Step 1: Define The Purpose And Confirm You Really Need Biometrics
- What problem are you solving (time theft, site security, member access)?
- Is there a less intrusive solution?
- What’s the impact if someone refuses biometrics?
Step 2: Choose Your Lawful Basis And Article 9 Condition
- Confirm your Article 6 lawful basis
- Confirm your Article 9 condition (special category processing)
- If relying on consent, confirm how you’ll make it freely given and easy to withdraw
Step 3: Carry Out A DPIA
- Document risks and mitigation steps
- Record the alternatives you considered
- Decide who internally “owns” compliance for the system
Step 4: Implement “Consent Done Properly” (If Consent Is Your Route)
- Use a standalone consent form (not buried in a contract)
- Use clear wording (what data, what purpose, how long, who gets it)
- Offer a real alternative and explain it
- Explain how to withdraw consent and what happens next (eg swap to PIN entry)
- Keep records of consent (who, when, what they were told)
Step 5: Update Your Privacy Information And Internal Policies
- Update your Privacy Policy and/or add a biometric notice
- Implement a clear internal policy for managers and admin staff
- Train staff handling the system (especially HR and operations)
Step 6: Lock Down Vendor Risk
- Put a GDPR-compliant processing agreement in place
- Confirm where data is stored and whether any overseas transfers occur
- Confirm deletion processes (including backups)
- Check who can access biometric templates and under what controls
Step 7: Review And Audit
- Reassess every 6–12 months (or sooner if you change the system)
- Revisit your DPIA if you expand use cases
- Test withdrawal and deletion processes (don’t assume they work)
Key Takeaways
- Consent for biometric processing isn’t a “quick fix” for GDPR compliance - in many workplace settings, consent may not be considered freely given, so you need to think carefully about alternatives and fairness.
- Biometric data used for unique identification is typically special category data under UK GDPR, meaning you generally need both an Article 6 lawful basis and an Article 9 condition.
- A DPIA is often expected for biometric systems because the privacy risk profile is higher than standard personal data processing.
- To reduce risk, you should focus on data minimisation, strong security controls, clear retention rules, and transparent privacy information from day one.
- If you use third-party biometric providers, your vendor contracts and practical deletion/security processes are just as important as the consent form itself.
- Biometrics often overlaps with broader workplace monitoring concerns (like CCTV and access logs), so consistency across policies and communications matters.
If you’d like help setting up biometric consent processes, reviewing your GDPR compliance, or putting the right documents and policies in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.