Do a DPIA before you build, not after
A Data Protection Impact Assessment is required before deploying biometric recognition and is strongly advised where systematic monitoring occurs (e.g., around entrances). Do it early, while design choices are still open: document necessity, proportionality, risks, mitigations, and any less intrusive alternatives (e.g., cards/fobs instead of biometrics). A DPIA written after go-live can only describe the system you already bought; one written before can still change it. The ICO sets this out plainly in its biometric guidance.
Be transparent: privacy information and signage that people will actually see
Tell people what you’re doing in clear language at the point of capture: who controls the system, what’s collected, why, how long you keep it, how to exercise rights, and who to contact. If cameras are part of the door journey, the ICO’s surveillance guidance covers signage and privacy notice content; it’s a useful benchmark to keep notices concise and compliant.
For visitors, align reception and access control; don’t over-collect. The ICO’s own “Visitors to the office” example shows a proportionate approach (verify ID if needed; don’t routinely record document details; destroy personalised badges after the visit). Update your on-site privacy notice and website page accordingly. (See: Privacy Policy.)
Retention: set it, justify it, automate it
Keep access logs only as long as they are needed for security, investigations and compliance, then purge automatically. Avoid blanket "forever" retention. The ICO's surveillance guidance anchors this to the UK GDPR storage limitation principle: write the period into policy, configure the platform to enforce it, and log each deletion run so you can evidence it. Check that backups, exports and any SIEM copies of the same events are purged on the same schedule, and decide in advance how a live investigation or legal hold suspends deletion for the records it needs.
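The "configure it, enforce it, log deletions" step in working form, as an added example that is not the page's own code and not any access-control vendor's API. It assumes a plain SQLite table of access events with an ISO-8601 UTC timestamp, a hypothetical legal-hold table that exempts specific credentials from purging while an investigation is open, and a 90-day retention period (an assumed figure; use the one written into your policy). Each run records what it deleted and what it held back, which is the evidence an auditor will ask for.

```python
"""Automated retention purge for an access-control event log.

Added example, not the page's own code or any vendor's API. Assumes a
plain SQLite schema (constructed here for illustration); map the columns
to whatever your platform exposes for export or direct DB access.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # assumed policy value; the real figure belongs in your retention policy


def init_db(conn):
    """Create the assumed schema: events, legal holds and a deletion audit trail."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS access_events (
            id INTEGER PRIMARY KEY,
            event_time TEXT NOT NULL,      -- ISO-8601, UTC, so string order == time order
            door TEXT NOT NULL,
            credential_id TEXT NOT NULL,
            result TEXT NOT NULL
        );
        CREATE TABLE IF NOT EXISTS legal_holds (
            credential_id TEXT PRIMARY KEY,
            reason TEXT NOT NULL
        );
        CREATE TABLE IF NOT EXISTS deletion_audit (
            id INTEGER PRIMARY KEY,
            run_time TEXT NOT NULL,
            cutoff TEXT NOT NULL,
            deleted_count INTEGER NOT NULL,
            held_count INTEGER NOT NULL
        );
    """)


def purge_expired(conn, now=None, retention_days=RETENTION_DAYS):
    """Delete events older than the retention cutoff, skipping credentials on hold.

    Returns (deleted_count, held_count). The delete and the audit record are
    written in one transaction so a crash cannot purge without leaving evidence.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    with conn:  # single transaction: commit on success, roll back on error
        held = conn.execute(
            "SELECT COUNT(*) FROM access_events "
            "WHERE event_time < ? AND credential_id IN (SELECT credential_id FROM legal_holds)",
            (cutoff,),
        ).fetchone()[0]
        deleted = conn.execute(
            "DELETE FROM access_events "
            "WHERE event_time < ? AND credential_id NOT IN (SELECT credential_id FROM legal_holds)",
            (cutoff,),
        ).rowcount
        conn.execute(
            "INSERT INTO deletion_audit (run_time, cutoff, deleted_count, held_count) "
            "VALUES (?, ?, ?, ?)",
            (now.isoformat(), cutoff, deleted, held),
        )
    return deleted, held


def demo():
    """Run the purge against constructed sample data and report what happened."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable demo
    # Constructed sample events: one recent, one expired, one expired but under a hold.
    events = [
        ((now - timedelta(days=10)).isoformat(), "front-door", "card-001", "granted"),
        ((now - timedelta(days=120)).isoformat(), "server-room", "card-002", "denied"),
        ((now - timedelta(days=200)).isoformat(), "server-room", "card-003", "granted"),
    ]
    conn.executemany(
        "INSERT INTO access_events (event_time, door, credential_id, result) VALUES (?, ?, ?, ?)",
        events,
    )
    conn.execute("INSERT INTO legal_holds VALUES (?, ?)", ("card-003", "open investigation (assumed)"))
    deleted, held = purge_expired(conn, now=now)
    remaining = conn.execute("SELECT COUNT(*) FROM access_events").fetchone()[0]
    audit_rows = conn.execute("SELECT COUNT(*) FROM deletion_audit").fetchone()[0]
    return {"deleted": deleted, "held": held, "remaining": remaining, "audit_rows": audit_rows}


if __name__ == "__main__":
    print(demo())
```

Schedule `purge_expired` from cron or the platform's job runner, point it at the production database (or the export you pull from a cloud-managed platform), and apply the same cutoff to backups and any copies forwarded to a SIEM; the audit table is what you show when asked to prove the retention period is actually enforced.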
Security of processing: harden the platform and the network
Treat access control like any other critical system: role-based admin accounts, strong MFA for administrators, logs time-synced to a trusted NTP source so door events line up with CCTV and IT logs, encryption in transit and at rest, and controllers/gateways on segmented VLANs with their management interfaces reachable only from admin networks. If parts of your system are cloud-managed, align supplier due diligence and your configuration to the NCSC Cloud Security Principles (identity & authentication, secure service administration, audit for customers).
If you issue mobile credentials to staff phones, apply a sensible BYOD stance (screen lock, current OS, revoke on loss) and follow NCSC/ICO guidance on BYOD so your policies, controls and helpdesk processes are defensible.
Processors, contracts and international transfers
Your installer and platform vendor may act as processors. Put GDPR-compliant data processing terms in place (instructions, confidentiality, sub-processors, security, assistance with rights and breaches). If any personal data leaves the UK (e.g., cloud support or hosting), you need a valid transfer tool—typically the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs—plus a transfer risk assessment. The ICO’s transfer pages explain when a transfer is “restricted” and how to use IDTA/Addendum correctly.
Biometrics governance: proportionality, alternatives and template security
If you adopt biometrics, build proportionality into the design (e.g., reserve biometrics for higher-risk doors; use card+PIN elsewhere), offer a reasonable non-biometric alternative for those who can't or won't enrol, and store protected templates rather than raw images (delete enrolment images once the template is generated, and restrict who can read or export templates). ICO enforcement in 2024 against an employer using facial recognition and fingerprint scanning for attendance is a clear reminder: you must justify necessity over less intrusive options and provide alternatives.
Workers’ monitoring: set clear boundaries
Access control is for safety and security—not covert productivity monitoring. The ICO’s Monitoring at Work guidance expects organisations to consider fairness, transparency, impact on workers, and to avoid covert monitoring except in rare, exceptional circumstances. If you intend to reuse access data for HR monitoring, you’ll need a fresh assessment and very careful justification.