How to Securely Verify Identity for a DSAR Without Compromising Privacy
Author: Jerisaliant
Why Identity Verification Matters
Fulfilling a DSAR to the wrong person is a data breach. Sending someone's personal data to an impostor could expose the actual data subject to harm and trigger regulatory liability for the controller. At the same time, overly burdensome verification requirements can deter legitimate requesters from exercising their rights, which also violates GDPR.
The balance is clear: verify identity proportionately, collecting only what is necessary to confirm the requester is who they claim to be.
The Proportionality Principle
GDPR Recital 64 states that the controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services. The key word is "reasonable"—verification must be proportionate to:
- The sensitivity of the data being requested
- The risk if data is disclosed to the wrong person
- The existing relationship with the data subject
Verification Methods by Scenario
Existing Authenticated Users
If the data subject has an existing account with you, the simplest verification is to require them to submit the DSAR while logged into their account. If they contact you via email, match the request to the email address on their account.
Non-Account Holders
For data subjects without an account (e.g., website visitors tracked via cookies), verification is harder. Acceptable approaches include:
- Matching details provided in the request against your records (name, email, date of transaction, etc.).
- Sending a verification email or SMS to the address/number in your records.
- For sensitive data, requesting a government-issued ID (redacting unnecessary details like the photo or ID number).
Requests via Third Parties (Agents/Lawyers)
If someone submits a DSAR on behalf of a data subject (e.g., a lawyer or family member), verify both the agent's authority and the data subject's identity. Require written authorization from the data subject and verify it.
What NOT to Do
- Do not demand unnecessary documentation: Requiring a passport copy for a newsletter unsubscription request is disproportionate.
- Do not collect more data than you hold: If you only have someone's email address, do not ask for their home address to verify identity.
- Do not use verification as a barrier: Overly complex verification processes that discourage DSARs will be viewed as obstructive by regulators.
- Do not store verification documents longer than needed: Delete ID copies after verification is complete.
Digital Identity Solutions
Modern identity verification tools can streamline the process:
- Email/SMS OTP: Send a one-time password to the email or phone number on file.
- Knowledge-based verification: Ask questions based on information only the real data subject would know (recent transaction details, account creation date).
- Digital identity platforms: Integrate with identity verification services for high-risk scenarios.
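As an added example (not Jerisaliant's code and not part of the original article), here is one way to implement the email/SMS OTP check in Python. The class name, the `send` callback, the 10-minute lifetime and the five-attempt limit are assumptions; the code is sent only to the contact already on file, is held as a keyed hash, expires, and works once.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed validity window
MAX_ATTEMPTS = 5        # assumed guess limit before a new code must be issued


class DsarOtpVerifier:
    """Issues and checks one-time codes bound to a single DSAR request."""

    def __init__(self, contacts_on_file, send, clock=time.time):
        self._contacts = contacts_on_file    # subject_id -> address already in records
        self._send = send                    # hypothetical email/SMS delivery callback
        self._clock = clock
        self._key = secrets.token_bytes(32)  # per-process HMAC key
        self._pending = {}                   # request_id -> [digest, expires_at, attempts_left]

    def _digest(self, request_id, code):
        msg = f"{request_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, request_id, subject_id):
        """Send a code to the address on file, never to one supplied in the request."""
        address = self._contacts.get(subject_id)
        if address is None:
            return False  # nothing on file: use another verification method
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[request_id] = [self._digest(request_id, code), expires_at, MAX_ATTEMPTS]
        self._send(address, code)
        return True

    def verify(self, request_id, code):
        entry = self._pending.get(request_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[request_id]    # expired or locked out
            return False
        entry[2] -= 1                        # count this guess
        if hmac.compare_digest(digest, self._digest(request_id, code)):
            del self._pending[request_id]    # single use
            return True
        return False
```

Nothing beyond the contact details already held is collected, and the pending entry is deleted as soon as verification succeeds, expires or locks out.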
Jerisaliant's DSAR portal includes configurable identity verification workflows with email/SMS verification, knowledge-based challenges, and secure document upload for high-risk requests.