Compliance

GDPR and Biometric Data Compliance for UK Employers: What You Need to Know

1 April 2026·8 min read

Face recognition time tracking is one of the most accurate and efficient ways to manage employee attendance — but it also puts you in direct contact with some of the most tightly regulated data in UK law. Before you deploy any biometric system, understanding your obligations under the UK GDPR and the Data Protection Act 2018 is not optional. This guide explains what the law requires, what the risks are, and how to implement biometric time tracking in a way that is both compliant and defensible.


What Makes Biometric Data Special Under UK Law?

The UK GDPR, which retained the EU GDPR framework after Brexit and is enforced by the Information Commissioner's Office (ICO), treats biometric data as special category data under Article 9, alongside health data, religious beliefs and racial or ethnic origin.

The definition matters: biometric data qualifies as special category only when it is processed for the purpose of uniquely identifying a natural person. Face recognition used for time and attendance absolutely meets this threshold — the entire point of the system is to identify who clocked in and when.

Processing special category data is prohibited by default (Article 9(1)). To lift that prohibition you need two things: an ordinary lawful basis under Article 6 (for employee time records this is usually a legal obligation or the employment contract) and, separately, one of the Article 9(2) conditions discussed next. Having only one of the two is not enough.


What Legal Basis Can Employers Use?

For employment contexts, the most relevant conditions under Article 9(2) are:

Explicit consent (Article 9(2)(a)) The employee must give a clear, freely given, specific, informed, and unambiguous statement of agreement. Critically, consent cannot be a condition of employment — if an employee refuses and faces dismissal or disadvantage as a result, the consent was never truly free. In practice, this makes consent a fragile basis for employee data processing.

Substantial public interest (Article 9(2)(g)) This applies in narrow circumstances — typically for public sector bodies, safeguarding, or fraud prevention. It is unlikely to apply to most private-sector time tracking deployments.

Employment law obligations (Article 9(2)(b), given effect by Schedule 1, Part 1, paragraph 1 of the DPA 2018) This is the most practical route for most employers. It allows processing of special category data that is necessary for performing or exercising obligations or rights imposed or conferred by law on the employer or employee in connection with employment.

If you are required by law to keep records of working time, as most employers are under regulation 9 of the Working Time Regulations 1998, this provides a foundation. Two caveats apply. First, the condition requires that the biometric processing is necessary for the obligation, not merely convenient: the regulations require adequate records, not facial recognition, so you must be able to show why a less intrusive method such as a PIN or card would not do. Second, you must have an Appropriate Policy Document in place (Schedule 1, Part 4, paragraph 39) before you start, setting out your procedures for compliance.


What Is an Appropriate Policy Document?

An Appropriate Policy Document (APD) is required under Schedule 1, Part 4 of the DPA 2018 whenever you rely on a Schedule 1 condition that calls for one, and the employment condition does. It must:

  • Identify which Schedule 1 condition(s) you are relying on
  • Explain your procedures for securing compliance with the data protection principles
  • Explain your retention and erasure policies for the data
  • Be retained for six months after the processing ends, reviewed and updated from time to time, and made available to the ICO on request (Schedule 1, paragraph 40)

This is a distinct document from your general privacy policy, though the two should be consistent. If you are audited by the ICO or face a data subject complaint, the APD will be one of the first things requested.


Your Key Obligations as a Biometric Data Controller

Beyond the lawful basis, processing biometric data triggers a set of specific obligations:

1. Data Protection Impact Assessment (DPIA)

Under Article 35 UK GDPR, a DPIA is required before any processing likely to result in a high risk to individuals, and the ICO lists processing biometric data to uniquely identify someone as a case where a DPIA is mandatory. A DPIA is a structured risk assessment that documents:

  • What data you collect and why
  • Who has access to it
  • The risks to data subjects
  • The measures you have taken to mitigate those risks

If the DPIA leaves a high residual risk that you cannot reduce, you must consult the ICO under Article 36 before you begin. The DPIA is also not a one-time exercise: if your processing changes materially (for example, you start storing a facial image at every clock-in rather than only a template), revisit it.

2. Transparency and Privacy Notices

Employees must be told, in clear language, that biometric data is being collected, why, how long it will be retained, and what their rights are. This means updating your employee privacy notice and ensuring it is provided before biometric data is collected — not buried in an employment contract or handed out on day one.

3. Data Minimisation

Only collect what is strictly necessary. A well-designed face recognition system stores a mathematical representation of facial geometry, a template, rather than the underlying photograph. Be clear, though, that a template is still biometric data under Article 9: it is derived from a face for the sole purpose of identifying a person, so storing templates instead of images reduces what is exposed in a breach but does not take the processing out of scope. If your use case does not require the actual images, do not store them. If you use the optional "take a photo at every clock-in" feature, justify it in your DPIA and disclose it in your privacy notice.

4. Retention and Erasure

You must not keep biometric data longer than necessary. Define a retention period, typically the duration of employment plus a short period for any payroll disputes, and enforce it technically rather than by a manual reminder. When an employee leaves, their template should be deleted, not merely archived or disabled, and the deletion must reach every copy: the central database, any backup or export, and the cache on each tablet they were enrolled on. Record the fact of the deletion (who, when, why) without keeping the template itself.
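The retention step above, as an added example that is not Punch-In's code and not anything the page describes: a small Python job that finds leavers whose retention period has expired, hard-deletes their template from every table it is held in, and writes an audit entry that contains no biometric data. The record layout, the two-table store, the 90-day retention figure, the legal-hold flag and the sample employees are all assumptions made for the example.

```python
# Added example (not Punch-In's code): a scheduled retention job for
# biometric templates. Store layout, field names, the 90-day retention
# period and the legal_hold flag are assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class TemplateRecord:
    employee_id: str
    template: bytes                  # the facial template, the only biometric payload held
    left_on: Optional[date] = None   # None while still employed
    legal_hold: bool = False         # assumed flag, e.g. an open payroll dispute


@dataclass
class TemplateStore:
    """Assumed layout: an active table plus an 'archive' table that a naive
    offboarding process might move leavers into. Erasure must clear both."""
    active: dict[str, TemplateRecord] = field(default_factory=dict)
    archive: dict[str, TemplateRecord] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)


def due_for_erasure(store: TemplateStore, today: date, retention: timedelta) -> list[str]:
    """Employee ids whose retention period (last day + retention) has expired.

    Current employees (left_on is None) are never due. Records under legal
    hold are skipped here; a real job would report them for manual review.
    """
    due = set()
    for rec in list(store.active.values()) + list(store.archive.values()):
        if rec.left_on is None or rec.legal_hold:
            continue
        if rec.left_on + retention <= today:
            due.add(rec.employee_id)
    return sorted(due)


def erase_templates(store: TemplateStore, employee_ids: list[str], today: date) -> list[str]:
    """Hard-delete the template from every table and write an audit entry
    that records the erasure without retaining any biometric data."""
    erased = []
    for emp in employee_ids:
        removed = False
        for table in (store.active, store.archive):
            if table.pop(emp, None) is not None:
                removed = True
        if removed:
            # The audit entry deliberately holds no template bytes: it proves
            # the deletion happened without re-creating the data it removed.
            store.audit_log.append({
                "employee_id": emp,
                "erased_on": today.isoformat(),
                "reason": "retention period expired",
            })
            erased.append(emp)
    return erased


def run_retention_job(store: TemplateStore, today: date,
                      retention: timedelta = timedelta(days=90)) -> list[str]:
    """One scheduled run: find expired records and erase them. Safe to re-run."""
    return erase_templates(store, due_for_erasure(store, today, retention), today)


def verify_erased(store: TemplateStore, employee_id: str) -> bool:
    """Post-run check a DPIA reviewer can ask for: no table still holds the template."""
    return employee_id not in store.active and employee_id not in store.archive


def build_sample_store(today: date) -> TemplateStore:
    """Constructed sample data (not real employees or real templates)."""
    store = TemplateStore()
    store.active["alice"] = TemplateRecord("alice", b"t-alice")  # still employed
    store.active["bob"] = TemplateRecord("bob", b"t-bob", left_on=today - timedelta(days=100))
    store.active["carol"] = TemplateRecord("carol", b"t-carol", left_on=today - timedelta(days=30))
    store.active["dave"] = TemplateRecord("dave", b"t-dave", left_on=today - timedelta(days=200),
                                          legal_hold=True)
    store.archive["eve"] = TemplateRecord("eve", b"t-eve", left_on=today - timedelta(days=120))
    return store


if __name__ == "__main__":
    today = date(2026, 4, 1)
    store = build_sample_store(today)
    print("erased:", run_retention_job(store, today))  # ['bob', 'eve']
    print("still held:", sorted(store.active), sorted(store.archive))
    print("audit:", store.audit_log)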

5. Data Subject Rights

Employees have the right to:

  • Access the data you hold about them (Subject Access Request)
  • Rectification if data is inaccurate
  • Erasure in some circumstances (the "right to be forgotten")
  • Object to processing

You should have documented procedures for handling each of these, with response timescales (generally one month under UK GDPR).

6. Data Breach Notification

If your biometric data is subject to a breach, whether through a cyber attack, accidental disclosure, or loss of a device containing templates, you must notify the ICO within 72 hours of becoming aware of it if the breach is likely to result in a risk to individuals, and tell the affected employees without undue delay if that risk is high (Article 34). Biometric breaches almost always meet these thresholds: unlike a password or access card, a face cannot be reissued, so a leaked template is a permanent exposure. Keep a record of every breach, including those you decide not to report, and the reasoning behind the decision.


What About the Android App and Data Storage?

If you are using a tablet-based face recognition system, consider where data is processed and stored:

  • On-device processing (where the recognition happens on the tablet) is generally lower risk than cloud-side processing, because the captured image is compared locally and only the result, a match or no match for a given employee, is transmitted. The trade-off is that the enrolled templates then live on the tablet, so the device itself must be protected: storage encryption, a locked-down kiosk configuration, and the ability to wipe it remotely if it is lost or stolen.
  • Cloud-stored templates must be encrypted at rest and in transit, held in the UK or in a country covered by UK adequacy regulations (or transferred under appropriate safeguards such as the ICO's International Data Transfer Agreement), and subject to access controls that limit who can read or export them, with those accesses logged.
  • Third-party processors (including your software provider) must be bound by a data processing agreement under Article 28 UK GDPR (this "DPA" is unrelated to the Data Protection Act). Before deploying any attendance system, obtain a signed agreement from your vendor and establish exactly what data they access, where they store it, which sub-processors they use, and how they handle deletion requests and breaches.

A Practical Compliance Checklist

Use this as a starting point — it does not constitute legal advice, and you should engage a data protection professional for your specific circumstances:

  • Identified an Article 6 lawful basis and an Article 9(2) condition for processing biometric data
  • Completed a Data Protection Impact Assessment (DPIA)
  • Prepared an Appropriate Policy Document (if relying on a Schedule 1 condition)
  • Updated employee privacy notices to cover biometric data
  • Obtained a Data Processing Agreement from your software vendor
  • Defined retention periods and automated deletion processes
  • Established procedures for Subject Access Requests and other data subject rights
  • Documented your breach response procedure
  • Trained relevant staff on biometric data handling

The ICO's Position

The ICO has published guidance on biometric data in the workplace and has taken an increasingly active stance on employer use of biometric systems. Their position is that biometric time and attendance systems are lawful when properly implemented, but they expect organisations to demonstrate that the use of biometric data is necessary and proportionate — not merely convenient.

If less privacy-intrusive alternatives (such as PIN-based or card-based clocking) would achieve the same result with equivalent accuracy and security, you should be prepared to justify why biometric identification was chosen instead.


How Punch-In Supports Compliance

Punch-In is designed with these obligations in mind. Each customer environment runs on a segregated, private infrastructure — your data is never commingled with another organisation's. Biometric templates are stored securely in the cloud with encryption in transit and at rest. We provide a Data Processing Agreement on request and can support you in completing your DPIA with documentation of our data handling practices.

For questions about our data processing arrangements, contact our team at punch-in.co.uk.


This article is for general informational purposes and does not constitute legal advice. If you are uncertain about your compliance obligations, consult a qualified data protection solicitor or a registered Data Protection Officer.