OneTrust_Square Banner_300x250_DD_ROS_01_19

By Jay Cline, CIPP

If you walk into a test center in Europe to take the Graduate Management Admission Test (GMAT), chances are you'll need to scan one of your palms to get in. Used by the Graduate Management Admission Council (GMAC)--publisher of the GMAT--to combat various types of exam fraud, palm vein recognition has been proven to be one of the most accurate and least intrusive forms of biometric authentication. But without GMAC's pioneering efforts to work with EU regulators, palm-vein recognition would still be science fiction for most Europeans.

"It's just not part of European culture," Allen Brandt, CIPP, GMAC corporate counsel and chief privacy official and IAPP board member, told Inside 1to1: Privacy, "Even the bar exam in Italy doesn't collect fingerprints."

Who is GMAC?  Based in Reston, Virginia, the 125 employees of this nonprofit serve 265,000 test-takers each year. These students seek admission to 1,900 graduate schools in 111 countries, including many of the leading universities in Europe and throughout the world. The GMAT's 50-year track record of predicting who will be most successful in graduate school has helped make it the most globally recognized entrance exam.

It was the global dataflows of the GMAT that put the nonprofit on a course leading to the European data protection authorities (DPAs). When Brandt joined GMAC in early 2006, the organization had just transitioned its test delivery to Minneapolis, Minnesota-based Pearson VUE, which operates more than 5,000 test centers in over 165 countries. During the transition, GMAC conducted a privacy impact assessment (PIA) on the GMAT.

According to Brandt, GMAC's PIA process is part of its "privacy by design" approach of incorporating privacy into every new GMAC initiative. "We've moved to an all-opt-in regime for all of our services," Brandt said.

The GMAT PIA told GMAC that it needed to register its exam data practices with 27 EU member state DPAs. Brandt soon found that this was a complex undertaking, varying from country to country. "The UK provided a simple online form," he explained, "but we had to wait for the CNIL (France's DPA) to vote on our in-depth submission."

GMAC obtained all of its necessary approvals for the GMAT exam 30 months after beginning. "We had no problems beginning to test anywhere," Brandt said. But that was the easy part.

At the same time GMAC began registering the GMAT with EU DPAs, it decided to pursue a separate approval path for its sponsorship of biometrics in Pearson VUE test centers. Brandt explained that GMAC calculated that its collection of photographs and fingerprints--Pearson VUE's biometric approach at the time--could require more explaining and follow a longer approval process.

A turning point took place at a January 2007 meeting in London with Phil Jones of the UK Information Commissioner's Office. Along with GMAC representatives were Mark Poole of Pearson VUE and Eduardo Ustaran, partner at London-based Field Fisher Waterhouse. Jones recommended that in order to get broad approval for biometric use, GMAC should deploy a method that captures a biometric imprint that is unique to Pearson VUE and that properly accommodates European concerns about data protection. EU DPAs would resist methods, he warned, that would allow "function creep" over time. Indeed, a year later, the Belgian privacy commissioner released an opinion that established the high standards it would require in approving biometric authentication schemes.

After the meeting, GMAC and Pearson VUE took the advice to heart. Pearson's team conducted a review of available biometric technologies and zeroed in on palm-vein recognition. They found it more stable over time than fingerprinting, more accurate than facial recognition and less invasive than iris or retinal scanning. For its part, Pearson VUE worked with its vendor, Fujitsu, to incorporate European data-protection considerations into its implementation of palm-vein recognition.

"While we're a data processor from the EU perspective," said Michael Nealis, chief security and data privacy officer for Pearson VUE, "we leverage modern technology and position our operations to help clients meet their global regulatory obligations."

How does palm-vein recognition work? When exam candidates arrive at a test center to take a test, a test administrator requires them to present government-issued identification. Next, the candidates place both palms over a small, one-square-inch cube that records their unique vein patterns. This video shows the process. The palm-vein patterns are converted into a non-reversible, encrypted biometric template and then securely transmitted to Pearson VUE's hub.

With the palm-vein template created, candidates can later simply scan their palms to retake a test at any Pearson VUE test center around the world. The system ensures with a high degree of accuracy that only the legitimate candidate is allowed to take the test. Additionally, in the unlikely event that unauthorized parties were to gain access to the palm-vein templates, the templates would be unidentifiable and of no use outside the test centers.

Armed with this new approach to authentication, GMAC began anew its EU-registration efforts. GMAC detailed the critical role that biometrics play in reducing exam fraud, especially with regard to test-taker impersonation and similar schemes to commit fraud using false identities. Its efforts paid off. In June 2009, the CNIL issued a press release approving GMAC's palm-vein recognition scheme. The CNIL stated:

"[T]he palm vein of the hand, with the current state of technology, is a no-trace biometry. In view of this, it is not likely to be captured without the knowledge of the person concerned and, therefore, presents very little risk for the civil liberties and fundamental rights of the individual. It may, therefore, be used to combat identity fraud when recourse to a system of this type is justified by genuine reason and surrounded by the appropriate guarantees."

Hewlett-Packard and the IAPP cited this landmark approval in November 2009 when they awarded GMAC with the 2009 Privacy Innovation Award for Small Organizations.

What advice would Brandt give to other organizations needing to register their data practices with EU DPAs?

"Two things," he said. "Start planning early. It takes longer than you probably think."

"It would also be helpful," he added, "to find the right counsel in each country. It made a huge, huge difference for us."

Because of GMAC's efforts, other organizations have a template to follow in demonstrating how business objectives can be met with advanced biometrics without sacrificing privacy.

Jay Cline is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.

For more on the topic of biometrics and data privacy, read "Ubiquitous biometrics" from the June issue of the IAPP's Privacy Advisor member newsletter. (IAPP member login required.)


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»