Facial recognition technology (FRT) identifies or otherwise recognises a person from a digital facial image. Businesses can use FRT in a variety of contexts - for example, in allowing access to devices, taking payments, or allowing entry to secure areas.
Depending on the use, FRT involves processing personal data, biometric data and special category personal data. Such technologies can intrude on people's privacy, so businesses need to think carefully when deciding if they should implement them.
If you are a small business looking to begin using facial recognition technology, read the ICO's latest FAQ about using FRT for payment, entry, or other security systems.
The information highlights key issues to be aware of, such as:
- what you need to consider before using this technology;
- when you must complete a data protection impact assessment;
- how to identify and satisfy a special category condition; and
- what to include in your privacy notice if you use FRT. See: [Additional considerations for technologies other than CCTV | ICO](https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-video-surveillance-including-cctv/additional-considerations-for-technologies-other-than-cctv/#frt)
The Information Commissioner's Office (ICO) has published final guidance on the new ‘charitable purposes soft opt-in’ provision introduced by the Data (Use and Access) Act 2025.
The National Cyber Security Centre (NCSC) announced at CYBERUK 2026 in Glasgow that it will begin recommending the use of passkeys wherever a service supports them, and two-step verification (2SV) where it does not.