GDPR requires controllers to respond to DSARs (Data Subject Access Requests) without undue delay and within one month of receipt (Article 12(3), extendable by two further months for complex or numerous requests). Within that window, data controllers must run a robust process to verify the requester's identity, because handing a copy of someone's personal data to an impostor is itself an unauthorised disclosure and therefore a personal data breach.
What is a DSAR?
Under Article 15 of GDPR, data subjects have the right to obtain from the "controller" (the organization that determines why and how their personal data is processed) confirmation that their data is being processed and a copy of that data. Any company that processes personal data should have a mechanism in place to verify the requester's identity, both for security and so that requests can be handled efficiently.
Different Methods of Verification
Here are some strategies your organization can use to verify users while still complying with GDPR:
Test a User’s Knowledge
To verify a requester's identity, ask questions whose answers only the data subject should know, based on information your organization already holds about them:
- Refer to the security questions a user answered when they created an account: "What street did you grow up on?" or "What is your mother's maiden name?" Treat these as a weak factor rather than a sole check, because such answers are often guessable or findable in public records and social media.
- Ask questions based on their basic personal data: birthday, address, phone number, or how they use your services. If you run an e-commerce store, for instance, you could ask about a recent purchase or the last four digits of the card on file. Ask only what is needed to resolve doubt about identity (Article 12(6) permits requesting additional information only where the controller has reasonable doubts), never the full card number, and do not keep the answers longer than the audit trail requires.
Check Account Information
If access to your organization's systems requires credentials, a requester can establish identity by proving control of the account on file:
- The individual logs in to your app with the relevant credentials and submits the request from the authenticated session.
- The individual makes the request from the email address that matches the one on file. Because sender addresses can be spoofed, treat this as supporting evidence rather than proof on its own.
- You send a one-time code to the email address on file and ask the individual to enter it. Give the code a short lifetime, limit the number of attempts, invalidate it after one use, and never write the code itself to logs or the audit trail.
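The one-time-code check above, written out as an added example (this is illustration code, not code from the original article or from any DSAR vendor). The class, method names and the in-memory store are assumptions for the example; a real deployment would persist the state in a database and deliver the code by email. It shows the properties a practitioner wants: only a salted digest of the code is stored, comparison is constant-time, the code expires, attempts are capped, the code is single-use, and every outcome is appended to an audit log that never contains the code itself, which is the kind of verification record the conclusion of this article asks for.

```python
"""Email one-time-code verification for a DSAR, with an append-only audit log.

Added illustration: DsarOtpVerifier, its method names and the in-memory
store are assumptions for this example, not any vendor's API.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 10 * 60   # a code is valid for ten minutes
MAX_ATTEMPTS = 5            # after that the code is burned; issue a new one
CODE_DIGITS = 8


def _digest(request_id: str, code: str) -> bytes:
    # Store only a digest so a database read does not reveal live codes.
    # The request id acts as a per-request salt.
    return hashlib.sha256(f"{request_id}:{code}".encode()).digest()


class DsarOtpVerifier:
    def __init__(self):
        self._pending = {}    # request_id -> state of the outstanding code
        self.audit_log = []   # append-only list of (timestamp, request_id, event)

    def _audit(self, request_id: str, event: str, now: float) -> None:
        self.audit_log.append((now, request_id, event))

    def issue(self, request_id: str, email_on_file: str, now: float = None) -> str:
        """Create a fresh code for this request. The caller emails it to
        email_on_file; the code must never be logged or stored in clear."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[request_id] = {
            "email": email_on_file,
            "digest": _digest(request_id, code),
            "expires": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._audit(request_id, "otp_sent", now)   # record the fact, not the code
        return code

    def verify(self, request_id: str, submitted_code: str, now: float = None) -> str:
        """Return one of: ok, unknown, expired, mismatch, too_many_attempts."""
        now = time.time() if now is None else now
        state = self._pending.get(request_id)
        if state is None:
            self._audit(request_id, "otp_verify_no_pending_code", now)
            return "unknown"
        if now > state["expires"]:
            del self._pending[request_id]
            self._audit(request_id, "otp_expired", now)
            return "expired"
        state["attempts"] += 1
        # Constant-time comparison of digests, so response timing leaks nothing.
        if hmac.compare_digest(state["digest"], _digest(request_id, submitted_code)):
            del self._pending[request_id]   # single use
            self._audit(request_id, "identity_verified_via_otp", now)
            return "ok"
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[request_id]   # burn the code; a new one must be issued
            self._audit(request_id, "otp_attempts_exhausted", now)
            return "too_many_attempts"
        self._audit(request_id, "otp_mismatch", now)
        return "mismatch"


if __name__ == "__main__":
    v = DsarOtpVerifier()
    code = v.issue("dsar-0001", "subject@example.com", now=1000.0)
    print("wrong code ->", v.verify("dsar-0001", "00000000" if code != "00000000" else "00000001", now=1001.0))
    print("right code ->", v.verify("dsar-0001", code, now=1002.0))
    print("reuse      ->", v.verify("dsar-0001", code, now=1003.0))
    for entry in v.audit_log:
        print(entry)
```

The `now` parameter is injected so the expiry and attempt logic can be exercised deterministically; in production it is simply omitted. Note that the audit log records the outcome of the check and the time, which is what you need to evidence later, while the code and the subject's answers never reach it.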
Use a Partner
The verification process can be outsourced, either in part or completely:
- You could outsource only the identity verification while your organization handles the rest. Vet the vendor carefully: it will be processing your existing customer data on your behalf, so it must be bound by a data processing agreement under Article 28, and your DSAR workflow will need a coordination step with it.
- If you outsource the entire process, be aware that some vendors in turn rely on third-party suppliers to perform identity verification, which adds another processor to the chain and can complicate the experience for your customers.
Conclusion
Whichever method you choose, you must be able to demonstrate that every DSAR was handled in line with GDPR, backed by a tamper-evident, append-only audit trail that records when and how the requester's identity was verified (the outcome, not the answers or codes themselves) as proof.