Global privacy laws like GDPR and CCPA require businesses to set up identity verification methods before responding to users’ data subject access requests (DSARs). This guide covers the different methods you can use to verify the identity of the user making the request.
A data subject access request (DSAR) is a legal right for consumers to request access to the personal data a company holds on them. The General Data Protection Regulation (GDPR) in the EU was the first major privacy regulation to codify DSARs into law.
Article 15 of GDPR defines an access request as a request that an individual can make for a complete record of their personal data that is "processed" by a "data controller," meaning a business that decides how and why consumer data is processed.
Access rights like those in the GDPR are mirrored in other global privacy laws. For example, consumers are granted access request rights under the California Consumer Privacy Act (CCPA) and Brazil's Lei Geral de Proteção de Dados (LGPD).
Thanks to the rise of privacy laws in recent years, companies have been forced to rethink how they view the data they process. Now, organizations must respect consumers’ choices about how their data is stored and used. DSARs enable consumers to exercise this choice.
For this to happen, though, it’s crucial for an organization that processes personally identifiable information (PII) to have some form of identity verification in place to ensure that the person requesting access to the PII is indeed who they say they are.
Identity verification is a way of proving a person’s identity. In a digital sense, it’s a method of ensuring that the user matches their profile by providing extra information that only the right person knows and has.
Online identity verification is commonly done through multi-factor authentication (MFA), where a user provides at least two forms of evidence that prove their identity. Forms of proof can be a password, date of birth, phone number, address, etc.
One of the most common forms of MFA is two-factor authentication (2FA). For example, you can strengthen your bank account log-in by enabling 2FA, where you’ll receive a one-time verification code through your email or phone number. That way, the only person who can access the account is you – the real owner.
Under global privacy laws, it is the business's responsibility to verify the identity of a requester before processing an access request. This is meant to prevent data from being shared with an unauthorized individual.
Recital 64 of GDPR states that:
“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular, in the context of online services and online identifiers.”
Under GDPR, state bodies can be fined up to €1 million for failure to meet their obligations, and multinationals can be fined up to €20 million, or four per cent of their previous year’s turnover.
Under the CCPA, businesses are also required to facilitate access requests. Those found to be in breach of the CCPA can be fined per individual affected, per violation. The maximum fine can be as high as $7,500 of statutory damages.
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) follows suit with a fine of up to 2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil for the prior fiscal year (excluding taxes) up to a total maximum of 50 million Brazilian reals.
When the possibility of receiving such heavy penalties is on the line, organizations must follow best practices to protect themselves against risk and privacy violations. We've outlined some identity verification methods you can use to verify DSARs below.
Here are a number of methods that an organization can use to make sure they’re practicing identity verification correctly. Each method has its pros and cons, and the right approach depends on the needs and capabilities of your organization.
One of the easiest methods of identity verification is using the PII your company already possesses about a user. This is a basic level of verification that involves asking them questions that relate to the information you store about them. Some examples of this method are:
| Pros | Cons |
|---|---|
| Makes use of existing information. | Basic security level. |
| Requires little additional investment. | Can be a manual, time-consuming process. |
| | Could be exploited by bad actors who gain access to the information. |
| | Risky to perform manually, as it exposes personal information about the data subject to company employees. |
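As an added example (not code from the original post or from Ethyca's Fides product), the following Python sketch shows one way to verify a requester against PII you already hold without showing that PII to the employee handling the request, which addresses the manual-handling risk in the table above: each stored attribute is normalised and replaced by a keyed hash, and the requester's answers are compared against those hashes in constant time, so the handler only ever sees a match/no-match result. The attribute names, the sample values, the key handling and the "required matches" threshold are all assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict

# Constructed sample: attributes a company already holds about one data subject
# (hypothetical values). In practice these come from the CRM or user database.
STORED_PII = {
    "date_of_birth": "1985-07-04",
    "postal_code": "SW1A 1AA",
    "phone_last4": "4321",
}

# Per-deployment secret for keyed hashing. Assumption: loaded from a secret store
# in real use; generated here so the example runs offline.
VERIFICATION_KEY = secrets.token_bytes(32)


def normalize(field: str, value: str) -> str:
    """Canonicalise input so formatting differences do not cause false mismatches
    (e.g. '1985/07/04' vs '1985-07-04', 'sw1a1aa' vs 'SW1A 1AA')."""
    v = value.strip().lower()
    if field == "date_of_birth":
        v = re.sub(r"[^0-9]", "", v)        # digits only: 19850704
    elif field == "postal_code":
        v = re.sub(r"\s+", "", v)           # drop internal whitespace
    elif field == "phone_last4":
        v = re.sub(r"[^0-9]", "", v)[-4:]   # accept a full number, keep the last 4 digits
    return v


def fingerprint(field: str, value: str, key: bytes = VERIFICATION_KEY) -> str:
    """Keyed hash of one normalised attribute. Only fingerprints, not the PII,
    need to be available to the verification step."""
    msg = f"{field}:{normalize(field, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_fingerprints(stored: Dict[str, str], key: bytes = VERIFICATION_KEY) -> Dict[str, str]:
    """Precompute fingerprints for everything we hold about the data subject."""
    return {f: fingerprint(f, v, key) for f, v in stored.items()}


def verify_answers(answers: Dict[str, str], fingerprints: Dict[str, str],
                   required: int, key: bytes = VERIFICATION_KEY) -> bool:
    """True when at least `required` supplied answers match the stored fingerprints.
    Comparison is constant-time; a missing answer simply counts as a miss."""
    matched = 0
    for field, expected in fingerprints.items():
        given = answers.get(field)
        if given is None:
            continue
        if hmac.compare_digest(fingerprint(field, given, key), expected):
            matched += 1
    return matched >= required


if __name__ == "__main__":
    fps = build_fingerprints(STORED_PII)
    good = {"date_of_birth": "1985/07/04", "postal_code": "sw1a1aa",
            "phone_last4": "+44 7700 900 4321"}
    bad = {"date_of_birth": "1985-07-04", "postal_code": "SW1A 1AA",
           "phone_last4": "0000"}
    print(verify_answers(good, fps, required=3))   # True
    print(verify_answers(bad, fps, required=3))    # False
```

The keyed hash only protects the attributes while the key stays secret; dates of birth and postal codes have little entropy, so anyone holding both the key and the fingerprints could recover them by guessing. Treat the fingerprint store and the key as separate secrets, and pair this method with the attempt limits you would apply to any knowledge-based check.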
Depending on your business’ data systems, the individual making the access request may be able to prove their identity by virtue of having access to your company’s services or account credentials. Some examples of this method include:
| Pros | Cons |
|---|---|
| Secure. | Could be exploited by bad actors who gain access to the account credentials. |
| Efficient. | Can require an additional step of friction (account creation) for users filing access requests. |
| User-friendly experience. | Does not support "semi-anonymous" users, such as guest checkout from e-commerce or users that do not have a registered account. |
| Requires very little additional investment. | |
Multi-factor authentication (MFA) is one secure way of verifying a user's identity. By sending the user a one-time passcode, you can securely and easily confirm that they are the person making the access request. More examples include:
| Pros | Cons |
|---|---|
| Very secure. | Implementing multi-factor authentication initially can be costly and cumbersome. |
| Efficient. | The device or email inbox used by the individual for multi-factor authentication could be compromised. |
| User-friendly experience. | |
If maintaining identity verification for DSAR compliance is not something your company wants to do itself, you can outsource the workload to third-party specialists that can implement and manage this system for you.
You could choose to outsource just the identity verification process to a third party and still maintain control over the rest of the access request process. These third parties typically verify identity against existing information held by sources such as a credit reference agency.
However, this method is costly and inefficient, and your company will still need to process the rest of the access request once identity verification is complete.
Alternatively, your company could decide to fully outsource DSAR processing. This could, however, further convolute the process for your users, and lead to a poor user experience.
Regardless of the method you choose to implement, it is crucial that your organization stores an audit trail of all DSARs it processes, including confirmation of identity verification, so that you can prove they were carried out in compliance with global privacy laws.
| Pros | Cons |
|---|---|
| Industry leaders are highly trustworthy. | Third-party services are expensive. |
| Access to the expertise and infrastructure of a specialist third party. | May create a poor, disjointed user experience. |
| Frees up internal resources. | The questions asked by third parties may feel excessive or intimidating to the individual, as they are often unrelated to the service being provided by your company. |
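As an added example (not code from the original post or from Fides), the following Python sketch covers the one-time-passcode verification described under multi-factor authentication above together with the audit-trail requirement: a six-digit code is generated from a CSPRNG, only a salted hash of it is stored, verification is time-limited, attempt-limited and single-use, and every step is appended to an audit log keyed by the request id. The request ids, contact details, code lifetime and attempt limit are constructed values for this example, and delivery of the code (email or SMS) is left to the caller.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OTP_TTL_SECONDS = 600   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5        # assumption: lock the challenge after this many wrong codes


@dataclass
class Challenge:
    request_id: str
    contact: str          # where the code was delivered (email address or phone number)
    code_hash: bytes      # only the salted hash is stored, never the code itself
    salt: bytes
    expires_at: float
    attempts: int = 0
    verified: bool = False


@dataclass
class AuditLog:
    """Append-only record of what happened to each DSAR challenge."""
    entries: List[dict] = field(default_factory=list)

    def record(self, request_id: str, event: str, **details) -> None:
        self.entries.append({"ts": time.time(), "request_id": request_id,
                             "event": event, **details})

    def for_request(self, request_id: str) -> List[dict]:
        return [e for e in self.entries if e["request_id"] == request_id]


def mask_contact(contact: str) -> str:
    """Keep the audit trail useful without copying the full contact detail into it."""
    if "@" in contact:
        local, _, domain = contact.partition("@")
        return f"{local[:1]}***@{domain}"
    return "***" + contact[-3:]


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_challenge(request_id: str, contact: str, audit: AuditLog,
                    now: Optional[float] = None) -> Tuple[Challenge, str]:
    """Create a one-time code for a DSAR. Returns the stored challenge and the
    plaintext code; the caller sends the code out-of-band and then discards it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
    salt = secrets.token_bytes(16)
    ch = Challenge(request_id, contact, _hash_code(code, salt), salt, now + OTP_TTL_SECONDS)
    audit.record(request_id, "otp_issued", contact=mask_contact(contact))
    return ch, code


def verify_code(ch: Challenge, submitted: str, audit: AuditLog,
                now: Optional[float] = None) -> bool:
    """Check a submitted code: single-use, time-limited, attempt-limited, constant-time."""
    now = time.time() if now is None else now
    if ch.verified:
        audit.record(ch.request_id, "otp_reuse_rejected")
        return False
    if now > ch.expires_at:
        audit.record(ch.request_id, "otp_expired")
        return False
    if ch.attempts >= MAX_ATTEMPTS:
        audit.record(ch.request_id, "otp_locked")
        return False
    ch.attempts += 1
    ok = hmac.compare_digest(_hash_code(submitted, ch.salt), ch.code_hash)
    if ok:
        ch.verified = True
        audit.record(ch.request_id, "identity_verified", method="otp", attempts=ch.attempts)
    else:
        audit.record(ch.request_id, "otp_mismatch", attempts=ch.attempts)
    return ok


if __name__ == "__main__":
    audit = AuditLog()
    ch, code = issue_challenge("dsar-0001", "alice@example.com", audit)  # constructed values
    wrong = f"{(int(code) + 1) % 10**6:06d}"   # guaranteed-wrong code for the demo
    print(verify_code(ch, wrong, audit))        # False
    print(verify_code(ch, code, audit))         # True
    print(verify_code(ch, code, audit))         # False: a code cannot be reused
    print(json.dumps(audit.for_request("dsar-0001"), indent=2))
```

The audit entries give you the evidence the regulations ask for (when the code was issued, to which masked contact, how many attempts were made, and when the identity was confirmed) without turning the log itself into another store of personal data. The attempt limit matters more than the hash cost here: a six-digit code has only a million possibilities, so lockout is what makes guessing impractical.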
Processing DSARs in a compliant manner is often costly, time-consuming, and tedious. That’s why we built the Fides privacy intelligence automation platform.
Fides can easily embed into your tech infrastructure and connect with all major third-party SaaS providers. Through the Fides Privacy Center, users can easily submit a DSAR request and immediately verify their identity. This allows your business to streamline DSAR processing and fulfillment.
If you’d like to learn more about how Ethyca can help your organization verify user identity for DSAR automation, schedule a free 15-minute call today.