How do I verify the identity of a data subject?

GDPR has certain rules about how DSARs are to be fulfilled. Recital 64 states that the data controller should verify the identity of a data subject using “all reasonable means”. The standard for what is reasonable is not yet established in the law but organizations are encouraged to consider proportionality when verifying data subjects. In practice this means the criteria for verifying a data subject’s identity when an organization only collects demographic information should be different from an organization that collects credit card + demographic information.

Organizations need to also remember that the response window for a DSAR begins once an organization receives a request, not once an organization verifies someone’s identity.

Remember, if the data subject requests that the DSAR be executed orally, you must take additional steps to verify their identity.

Real World Example

Susan calls your company to request access to her data subject profile. Susan has a visual impairment, and therefore requests that her DSAR be fulfilled orally via the telephone. Prior to fulfilling this DSAR, the company may request that Susan confirm additional identifying details beyond her name and birthdate (for instance). Once her identity is confirmed, and the DSAR executed, the DSAR manager may call Susan within 30 days to fulfill this request. 

Download the GDPR Guide



This article is provided for general informational purposes only and is not intended to be legal advice.  By using the article, you agree that the information on this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the article may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.