In recent weeks, the prestigious firm ARPA Lawyers Consultants, with more than 30 years of experience in legal, economic, tax, and consulting advice, on behalf of Veridas, has completed a Data Protection Impact Assessment (DPIA) for our voice biometrics solution.
The results were as expected: the solution passed the DPIA, which confirms that the solution as such is secure and allows the processing of voice biometric data with full guarantees.
This, while limited in scope (more on why later), is nonetheless a tool that provides value, utility, and security for our customers and us. Any company wishing to implement biometric solutions, in this case, voice biometrics, and therefore needing to pass a Data Protection Impact Assessment, will have much of the work done if they choose a leading voice biometrics solution such as Veridas.
This assessment is part of Veridas’ explicit and ongoing commitment to data protection, rigorous compliance, transparency, and auditability. Our solutions are private by design and default; this is another example.
What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment is an essential tool to certify compliance with Data Protection regulations. In the European Union, it is defined in Articles 35 and following of the General Data Protection Regulation (GDPR) and complemented by some of its Recitals, as well as by state-level regulations such as the Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).
What is the difference between an Impact Assessment and a Risk Analysis?
An Impact Assessment should not be confused with a Risk Analysis. As a matter of principle, before starting any activity involving the processing of personal data, it is necessary to carry out what is known as a Risk Analysis, which, in short, is a specific study of the measures to be applied to guarantee, within the limits of the state of the art, maximum data security.
In contrast, the Data Protection Impact Assessment involves a more in-depth analysis of the security conditions that make up a processing operation or set of personal data processing operations and the degree of compliance with the applicable regulations. It even becomes mandatory when processing may generate a high risk to personal data.
In practice, a Risk Analysis is always necessary and will, in turn, form part of the Data Protection Impact Assessment when one is carried out.
Veridas' Impact Assessment for its Voice Biometric Authentication Solution
In the case of Veridas, the Risk Analysis it carried out for its solutions showed that, according to the criteria established by the Spanish Data Protection Agency (AEPD), the use of the solution does not necessarily imply a high risk to the rights of individuals, so in this case it was not necessary to carry out a DPIA. In any case, each Data Controller must analyze, before implementing the processing, whether or not the use of this solution in its specific use case requires an Impact Assessment.
At Veridas, we decided to carry out a DPIA for our voice biometrics solution voluntarily, with the conviction that it is appropriate to provide it with more transparency. This decision has been part of the company’s commitment to be at the forefront of the reliability and transparency of all its biometric solutions.
In this Data Protection Impact Assessment, we have analyzed the degree of compliance of our voice biometrics solution with Data Protection regulations, from which we derive several conclusions:
The importance of context in order to determine the scope
First of all, our voice biometrics solution is designed to be integrated into a third-party system, so the scope of the Impact Assessment we have performed is, in itself, limited. In other words, in real-use situations, the solution will be part of a more extensive system, with the controls, security measures, and procedures determined by our customers. Therefore, as mentioned above, the specific use case will determine whether or not a Data Protection Impact Assessment of the entire system is necessary.
Veridas as a data processor and not a controller
On the other hand, it is also important to remember that Veridas acts as a Data Processor when providing its services and licensing its solutions. This implies that, in relation to the above, if a specific processing operation of a client requires, due to its characteristics, a DPIA, the obligation falls on the client as Data Controller. In this sense, the Data Protection Impact Assessment carried out by Veridas may support that work, but given its limited scope, it cannot replace a full Impact Assessment.
Veridas voice biometrics complies with all legal requirements
In essence, the Data Protection Impact Assessment carried out determines that Veridas’ voice biometrics solution “complies with the legally enforceable requirements and also with the guarantees required by the Spanish Data Protection Agency” considering, therefore, that the processing of personal data is adequate for the purpose for which it is intended.
In this sense, the Assessment highlights the importance of Veridas’ clients analyzing the need to carry out a DPIA according to their specific use case and, if one must be carried out, doing so for “the whole of the service to be provided to the user,” of which Veridas’ solution is only a part.
It is also relevant to highlight the reference to the controls that Veridas has implemented, from ISO 27001 and certification under the National Security Scheme to voluntary evaluations at the National Institute of Standards and Technology, NIST (with results typical of a leading solution in the market) and second position in the ranking of the Short-duration Speaker Verification Challenge 2020, as well as the rest of the controls at a technical and organizational level, “which are considered adequate for the data processing to be carried out.”
This recent achievement adds to many others in the line of transparency and certification, such as having become a pioneer in complying with the ethical principles of our AI or remaining at the top of the NIST evaluations, both for facial biometrics and voice biometrics.