AI Summarize

Share

Businesses are increasingly required to walk a fine line between two competing responsibilities: allowing data subjects to exercise their legally-granted privacy rights under laws like the GDPR, and preventing unauthorized access to personal information that could lead to identity theft, fraud, or data breaches.

When someone submits a request to do something like access, rectify, or erase their personal data, how can you be sure they are who they say they are?

This article will explain how to verify a data subject's identity in a legally compliant and proportionate way, explore how much verification is appropriate, and clarify what types of information you should and shouldn't ask for.

We'll also look at guidance from regulatory bodies like the UK Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB) to help you implement verification processes that strike the right balance.


Why is Identity Verification Essential for Data Subject Requests?

Data protection laws give individuals important rights over their personal data, such as the right to access, rectify, erase, or restrict processing of that data. But if organizations don't verify the identity of the person making a data subject access request (DSAR), they run the risk of disclosing data to someone other than the actual data subject. And that's a data breach waiting to happen.

For example, consider receiving a DSAR and then, without proper identity checks, disclosing sensitive medical or financial information to an impersonator. The damage to both the individual and the business can be severe.

The GDPR allows for identity verification to ensure that rights are being exercised by the correct person. Article 12 states that "where the controller has reasonable doubts concerning the identity of the natural person making the request," they may request additional information that's necessary to confirm the identity of the data subject.

First let's look at some regulatory guidance, then we'll go step by step through the identity verification process.

What Guidance Do Regulators Give For Identity Verification?

Regulators have offered guidance to help clarify what's acceptable when verifying a data subject's identity. Both the ICO and the EDPB have provided frameworks that emphasize reasonableness, proportionality, and risk-based thinking.

ICO Guidance (UK)

The ICO provides guidance on handling DSARs under the UK Data Protection Act 2018 and the GDPR. Its recommendations focus on ensuring that identity verification is justified, transparent, and efficient.

Key points of the ICO's guidance include the following:

  • Reasonable doubts as a trigger: The ICO specifies that businesses should only request additional information if they have "reasonable doubts" about the requester's identity. For example, if a DSAR is received from an unfamiliar email address or contains inconsistencies, further verification is warranted. However, if the requester is a known customer with a verified account (e.g., through a secure login), additional checks may not be necessary.
  • Transparency and communication: Businesses must clearly explain why additional information is being requested and how it will be used.
  • Proportionality in requests: Verification measures should be proportionate to the risk and sensitivity of the data involved.
  • Data minimization: The ICO emphasizes the GDPR's data minimization principle, which requires businesses to collect only the data necessary for verification.
  • Secure handling and disposal of data: Any personal data collected during verification, such as ID documents, must be handled securely and destroyed once verification is complete. Retaining copies unnecessarily increases the risk of data breaches and violates the GDPR.
  • Timeliness and the one-month rule: The ICO mandates that DSARs must be responded to within one month, though this period can be paused if identity verification is pending. However, businesses must not use verification as a delay tactic. The verification process should be completed promptly, and the one-month clock resumes once identity is confirmed.
  • Documentation and accountability: Businesses must document their verification processes and decisions to demonstrate compliance if challenged by the ICO. This includes recording why additional information was requested, what was collected, and how it was handled.

EDPB Guidelines (EU)

The EDPB, which oversees GDPR compliance across the EU, provides guidance that aligns closely with the ICO's principles but offers additional clarity for multinational businesses operating across EU member states. Key points include:

