GDPR and data protection laws:
Personal data privacy is protected by law. The General Data Protection Regulation (GDPR), while it applies to European (and UK) citizens, is similar to the laws of most countries, and it governs the storage, disclosure, responsible transmission of, and accountability for customer data. This includes photographs and their transmission. Failure to comply with these laws can result in penalties for your business.
+ What is the GDPR?
The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It applies to any organisation, within or outside the European Union, that processes such data. The personal data of EU citizens, including biometric data, is protected by this law.
+ How does the GDPR affect my company?
'Personal data' could be anything from a name to a photo, an email address, and so on. Data processing could be anything from obtaining, recording or holding the data to carrying out any action with it. Companies that do not comply with the GDPR could face sanctions of up to 4 percent of their global turnover or up to EUR 20 million. These rules apply regardless of where the operations are based, including New Zealand and Australia.
+ Is a Passport/Visa considered personal information?
By photographing and processing the passport/visa of an EU citizen, your operation is subject to the GDPR rules, because the images are personal data, as are email addresses and other customer details. While ID Passport Express uses biometric data to process the image, it does not store this data (which would give unambiguous identification of the subject) and as such avoids Article 4(14) of the GDPR. The collected and stored image and other data have to be protected from unauthorized access. For this reason, sending emails with these details is not recommended: a third party could access the customer's mailbox (or yours), or the email could be sent to the wrong address. (It may also require personal data outsourcing agreements with each of the email providers.) By collecting the data, you are responsible for its security.
+ What do you need to do to comply?
- The GDPR checker included in ID Passport Express v188.8.131.52 onwards lists the possible areas where you may be exposed to risk. Use it to set the number of days that customer data is stored before being automatically deleted, to restrict access, to anonymize statistical data, etc. Keeping the software up to date is essential to ensure that you are compliant with the latest rules.
- Consent must be obtained from a customer only when you want to use their data for purposes other than the performance of the agreement. For example, consent is necessary to use photographs in a portfolio or a publication. Communication via e-mail requires their consent, except when it is necessary to perform the agreement; in such cases, the e-mail address may be used for this purpose only. As the sender, you are responsible for breaches of the GDPR if the email is misused; because of this, you may want to consider Secure Cloud Storage.
- Use the Secure Cloud Storage service within ID Passport Express, which has been designed to ensure secure and GDPR-compliant delivery of digital biometric photographs to individuals. Secure Cloud Storage provides secured, coded transfer of photographs to a server located in the European Union. Customers access their photographs with a special code that is valid for a certain number of days, and they can remove the photographs from the server themselves.
- Decide how many days you wish to keep the customer's information, and set the system to automatically delete it after that period. A period of 3 days is a safe option. Keep in mind that you are responsible for the data you have collected and must provide safe and secure protection of this data.
- It is recommended to create a personal data processing policy that describes the rules for processing personal data in your company. This policy should include document templates (such as consents obtained, information sent to persons whose data was processed, and authorizations) and principles for acting on requests or questions raised by customers.