Privacy has become a worldwide concern as citizens worry about the safety of personal information stored in databases owned and controlled by private and public organizations.

Recent database hacks that compromised personal information about millions of people have only heightened that anxiety. Names, addresses, phone numbers, birthdates, passwords, and other sensitive information are sold on the Internet. Many people have lost faith in the way their data is collected and protected.

The European Union addressed these concerns with May 2018’s General Data Protection Regulation (GDPR) enforcement deadline. While GDPR is EU-centric, its impacts are global. All organizations must follow the regulations for controlling or processing personal data about any EU citizen.

GDPR places substantial constraints on what were largely uncontrolled data-collection practices. EU consumers can now protect their privacy and control how their data is collected and used by opting in, not out, of a company’s policies. An organization’s failure to comply can result in penalties of up to €20 million or 4 percent of a company’s annual global revenue, whichever is greater.

GDPR’s basic concepts are simple enough; citizens have a right to know the information being collected about them, understand how it is used, and be provided with a simple way to delete their data at any time.

GDPR defines personal data as any information related to an identifiable person. That might include a person’s name, home and email addresses, passwords, birthdate, driver’s license number, gender, race, political affiliations, and other categories, such as security-related data and video.

While the security industry was not the prime target of the regulations, GDPR limits how organizations use and collect video surveillance and access control data. The rules consider video to be the personal data of those seen in live or recorded images. Access control databases contain personal information about employees, as well as that of contractors and visitors who share information about themselves in exchange for a temporary pass.

GDPR requires cybersecurity controls ensuring that access to security-related data is available only to those authorized to view it. Typically, passwords have protected databases. But even the strongest password can be shared with anyone.

A data processor may add workstation card readers or keypads to create a second layer of authentication. Again, cards and personal identification numbers are no guarantee the person accessing files is authorized to do so.

Biometrics. GDPR requires active consent and represents a choice made by the consumer. Biometric identification can play an integral role in providing an active real-time choice for granting the sharing of data.

Biometrics measure physical characteristics, such as iris patterns, fingerprints, or facial features—something only the owner can possess. Two-factor authentication is possible by combining biometric and access card readers or keypads at computers storing personal data. Passwords become virtually obsolete. Database information remains private, accessible only to authorized viewers.

Biometric technologies are now commonplace. They are embedded into most smartphones. Biometrics are used for access control, time and attendance, border crossings, national ID cards, voter registration, and more. Biometric readers can also authenticate consumers registering for websites or making purchases on the Internet.

GDPR is a driver to change old, inefficient business data protection, privacy, and availability practices.

Mohammed Murad is vice president, global development, at Iris ID.