  • Facilitating access rights: The EDPB stresses that identity verification must not create unnecessary obstacles to exercising data subject rights. Overly complex or burdensome processes could violate GDPR Article 12, which requires organizations to facilitate access requests.
  • Balancing rights and security: Businesses must balance the data subject's right to access their data with the need to prevent unauthorized disclosures.
  • Data minimization and redaction: When requesting identity documents, businesses should ask for the minimum information necessary and encourage redaction of sensitive details. For instance, a passport's photo and name may be sufficient, while the passport number or issue date could be redacted to reduce data collection.
  • Avoiding excessive requests: The EDPB warns that requesting excessive data, such as full ID documents for routine DSARs, can breach the GDPR's data minimization principle. In 2020, the Dutch DPA fined DPG Media €525,000 for requiring ID copies for all DSARs, highlighting the importance of proportionality.
  • Transparency in process: Businesses must inform requesters why verification is needed and provide clear instructions. For example, a privacy notice or DSAR response letter should explain that a driver's license is required due to the sensitive nature of the requested data.
  • Handling third-party requests: If a DSAR is submitted by a third party, like a lawyer or family member, the EDPB requires businesses to verify the third party's authority, typically through written consent or a power of attorney. This ensures that the data subject has explicitly authorized the third party to act on their behalf.
  • Manifestly unfounded or excessive Requests: The EDPB allows businesses to refuse DSARs that are fraudulent or excessive. However, refusals must be justified, and identity verification should not be used as a reason to deny legitimate requests.

While the UK ICO permits narrowing search scope in some cases based on proportionality, the EDPB takes a stricter view. In its draft guidance on access rights, it emphasizes that controllers must search all reasonably accessible media (e.g. emails, backups) even when burdensome, if technically feasible

Note: As of this writing, the EDPB's guidance on identity verification forms part of broader draft guidelines on DSARs (January 2022). Businesses should follow updates from their national DPA to track final adoption.

Step 1: Assess Whether Verification is Necessary

Before jumping right into ID requests, it's important to evaluate the context of the request. Not all data subject requests require strict identity verification.

If the requester is logged into a secure, authenticated account, for example, an online customer portal or mobile app, then you already have a sufficient level of assurance that the person is who they say they are. But if the request comes in through an anonymous email or contact form, or if the request concerns highly sensitive information, you may need to verify identity further.

Step 2: Choose an Appropriate Verification Method

Once you've established the need for identity verification, the next step is deciding how to verify.

The method you use should be both effective, and compliant with data protection principles like data minimization, purpose limitation, and security. In other words, don't collect more data than you need, don't use it for anything other than verification, and keep the data you collect secure.

Common methods of identity verification include the following:

Using Existing Personal Information

The simplest and least intrusive method is to verify identity using personal information the organization already holds. This could include:

  • Basic personal information: Ask the data subject to confirm details like their full name, date of birth, address, or phone number.
  • Service-related information: Request details specific to the individual's interaction with your business, such as a customer reference number, the last four digits of a payment method, or details of recent transactions.

For example, an online retailer might ask a requester to provide the order number of their most recent purchase or the email address used for their account.

This method is cost-effective, quick, and minimally invasive, as it leverages data already in your possession. However, it may not suffice for high-risk or sensitive data, as fraudsters could have access to basic personal information.

Multi-Factor Authentication (MFA)

For organizations with digital platforms, MFA can enhance security. This involves requiring at least two forms of evidence to confirm identity, such as a password or PIN code, a one-time code sent to a registered email or phone number, or answers to security questions set during account creation. MFA is widely used in secure environments like banking and provides a robust layer of protection.

For example, a bank processing a DSAR might require the requester to log into their secure online banking portal and confirm their identity with a one-time code sent via SMS. However, this method requires users to have registered accounts and access to their registered contact details, which may not always be the case.

Identity Documents

Requesting copies of official identity documents, such as a passport, driver's license, or utility bill, is a common practice but should be used cautiously.

The ICO and EDPB warn against routinely requesting such documents, as this can be disproportionate and lead to the unnecessary collection of additional personal data.

This method is appropriate when:

  • The data is highly sensitive (like medical or financial records)
  • There are reasonable doubts about the requester's identity
  • Other verification methods are insufficient

If you go this route, follow these best practices:

  • Request only the minimum information needed, and redact ID numbers or other sensitive details that aren't necessary.
  • Have users submit their information via secure methods, such as encrypted portals, to help avoid data breaches.
  • Do not retain copies of ID documents longer than necessary, and securely destroy them after verification.

