How do I verify the identity of a data subject?
GDPR has certain rules about how DSARs are to be fulfilled. Recital 64 states that the data controller should verify the identity of a data subject using “all reasonable means”. The standard for what is reasonable is not yet established in the law, but organizations are encouraged to consider proportionality when verifying data subjects. In practice, this means the criteria for verifying a data subject’s identity at an organization that only collects demographic information should be different from those at an organization that collects credit card and demographic information.
Organizations also need to remember that the response window for a DSAR begins once an organization receives a request, not once an organization verifies someone’s identity.
Remember, if the data subject requests that the DSAR be executed orally, you must take additional steps to verify their identity.
Real World Example
Susan calls your company to request access to her data subject profile. Susan has a visual impairment, and therefore requests that her DSAR be fulfilled orally via the telephone. Prior to fulfilling this DSAR, the company may request that Susan confirm additional identifying details beyond, for instance, her name and birthdate. Once her identity is confirmed and the DSAR executed, the DSAR manager may call Susan within 30 days to fulfill this request.