The EU’s General Data Protection Regulation (GDPR) ensures that data subjects can retrieve their personal data from the data controllers promptly. For example, if your business runs an online website which allows customers to create and manage their own account, you should make it easy for customers who forgot their password to retrieve their login information. There are various ways to confirm their identity so that you can send them a new password, give them their current password, or allow them to reset the password themselves. As a GDPR-compliant business, knowing how to craft a data subject access request (DSAR) procedure is essential to ensure that you meet the compliance obligations.
What Is a Data Subject Access Request
Data subject access requests can be in any form; an email, a letter, a phone call, or even a personal request submitted in a store or office. According to the GDPR, a request can be classified into one of many categories, such as the right to object, right to erasure, right of access, right to data portability, or right to restriction of the processing. It’s crucial for the data controller to communicate with the data subject effectively to verify the nature of the request. When processing a request, data controllers need to ensure that it originates from an authorised source. Sensitive data being accessed by an unauthorised entity will result in a breach which violates the rights and security of the original data subject.
How to Verify the Identity of a Data Subject
When receiving a data subject access request, depending on the context of the online service, you should be able to use reasonable measures to verify the subject’s identity. For example, you could use the same method utilised to obtain data in the first place to verify the identity. It could be an email coming from the same address, or through an authentication mechanism which allows the data subject to log into his account. If your organisation needs more information, refer to NIST’s digital identity guidelines for the latest authorisation and authentication methods.
Depending on the sensitivity level of the data being requested, further authentication layers may need to be implemented. For example, if it’s a request to access financial data, more effort to authenticate the subject is required. Many businesses use a set of knowledge-based questions at this stage of verification. These knowledge-based questions are directly related to the data subject and confidential enough that only the subject can answer them. Examples of such questions include “what is the current balance in your account?” or “when was the last time you signed in?”. It should be noted that during the verification process, it’s better to use the information you already have rather than asking for new details. The more sensitive data you hold regarding a subject, the more accountable you are with regards to GDPR.
Once you have verified the identity of the data subject access request, it’s your responsibility to process the request in a timely manner. The GDPR states that received data subject access requests should be dealt with within one month from the date the request is received. To comply with this requirement, businesses need to have a designated first responder who is knowledgeable in GDPR compliance. That person will handle the verification of the data subject and take charge of the initial communication. Once the identity has been verified, the person in charge will need to gather all information related to the subject that the business has in its database, compile it into a concise and easy to understand format and send it back to the requester. Every step taken during the whole process should be recorded.
What If You Cannot Verify the Identity of the Data Subject Access Request?
In case it’s not possible to verify the identity of the person sending the request, you may deny the request unless the person can provide you with more information. In case you decide not to fulfil the request, you are required to inform the requester accordingly and explain the reasons for not meeting the demand. The requester should also be informed about the ability to lodge a complaint with a supervisory authority for further consideration.
If you make it too difficult for the requester to exercise his or her rights by demanding unreasonable requirements, you may risk infringing the fundamental rights of the data subject, which could result in an administrative fine of up to 20000000 euros or up to four per cent of the previous financial year’s worldwide turnover. Due to the strict GDPR guidelines, businesses should consider which type of data they need to keep and to what extent. Unnecessary data doesn’t just take up server space and slow down the connection, but also hold the business liable for potential security risks that may damage the customers’ trust and business image.
If the purposes for which the data controller processes the data do not require the identification of the data subject, the controller is not required by Articles 15 to 20 of the GDPR to verify the identity of the data subject, and should inform him or her accordingly.
A general rule of thumb is, you should not collect more data than needed. Asking for a copy of a passport, birth certificate, or other government-issued documents should be avoided. Hackers and scammers especially target companies with large databases containing personal identification or financial information. Once in possession of such data, the hacker can pose himself as the victim, and if your business is required to collect such data as part of the business process, a strict security mechanism should be in place to protect such data.