Third-Party Verification Services

Businesses can outsource identity verification to certified Digital Verification Services (DVS) or Identity Providers (IDPs). These services cross-reference personal information against trusted databases, such as credit bureaus or government records, to confirm identity. These third-party services are efficient and use advanced technology, such as biometric verification or database checks. However, they can be costly, and businesses are still responsible for ensuring the service complies with the GDPR and other regulations.

Biometric Verification

Advanced methods like facial recognition or liveness detection can be used for high-security scenarios. These technologies compare a selfie or video to an identity document to confirm the requester's presence.

While biometric verification is highly secure and effective against fraud, it requires sophisticated technology, and could exclude individuals without access to compatible devices. It also may raise concerns around privacy and consent to collect and use the biometric data since biometric verification is outsourced to a third party that specializes in this process. If you choose to use this verification method, you'll need to ensure you get proper consent to use biometric data, and disclose this in your Privacy Policy.

Biometric verification is less common currently, but this may change in time as technology advances even further.

Step 3: Decide How Much Information to Ask For

This is where many organizations run into trouble. Requesting too much information can backfire, both legally and reputationally. When verifying a data subject's identity, organizations must request only the information necessary to confirm identity.

The ICO and EDPB provide clear guidance on this:

  • Proportionality: The verification process should be proportionate to the sensitivity of the data and the context. For example, low-sensitivity data may require only basic information, while sensitive data may justify stricter measures.
  • Minimized data collection: Avoid collecting additional personal data unless absolutely necessary. For instance, requesting a full passport copy when a name and address suffice could violate GDPR's data minimization principle.
  • Using existing data first: Make use of any information already held by your business before requesting new documents or data.
  • Secure handling: Ensure that any requested information, especially ID documents, is transmitted and stored securely to prevent breaches.

Here are some example thresholds based on risk:

  • Low-risk requests: Confirm identity with an email address or customer ID.
  • Medium-risk requests: Require additional details, such as a date of birth or answers to security questions.
  • High-risk requests: Request official ID documents, especially for sensitive data like health or financial records.

Always consider alternatives first. Could you ask for a utility bill, security question, or account-specific transaction history instead? Can the same outcome be achieved with less intrusive data? Remember: if you're going to ask for sensitive documents, you also take on the responsibility of securely storing or promptly deleting them. You'll need to inform the individual about how their data will be used, for how long, and who will have access.

Know What Not to Ask For

Just because someone has submitted a data subject request doesn't give you the right to ask for anything you want. Certain types of data are almost always considered too sensitive, disproportionate, or unnecessary for identity verification.

Avoid asking for the following things:

  • Excessive personal data: Avoid requesting sensitive information like Social Security numbers, full credit card details, or passwords unless absolutely necessary.
  • Irrelevant documents: Don't ask for documents unrelated to identity verification, such as medical records or tax returns.
  • Unnecessary copies of IDs: Don't do this routinely, and consider redacting sensitive details like the ID numbers, or accepting partial information, if you do this.
  • Login credentials: Never ask for passwords or security question answers, as this could compromise the data subject's account security.
  • Biometric data: Don't do this unless you absolutely have to.
  • Multiple forms of ID when one is enough: Minimize the data you collect by only requesting exactly what you need. If someone can prove identity with one photo ID, don't ask for two.

Step 4: Communicate Clearly With the Data Subject Making the Request

If you determine that additional identity verification is necessary, tell the data subject the following things:

  • Why verification is required
  • What information you need
  • How the information will be used and stored
  • What happens if they decline or fail to provide the requested information

Make this communication as clear and concise as possible. Avoid legalese.

You should also inform them of any impact on timelines. Under the GDPR, you generally have one month to respond to a data subject request. However, if you need more time due to complex verification, you may extend this by an additional two months, but you must notify the requester of this within the initial month.

