March 2, 2021 | Veratad Blog | Category: Regulatory Compliance

How to Verify Identity for GDPR Data Access Requests

Processing consumer data access requests is an essential part of GDPR compliance. In this post, we review what data access requests are and how to verify consumers with identity verification.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a law that gives European Union (EU) consumers more control over the personal information that businesses collect about them. Companies that collect or hold personal data on EU data subjects and meet certain threshold requirements will have to comply with GDPR by following strict regulations about collecting personal data.

GDPR may affect any business that collects user data of EU citizens.

Businesses that fail to comply can expect steep regulatory penalties, up to 4% of their global revenue or €20 million, whichever is higher.

What Are Data Access Requests?

One of the most significant provisions in the GDPR is data access requests. Article 15 of GDPR establishes that data subjects have:

“…the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”

To this end, consumers have the right to request any of the following in a data access request:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipient to whom the personal data have been or will be disclosed
  • The period for which the personal data will be stored
  • Restriction of processing of personal data concerning the data subject 

Consumers can also make requests for you to delete personal information. And you’ll need to provide all of this information free of charge. For firms with a considerable GDPR footprint, the costs of processing thousands of requests can add up.

Completing data access requests promptly, correctly and cost-effectively is an essential part of GDPR compliance.

How to Verify Identity for GDPR Data Access Requests

To complete a data access request, you need to be sure that the consumer requesting the data is who they say they are, and that you disclose the personal information to the right consumer. 

For most businesses with GDPR liability, the best way to validate these data access requests is through identity verification.

Identity verification technology uses identity data, identity documents and other methods to ensure your customers are who they say they are. 

For GDPR compliance, identity verification ensures the person requesting the consumer data and the consumer are the same person. It does this by using existing consumer identity data and additional information to run a check of the requester’s identity. The verification technology then verifies that the requester and consumer are the same, allowing you to fulfill the data access request.

Identity data is the primary method for verifying consumer identity. But in some cases, it will make sense to deploy more advanced verification methods such as ID documents or biometrics.

Who Provides Identity Verification?

Identity verification providers offer GDPR compliance solutions that provide the identity verification technology you need to complete data access requests. There are two ways you can get this technology.

First, GDPR compliance software providers offer identity verification integrations in their systems. This allows you to access verification methodologies and general compliance tools you need in one place. 

The second option is to work directly with a verification provider through standalone GDPR compliance solutions. This allows you to verify consumer requests for data by integrating verification technology directly into your workflow. This delivery method is ideal for businesses that already have compliance software or are managing data access requests directly in their own systems.

Either way, deploying identity verification for GDPR is a straightforward process. First, you work with the provider to integrate the technology into your systems through an API. Then you configure the criteria you’ll use for verifying consumer data requests. In most cases, you can complete onboarding and start verifying consumer identity in just a few days.


Verifying consumer identity for data access requests is an essential part of GDPR compliance. Fortunately, the availability of ID verification technology and compliance software has made it possible for any business to become GDPR compliant.
