How to Verify a User’s Identity During a DSAR
Customers submit data subject access requests (hereafter DSARs) for one of several reasons:
- To see what data you’ve collected on them
- To update or correct any mistakes in the data
- To delete data they no longer wish you to have
- To move their data from your company to another
- To remove their data from your systems
But regardless of the reason, one thing about DSARs never changes: the importance of keeping the data in question private. Obviously, this means your company needs a secure data storage method, access control, solid anti-hacking measures, and other measures to ensure the data isn’t stolen. But don’t stop there. To prevent someone’s private information from going to the wrong person, your organization needs to take care to verify the user’s identity before any information changes hands. Let’s look at a few ways to do this.
Confirming the Receipt of the Request
One of the first steps in managing a privacy request is to confirm receipt of the request to the user. This official confirmation lets the user know that their request has been received and is being processed. A simple message such as, “Thank you for reaching out to us. We have received your privacy request and are working on processing it” can be used to acknowledge receipt of the request. More importantly, this message will also alert the user if someone requested their data without their knowledge and will allow them to stop it.
2 Different Methods of Identity Verification
Verifying the user’s identity is a crucial step in the privacy request process. The two most common methods for verifying a user’s identity: using the device or inbox associated with the user’s identity, or using known points of information about the user. We’ll take a quick look at both.
Inbox Verification
To verify a user’s identity using the device or inbox associated with the user’s identity, the business can send an email to the user and ask them to reply from the same email address to confirm their ownership of the device or inbox. For example, if a user requests access to or deletion of their data for john.smith@gmail.com, the business can send an email to this address and ask the user to reply from the same email address to confirm their identity.
Known Points of Information Verification
In cases where greater caution is necessary, businesses can use a set of fixed questions to verify the user’s identity. For instance, an e-commerce business can ask the user to confirm information only the correct person would know, such as the date and dollar value of their last order. Businesses can also use pre-established security questions or passcodes provided by the user.
Confirming Successful Identity Verification
Once the user’s identity has been successfully verified, the business can confirm that processing of the privacy request will continue. A message such as, “Thank you for confirming your identity. We will now proceed with processing your privacy request” can be used to confirm successful identity verification. This final message also gives the user one more chance to correct any mistakes before the DSAR proceeds.
Prioritizing Identity Verification During a DSAR
These extra security measures may seem unnecessary to some businesses or users, but these approaches are the best ways to prevent someone’s private data from falling into the wrong hands. Users that recognize this will appreciate your caution. By showing them that you prioritize their privacy, your interactions with them throughout the DSAR process will be positive and professional.
Interested in making your DSAR approach faster, safer, and more efficient? Get in touch with us today.