Here's an example of an email you might send to someone:

Dear [Data Subject's Name],
We've received your request to access your personal data. To protect your privacy, we need to verify your identity. Please reply with your customer ID or the email address associated with your account. Alternatively, you can click the secure link below to confirm your identity. If you have any questions, contact our Data Protection Officer at [email].
Thank you,
[Your Company Name]

You can also use your Privacy Policy to communicate how your identity verification process may involve requesting personal information. Here's how Zapier informs users that it will take steps to verify identity before fulfilling user requests in order to protect user privacy:

Zapier's explanation of user verification process in privacy policy

Step 5: Keep Verification Data Secure

Once you've collected verification data, you're responsible for keeping it safe. This means:

  • Storing it securely, with access limited to authorized personnel
  • Only retaining it for as long as necessary to complete verification
  • Deleting or anonymizing it once the purpose of verifying identity has been fulfilled

Remember: if you're collecting scanned IDs or other sensitive documents, consider redacting or obscuring unnecessary details before saving.

Best Practices for Balancing Access and Fraud Prevention

To strike the right balance between facilitating DSARs and preventing fraud, consider these best practices:

  • Adopt a risk-based approach: Tailor your verification process to the sensitivity of the data and the risk of harm. The more sensitive the data, and/or the greater the risk of harm, the more robust your verification process can and should be.
  • Make use of existing data whenever possible: Use information already in your systems, like user account details, before requesting new information.
  • Automate where possible: Use secure, automated tools like email verification links or 2FA to streamline low-risk requests.
  • Train staff: Ensure your team understands GDPR requirements and can handle DSARs efficiently and securely.
  • Review your processes regularly: Update your verification procedures to reflect changes in regulations or technology as needed. What's compliant today may be in violation tomorrow.

Here's a summary of various identity verification methods by risk levels:

Risk Level Data Sensitivity Example Recommended Verification Methods Notes & Best Practices
Low Basic contact details, non-sensitive account info

Email confirmation

Customer ID or username

Secure login confirmation

Use existing account data or basic details already held. Avoid new data collection. No need for ID docs or MFA.
Medium Contact preferences, order history, subscription data

Email + additional account info

Security questions

Last 4 digits of card or billing address

Ensure proportionality. Don't request ID unless justified. Use layered checks when in doubt.
High Financial, health, employment records

Government-issued ID (redacted if possible)

Utility bill with address

One-time password to known contact info

Minimize data collected. Redact unnecessary info. Store securely and delete promptly. Consider encrypted upload channels.
Very High / Exceptional Sensitive special-category data (e.g. biometric, medical, legal claims)

Multi-factor authentication (MFA)

Verified legal authorization (e.g. power of attorney)

Biometric + ID verification

Only when strictly necessary. Requires strong justification and DPIA. Outsourced services must be GDPR-compliant. Avoid if alternatives exist.

Common Mistakes to Avoid When Verifying Identity

Even well-meaning businesses can easily make mistakes if they don't apply identity verification practices carefully. Here are some of the most common mistakes that you should strive to avoid:

  • Asking for excessive information by default, rather than assessing on a case-by-case basis.
  • Rejecting requests without properly explaining what's needed for verification.
  • Using the verification process as a delay tactic.
  • Storing ID documents indefinitely without clear justification.
  • Failing to document your verification policies.

Avoiding these mistakes both protects your business from legal risk and shows that you respect the data rights of individuals.

Summary

Verifying the identity of a data subject is an important step in safeguarding data you hold against unauthorized access, but it must be done carefully. The key is proportionality: verify when you must, but don't over-collect verification data. Follow a risk-based approach, document your reasoning, and use the least intrusive verification method that still meets your security needs.

Rely on guidance from regulators like the ICO and EDPB, and don't forget to treat your verification data as sensitively as the information it protects.

When done correctly, identity verification can safeguard privacy, reduce the risk of fraud, and strengthen trust between you and your data subjects without creating excessive hassle for either of you.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy