If your business hopes to comply with the GDPR, CCPA, and the growing list of data privacy laws, having a system to verify your data subjects' identities is essential.
Depending on your business, hundreds, thousands, or even millions of people visit your website every day. Some percentage of those individuals will request that you send them the Personally Identifiable Information (PII) you have collected about them, which is their right. And while most of these individuals and their accounts are authentic, unfortunately, some are not. How can you distinguish between a valid consumer and someone impersonating them, so that you do not surrender someone's PII to an unauthorized individual? By following a few straightforward steps.
Why Do I Have to Verify Data Subjects?
According to Recital 64 of the GDPR, controllers should use “all reasonable measures to verify the identity of a data subject.”
Verification of your “data subjects”—a more encompassing term than consumers—is crucial and must be done in an airtight manner, or you may find yourself paying steep fines and incurring significant brand damage. You could even be liable to repay the authentic data subject for damages and any goods or services the bad actor purchased using your data subject’s credentials if it is determined that reasonable and required due diligence on your behalf was not fulfilled.
Best Practices For Verifying Data Subjects
To help thwart the efforts of those who intend to request and obtain valid credentials illegally, the best practice is to verify the identity of a requester within seven (7) days of the privacy request submission. Industry analyses indicate a higher likelihood of illegitimacy if the requester cannot complete verification within that duration. This is not a hard and fast rule, so determine what works best for your company.
Makings of a Good Verification Process
Typically, companies initiate the verification process using a previously confirmed method of engagement and validation, such as an email address or phone number.
Common verification questions include:
- What is the last piece of content the subject downloaded from your website?
- What is the last interaction the subject had with a representative of your business?
- What is the last item the subject purchased, its price, or the shipping details (if your company is a retail organization)?
As a business, you should also identify the scenarios in which you’d reject a request based on missing or incorrect information. The sensitivity of the data requested should guide your decision on whether the information verified is sufficient.
Note: Avoid collecting additional personal information in the process of verifying a requester. Privacy regulations encourage the principle of data minimization, so it’s best to leverage existing data already on file to verify a requester.
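The workflow described in this section (a challenge sent over a previously confirmed channel, answers checked only against data already on file, rejection on any mismatch, a stricter bar for more sensitive data, and the seven-day window from the best-practice section) can be reduced to a small decision function. The following is an added illustration, not code from the original article or from any vendor product; the record schema, the `REQUIRED_MATCHES` thresholds, and all timestamps and sample values are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

VERIFICATION_WINDOW = timedelta(days=7)  # the seven-day window recommended above

# Constructed sample record (hypothetical schema). Verification only ever reads
# fields already on file; the requester's answers are compared, never stored.
RECORDS = {
    "subject-1001": {
        "contact_email": "alice@example.com",       # previously confirmed channel
        "last_download": "GDPR Checklist.pdf",
        "last_purchase_total": "49.99",
    },
}

# Matching answers required before release, keyed by sensitivity of the data requested.
REQUIRED_MATCHES = {"low": 1, "medium": 2, "high": 3}

def normalize(value: str) -> str:
    """Case- and whitespace-insensitive form so honest typos do not fail a match."""
    return " ".join(value.strip().lower().split())

def answer_matches(on_file: str, given: str) -> bool:
    """Constant-time comparison of digests so response timing reveals nothing about the record."""
    a = hashlib.sha256(normalize(on_file).encode()).digest()
    b = hashlib.sha256(normalize(given).encode()).digest()
    return hmac.compare_digest(a, b)

def verify_request(subject_id, submitted_at, answered_at, answers, sensitivity="medium"):
    """Decide a DSAR verification: returns ('verified'|'rejected'|'expired', reason)."""
    record = RECORDS.get(subject_id)
    if record is None:
        return "rejected", "no record on file for this identifier"
    if answered_at - submitted_at > VERIFICATION_WINDOW:
        return "expired", "not verified within 7 days; notify requester the request cannot proceed"
    # Data minimization: refuse questions that would require collecting new PII.
    unknown = sorted(k for k in answers if k not in record)
    if unknown:
        return "rejected", "question(s) not backed by data on file: " + ", ".join(unknown)
    matched = sum(answer_matches(record[k], v) for k, v in answers.items())
    needed = REQUIRED_MATCHES[sensitivity]
    # Any wrong answer rejects; an all-correct set still needs enough matches for this sensitivity.
    if matched == len(answers) and matched >= needed:
        return "verified", f"{matched} answer(s) matched"
    return "rejected", f"{matched}/{len(answers)} matched, {needed} needed with no mismatches"

# Constructed timestamps for a worked check: one response inside the window, one outside it.
SUBMITTED = datetime(2024, 5, 1, tzinfo=timezone.utc)
IN_TIME, TOO_LATE = SUBMITTED + timedelta(days=2), SUBMITTED + timedelta(days=9)
```

A request that expires or is rejected should trigger the notification described in the next section rather than silently stall.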
What To Do If You Cannot Verify a Data Subject's Identity
It's perfectly normal to be unable to verify a data subject for legitimate reasons. The most important thing to do if you find that you cannot confirm a data subject's identity is to notify the requester that you'll be unable to proceed with their request.
Use a technology tool, such as DataGrail Smart Verification, that leverages various levels of verification and geolocation-specific legal frameworks to ensure data subjects are verified at all times and according to applicable privacy regulations.