Biometrics: the Stumbling Block of GDPR Compliance?

This May we celebrated one year since GDPR came into effect. Designed to protect consumer privacy and keep businesses accountable, this pan-European regulation has drastically changed the way personal data is being used, necessitating great changes for most businesses to remain compliant. At the same time, organisations have come under increased pressure to protect their security perimeter from rapidly multiplying cyber threats.

Some companies are already replacing simple, easy-to-guess passwords with ‘strong’ two-factor authentication ahead of the new EU Payment Services Directive (PSD2) regulation, coming into force on 14th September 2019. Many cutting-edge businesses go even further, deploying facial recognition, fingerprint and voice biometrics as part of their customer service, enabling frictionless, fast and secure authentication.

In reality, not all biometric authentication systems are created equal. It is possible to ‘clone’ someone’s fingerprint to break into their device or account. High-resolution images have been known to trick facial recognition. Several controversies have plagued the technology itself, with San Francisco banning facial recognition outright. In light of these weaknesses, the most reliable and practical way to authenticate users could well be voice biometrics – helping companies remain GDPR-compliant and continue keeping customers’ and employees’ personal data secure.

Yet voice-driven customer services, whether used for customer authentication or simple information-sharing, still remain an ‘elephant in the room’ for many businesses, exposing them to business risks – unless they are able to successfully deploy AI-led voice recognition and intelligence tools to ensure their ongoing GDPR compliance. It is increasingly important that voice verification happens ‘live’ throughout the conversation, safeguarding against any change of circumstances – or people – on the other side of the line. With voice biometrics, there’s no need for the user to share any personal or confidential data to be authenticated, making the process GDPR-compliant by design.

Another important point to consider is that whenever a customer calls a business, large quantities of personal data are being collected. We willingly and often share our credit card details in order to secure a restaurant booking. We discuss our health and symptoms to reschedule a doctor’s appointment. We still provide responses to “Know Your Customer” (KYC) questions to prove our identity before accessing telephone banking. However, we don’t know how this information is being stored and used the minute we hang up. Under GDPR, consumers have the right to know. And businesses are responsible for ensuring that all personal customer information is protected.

This is where voice technology comes in. Powered by AI, it allows for sensitive information, such as credit card details, to be collected automatically and securely, and to be instantly verified – all outside of the main call agent-customer conversation. Voice-to-text solutions, for example, can immediately take a phone call and convert it into an easily searchable digital form with personal customer information ‘blacked out’ via a process of ‘data redaction’. This means businesses enjoy an extra layer of protection in case of any hacks or data leaks, while users have more confidence in the ability of an organisation to keep their personal data secure. And perhaps most importantly, speech analytics can be used to demonstrate compliance with GDPR, a crucial aspect of the regulation.

Being an area of potential non-compliance for many businesses, voice-led customer services will only grow in value and volume. The speech and voice recognition market was valued at $5.15bn in 2016 when GDPR was first adopted by the EU and is expected to reach $18.30bn by 2023. Over 50% of analytic queries generated next year are expected to be voice-led, according to Gartner. If UK businesses want to remain GDPR compliant while enabling growth and improving customer experience, they have to focus on securing voice-driven communications – and authentication – first.


Written by Piergiorgio Vittori, Global Development Director at Spitch
