The EU GDPR has brought greater transparency and control to how organisations process and use personal data. Under the GDPR, and many other laws around the world, individuals have the right to amend incorrect data or request the deletion of data that is no longer relevant. Going forward, individuals are able to learn which data organisations are collecting and keeping on them, why and how that data was collected in the first place, and how it is being used.
The upcoming CCPA (California Consumer Privacy Act) takes it a step further. It allows individuals to block any marketing activities undertaken with their data, as well as the sale of their data. And both the GDPR and CCPA provide for a right to data portability, allowing people to take their data from one organisation to another.
So, how do these regulatory changes affect your compliance efforts? In any case, you will need to verify the identity of the data subject before you provide access to personal data you hold in your databases or make any changes to it. Authenticating a data subject’s identity must also be done in compliance with applicable data privacy laws.
Authenticating Data Subjects While Remaining Compliant
With the GDPR fully applicable and the CCPA on the horizon, more attention than ever before is being given to the rights of the data subject. Many data subject requests are already being fielded by organisations, but one of the questions remains – how do you identify the data subjects sending the requests and still remain compliant?
An accountable organisation will ensure that internal policies and procedures are in place to deal with the rights of data subjects, and do so while meeting the strict deadlines that exist to provide a response. Especially when giving access to collected data, organisations need to ensure that they are only providing data that belongs to that specific subject, and not to any unauthorized third parties, which would likely constitute a data breach in most jurisdictions.
But how should data subject authentication be handled? Should you always ask for a copy of a passport or identity card? Or is simple confirmation of a name and date of birth sufficient? Neither the GDPR nor CCPA give explicit guidance on this issue. However, the GDPR does stipulate in Article 12(6) that, “where the controller has reasonable doubts concerning the identity of the natural person making [a data subject rights request], the controller may request the provision of additional information necessary to confirm the identity of the data subject.”
The Article implies that the organisation to which the request is directed, the data controller, could be satisfied that the individual making the request is who they say they are, based on the information in the request itself. Where the controller feels it needs additional information, it can request what it deems necessary to identify the subject. At the same time, organisations should bear in mind the general principles of data protection, including data minimization and the application of privacy by design and default. Why? Processing additional identity data, such as an ID card or a passport, could constitute a request for an excessive amount of personal data – beyond the scope of the data originally collected. It would likely contain more sensitive information and be potentially more harmful should a data breach occur. If you need additional information for authentication, ensure that it is the minimum amount and only what is relevant, so as to respect data minimization as well as purpose limitation and fairness.
Keep in mind, if you do choose to collect sensitive information, such as an ID or a passport number, you will need to protect it with effective security measures. In many cases these security measures will be higher than those needed for the original data collected, for example, a subject’s browsing and purchasing history. You may even need to conduct a DPIA (Data Protection Impact Assessment) before implementing such an authentication method.
Furthermore, if you make the authentication process too onerous, you could receive complaints for making the request process excessively difficult for the data subject. In other words, if you make it too difficult for data subjects to exercise their rights, you will infringe upon their right to reasonable access to their data.