Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, it’s easy to see the appeal of biometrics. Fingerprint clocks can reduce “buddy punching”, face recognition can tighten physical security, and voice verification can speed up customer service.
But there’s a catch: biometric data is one of the highest-risk categories of data you can handle. That means complying with GDPR when using biometric data isn’t just a “nice to have” - it’s often the difference between a useful tool and a serious legal headache.
Below, we’ll walk through what counts as biometric data under UK GDPR, when it’s personal data (and when it becomes special category data), and the practical steps UK businesses should take to stay compliant.
What Is Biometric Data Under GDPR (And Why Does It Matter For Businesses)?
To understand your GDPR obligations around biometric data, you first need to know what “biometric data” actually means in the legal sense.
Under UK GDPR, biometric data is generally:
- Personal data resulting from specific technical processing,
- relating to a person’s physical, physiological, or behavioural characteristics,
- that allows (or confirms) unique identification of that person.
This definition matters because it’s not “anything to do with the human body”. It’s specifically about data used (or intended to be used) to identify someone uniquely.
Common Examples In A Small Business Setting
In practice, biometrics often shows up in workplaces and customer-facing environments. Common examples include:
- Fingerprint scans used for time and attendance (“clocking in”)
- Face recognition used for door access or CCTV-style identification
- Iris or retina scans used for high-security access control
- Voice recognition used to verify customers on calls
- Behavioural biometrics (eg typing patterns) used for fraud detection
It’s worth pausing here: the more your biometric system is used to identify a person (not just to measure something), the more likely you are to fall squarely within GDPR rules on biometric data.
Is Biometric Data Personal Data Under UK GDPR?
Yes - in most business scenarios, biometric data will be personal data because it relates to an identifiable person.
If you’re asking “is biometric data personal data?” the practical answer is usually: if it can be linked to an individual (directly or indirectly), treat it as personal data.
For example:
- If your time clock stores fingerprints or templates against an employee record, that’s personal data.
- If your access system uses face recognition tied to named staff profiles, that’s personal data.
- If your customer support team uses voice recognition linked to an account number, that’s personal data.
When Does Biometric Data Become “Special Category Data”?
This is the point many businesses miss: biometric data is not always “special category data”. It becomes special category data when it is processed for the purpose of uniquely identifying a person.
Special category data has stricter rules, and the default position is that processing is prohibited unless you meet a specific condition.
In simple terms:
- Biometric data (general) may be personal data.
- Biometric data used for unique identification is generally special category personal data under UK GDPR.
This is why GDPR compliance for biometric data tends to involve more paperwork and more careful decision-making than “standard” personal data like names and email addresses.
Common Business Uses Of Biometrics (And The Legal Traps To Watch For)
Biometrics can be legitimate, helpful, and lawful - but you want to be realistic about where businesses get caught out.
1) Fingerprint Time Clocks
Fingerprint “clocking in” is popular because it feels simple and reliable. But from a GDPR compliance perspective, this is often high risk because:
- it can involve special category data (unique identification),
- it’s used in an employment context (where consent is tricky), and
- there may be less intrusive alternatives (PIN, fob, app-based check-in).
If this is relevant to your setup, it’s worth reading about fingerprint clocking risks and compliance steps.
2) Workplace Monitoring And Security Tech
Biometrics often sits alongside cameras, access control, and monitoring tools. If you’re combining biometrics with surveillance, you should be careful about transparency, necessity, and staff communications.
For example, if you’re also using CCTV, you’ll want to consider whether cameras in the workplace are set up lawfully - because poor privacy practices can compound risk when biometrics is involved.
3) Customer Verification (Voice Or Face Recognition)
Some businesses use voice recognition to verify customers quickly, especially where fraud risk is high.
Key traps include:
- not being clear with customers that biometrics is being used,
- keeping biometric templates longer than needed, and
- outsourcing to a provider without proper GDPR contracts and due diligence.
4) Recording Calls And Using Voiceprints
Businesses sometimes record calls for training and quality assurance. Adding voice recognition (a biometric identifier) is a step up in risk and compliance complexity.
If you record calls at all, it’s smart to understand the ground rules around recording conversations, and then layer your biometric compliance on top.
What Does GDPR Require When You Use Biometric Data?
If your business processes biometric identifiers, your goal is to set up strong legal foundations from day one.
Here’s what GDPR compliance for biometric data usually involves in practical terms.
You Need A Lawful Basis (And Often A Separate Special Category Condition)
For most personal data processing, you need a lawful basis under UK GDPR (such as contract, legal obligation, legitimate interests, consent, etc.).
But if your biometric processing is special category (which it often is), you generally need two layers of justification:
- A lawful basis for processing personal data, and
- A special category condition that allows the processing of that sensitive data.
In an employment context, businesses often assume “consent” is the answer. But consent can be unreliable when there is an imbalance of power (like employer vs employee). That doesn’t mean you can never rely on consent - it means you should be cautious and get advice on the right basis for your specific setup.
You Must Be Transparent (Clear Notices, No Surprises)
People should not be surprised that you’re collecting biometric data. As a business, you should clearly explain:
- what biometric data you collect (eg fingerprint template, facial geometry, voiceprint),
- why you collect it (eg access control, timekeeping, fraud prevention),
- how long you keep it,
- who you share it with (including service providers), and
- what rights individuals have.
This is where a properly drafted Privacy Policy and internal notices can really matter, especially if you’re dealing with customers as well as staff.
You Must Follow The “Data Minimisation” Principle
UK GDPR expects you to collect only what you need and not use it for unrelated purposes. For biometric systems, that often means:
- use biometric data only where it is genuinely necessary (not just “because we can”),
- avoid storing raw images/audio if a template will do,
- avoid reusing biometric data across different systems unless you have a clear legal justification.
You Need Strong Security Measures
Biometric data is hard (or impossible) to change if compromised - you can reset a password, but you can’t reset a fingerprint.
That means you should take security seriously, including:
- encryption at rest and in transit,
- access controls and role-based permissions,
- secure vendor management and audits,
- incident response planning for a suspected data breach.
Many small businesses also forget the “people” side of security. If employees can access sensitive systems, your internal rules matter too - for example, having an Acceptable Use Policy can help set clear expectations around workplace tech and security behaviours.
A Practical Compliance Checklist For Small Businesses Using Biometrics
When you’re busy running a business, you don’t need legal theory - you need a workable plan.
Here’s a practical GDPR checklist for small businesses using biometric data that you can use to sense-check your approach.
1) Confirm What Biometric Data You’re Actually Processing
- Are you collecting raw biometric data (eg images/audio), or templates?
- Is the system used to uniquely identify a person?
- Does it link to names, payroll records, access logs, or HR files?
2) Check Whether You Have A Less Intrusive Alternative
If the same goal can be achieved with a swipe card, PIN, or app check-in, you should think carefully before defaulting to biometrics.
This question matters because “necessity” and “proportionality” are key themes in ICO guidance and GDPR decision-making. If biometrics is overkill, it can be harder to justify.
3) Choose Your Lawful Basis And Special Category Condition Carefully
- Document your lawful basis for processing.
- If special category data applies, document the condition you rely on.
- If you rely on consent, make sure it is freely given and can be withdrawn without punishment.
This is a good time to get tailored advice - choosing the wrong basis can undermine your entire compliance approach.
4) Do A DPIA (Data Protection Impact Assessment) Where Required
Biometric systems often involve higher-risk processing, so a DPIA may be required depending on your setup - for example, if you’re using biometrics for unique identification at scale, monitoring individuals, or deploying new technology in a way that could significantly impact people’s rights and freedoms.
A DPIA should cover:
- the purpose of the processing and whether biometrics is necessary,
- risks to individuals (misuse, breach, false matches, exclusion),
- controls and safeguards you’ll implement.
5) Put The Right Contracts In Place With Suppliers
If you use a biometric system provider (most businesses do), you’ll usually be sharing personal data with a “processor”. UK GDPR requires you to have a compliant written agreement in place.
In plain English: if your provider is handling biometric data for you, your contract needs to cover data protection obligations properly - not just pricing and service levels.
6) Update Policies And Employee Documents
If biometrics is used internally, you should ensure your staff documents reflect how your systems work in practice. Depending on your setup, that can include:
- HR privacy notices and onboarding materials
- Workplace policies about security and monitoring
- IT and device use rules
Biometrics can overlap with other monitoring practices too - so if your workplace has broader monitoring tools, it can help to understand the limits around monitoring internet history at work and ensure your approach stays proportionate and transparent.
7) Set A Retention Schedule (And Stick To It)
One of the easiest GDPR mistakes is keeping data “just in case”. For biometric identifiers, decide:
- how long you keep biometric templates,
- what happens when an employee leaves or a customer closes their account,
- how you securely delete or decommission biometric data.
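To show what “setting a retention schedule and sticking to it” looks like once it reaches your systems, here is an added illustration (not code from the article or from any supplier) of an automated retention check over biometric template records. The record fields, purpose names, retention periods (30 days after an employee leaves for time and attendance, 7 days for access control, a two-year re-enrolment cap) and the sample records are all constructed for the example; your own schedule should come from your DPIA and retention policy. Templates with no documented retention period are flagged for review rather than silently kept, and the audit log records that a deletion happened without retaining the biometric data itself.

```python
"""Retention schedule enforcement for biometric templates (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TemplateRecord:
    """One stored biometric template and the metadata needed to apply retention."""
    record_id: str
    subject_id: str                     # link to the HR or customer record
    purpose: str                        # documented purpose the template was enrolled for
    enrolled_on: date
    subject_left_on: Optional[date] = None  # employee left / account closed, if that has happened


# Assumed retention periods: days a template may be kept after the subject leaves.
RETENTION_AFTER_LEAVING_DAYS: Dict[str, int] = {
    "time_and_attendance": 30,
    "access_control": 7,
}
# Assumed hard cap from enrolment; beyond this the subject is re-enrolled rather than kept indefinitely.
MAX_TEMPLATE_AGE_DAYS = 730


def classify(record: TemplateRecord, today: date,
             retention: Dict[str, int] = RETENTION_AFTER_LEAVING_DAYS,
             max_age_days: int = MAX_TEMPLATE_AGE_DAYS) -> Tuple[str, str]:
    """Return (action, reason) where action is 'delete', 'review' or 'keep'."""
    if record.purpose not in retention:
        # A template with no documented retention period has no justified lifetime: escalate, don't guess.
        return "review", f"no documented retention period for purpose {record.purpose!r}"
    if record.subject_left_on is not None:
        deadline = record.subject_left_on + timedelta(days=retention[record.purpose])
        if today >= deadline:
            return "delete", f"subject left on {record.subject_left_on}; retention ended {deadline}"
    if (today - record.enrolled_on).days > max_age_days:
        return "delete", f"template older than {max_age_days} days; re-enrol if still needed"
    return "keep", "within retention schedule"


def retention_plan(records: List[TemplateRecord], today: date, **kwargs) -> Dict[str, List[Tuple[str, str]]]:
    """Group every record by the action the schedule requires."""
    plan: Dict[str, List[Tuple[str, str]]] = {"delete": [], "review": [], "keep": []}
    for record in records:
        action, reason = classify(record, today, **kwargs)
        plan[action].append((record.record_id, reason))
    return plan


def apply_plan(records: List[TemplateRecord], plan: Dict[str, List[Tuple[str, str]]],
               today: date) -> Tuple[List[TemplateRecord], List[Dict[str, str]]]:
    """Remove records marked for deletion and produce an audit log that holds no biometric data."""
    to_delete = {record_id for record_id, _ in plan["delete"]}
    remaining = [r for r in records if r.record_id not in to_delete]
    audit_log = [
        {"record_id": record_id, "deleted_on": today.isoformat(), "reason": reason}
        for record_id, reason in plan["delete"]
    ]
    return remaining, audit_log


# Constructed sample data: five templates checked on an assumed review date.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    TemplateRecord("t1", "emp-001", "time_and_attendance", date(2023, 1, 10), date(2024, 4, 1)),
    TemplateRecord("t2", "emp-002", "access_control", date(2024, 5, 20), date(2024, 5, 28)),
    TemplateRecord("t3", "emp-003", "time_and_attendance", date(2022, 1, 1)),
    TemplateRecord("t4", "cust-100", "fraud_prevention", date(2024, 1, 1)),
    TemplateRecord("t5", "emp-005", "access_control", date(2024, 1, 15)),
]

if __name__ == "__main__":
    plan = retention_plan(SAMPLE_RECORDS, TODAY)
    remaining, audit_log = apply_plan(SAMPLE_RECORDS, plan, TODAY)
    for action, entries in plan.items():
        for record_id, reason in entries:
            print(f"{action:6} {record_id}: {reason}")
    print(f"{len(remaining)} templates remain; {len(audit_log)} deletions logged")
```

Run on a schedule (for example nightly) against the template store, and feed the “review” list to whoever owns the retention policy: in this constructed data the fraud-prevention template has no documented retention period, which is exactly the “just in case” situation the checklist warns about. Keeping the audit log free of biometric data means the evidence that you deleted on time does not itself become special category data.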
8) Check Whether You Need An “Appropriate Policy Document” Under The Data Protection Act 2018
If you’re processing biometric data as special category data and relying on certain conditions (which often comes up in employment-related scenarios), you may also need to meet additional UK requirements under the Data Protection Act 2018 - including having an “appropriate policy document” in place, and keeping extra records.
Key Takeaways
- GDPR compliance for biometric data is usually higher-risk than standard personal data because biometric identifiers can be special category data when used for unique identification.
- If you’re wondering “is biometric data personal data?” - in most business contexts, yes, because it relates to identifiable individuals and is often linked to HR or customer accounts.
- Common small business uses include fingerprint time clocks, access control, face recognition, and voice verification - but you should consider whether a less intrusive alternative could work.
- To process biometric data lawfully, you typically need a lawful basis, transparency notices, strong security, and (often) a special category condition. Depending on the risk, you may also need a DPIA and (for some conditions) an appropriate policy document under the Data Protection Act 2018.
- Supplier contracts matter: if a third-party system provider processes biometric data for you, you’ll usually need GDPR-compliant processing terms in writing.
- Policies and communications aren’t optional - clear internal rules, privacy notices, and retention schedules help you stay compliant and reduce risk.
If you’d like help setting up your biometric data compliance (including reviewing your lawful basis, drafting privacy wording, or putting the right supplier terms in place), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.