Note: This blog post was originally published on 22 June 2023 and has been updated to reflect the current state of the regulatory environment.
The issues involved with the handling of customer data are of paramount importance in today’s digital landscape. Organisations must navigate a delicate balance between using customer data for business purposes and respecting individuals’ privacy rights—or else risk significant financial and reputational harm.
Among the sundry items a business must take into account are obtaining informed consent for processing of biometrics, being transparent about data collection and usage practices, implementing robust security measures to protect customer data, and providing individuals with control over their own data.
Understanding the different states of data is crucial for maintaining its security and integrity. We can categorise data into three distinct states: data at rest, data in transit, and data in use. Each state represents a unique phase in the lifecycle of information, with its own set of considerations and risks. By understanding these states, companies can effectively implement measures to safeguard data throughout its journey.
This 3-part blog series will delve into each state within the context of the identity verification (IDV) industry. We will cover the privacy, regulatory, and ethical questions to ask about:
Data at rest:
– How long the IDV provider retains data
Data in transit:
– The legality of international transfers of data that the IDV provider makes
Data in use:
– How the IDV provider trained its AI
– How the IDV provider uses data after completing the identity check for you
– The BIPA risk
– Common GDPR errors
Having to change IDV vendors after implementation can cost serious time and money. Make the right choice the first time around and buy from a supplier who respects data privacy and ethics at every stage.
Safeguarding your customers’ data
Responsible data retention—in other words, properly handling data at rest—involves appropriate technical and organisational processes to keep it safe. For example using encryption, limiting access, and use of technical tools such as firewalls and intrusion detection systems. But this is not a blog on IT security.
By far the best policy is to only hold on to customer data for as long as necessary and securely disposing of it when no longer needed. The days of storing data for the sake of it should be long gone, yet time and again we hear of organisations keeping data around with no justification.
If your organisation has to keep data then it should consider whether data anonymisation and aggregation can be used to minimise risks associated with data breaches or unauthorised access.
Each company should have an active data management plan which assesses all the data held by the organisation, including by its suppliers, and determines whether that data needs to be held still, where it is stored, and in what state it is stored (encrypted, anonymised, or other). Ultimately, ethical data retention practices foster trust, accountability, and respect for individuals’ privacy rights in the digital ecosystem.
It all comes back to you
Let’s tie these insights back to IDV. As the buyer and de jure data controller of an IDV solution, your organisation, at the end of the day, is the party that’s legally responsible for adhering to data retention standards and regulations.
To reiterate: even if your data is held by a third party, it is you who would be on the hook for damages related to thefts or breaches. So if your IDV provider gets it wrong and is storing your customer data for longer than it should do, it will be your responsibility if anything goes wrong.
The regulators’ perspective
In the EU and the UK, regulators tend to look closely at retention periods, so you need to justify them. Saying you are keeping data in case you need it in the future is not good enough. This approach is being adopted by regulators elsewhere as they become wise to some historic poor practices of companies which have been storing data for much longer than necessary.
There is sometimes a conflict between financial services regulations, which often mandate record keeping periods, and laws and good privacy practice that strongly encourages deletion.
Typically, the trick is to look at the wording of the financial regulations carefully; they mandate the keeping of “records,” but records of an IDV transactions does not have to include the biometrics or even photos of the customer in question from each IDV transaction, just validation that the IDV was performed.
Questions to ask your IDV provider:
- Does your platform allow us to set automated data deletion or redaction rules?
- What is the shortest period that we can set?
- How long is the data retained in your engines themselves? (Data is often held in engines separately to the main platform.)
- What is your data deletion policy for Illinois residents, including any backups?
- Can you prove that you do delete when you say you do?
- Can we delete all biometric and photo data from the records you keep for us?
- Is data held in backup, and for how long? (In order for an organisation to recover data and the results of checks in the event of a severe incident, the organisation will need to make copies of data into backup. Typically the data resides in backup for a set period, say 30 or 60 days. When you delete data from the main platform, the backup data will not usually be deleted. So you need to ask how long that backup retention period is. The risk of storing data in backup is much lower because the backup data cannot be accessed via the platform, which from a security perspective is normally the weakest link, but you still need to ask the questions.)
- Is data held in your training database? If so, for how long?
About the post:
Images are generative AI-created. Prompt: Three little pigs, one sleeping, one running, one working on laptop. Tools: Craiyon (fka DALL-E Mini), ChatGPT.
About the author:
Peter Violaris is Global Data Protection Officer and Head of Legal EMEA and APAC for IDVerse. Peter is a commercial technology lawyer with a particular focus on biometrics, privacy, and AI learning. Peter has been in the identity space for 7 years and before that worked for London law firms.
