How to Verify Identity for GDPR Requests

The Reform Team

Verifying identity is a legal requirement under GDPR when handling data access, deletion, or correction requests. This ensures sensitive information is shared only with the rightful individual while protecting organizations from potential penalties and data breaches. Here’s what you need to know:

Why It Matters: Failing to verify identity can lead to fines, like the €12,000 penalty issued in Spain (2019) for improper handling of a request.
Key Requirements: GDPR mandates "reasonable and proportional" verification methods tailored to the sensitivity of the data and the requester’s relationship with the organization.
Verification Methods:
- Start with email or account-based checks for existing users.
- Use knowledge-based questions (e.g., transaction details).
- Request photo ID or proof of address only when necessary.
- For sensitive data, implement multi-factor authentication or secure portals.
Handling Representatives: Verify both the representative’s identity and their authority through signed permissions or legal documents.
Best Practices:
- Collect only the minimum data needed.
- Securely store and promptly delete verification records.
- Regularly review and update your processes to align with GDPR.

A balanced approach ensures compliance while maintaining user trust.

Identifying a Person's Identity for Data Protection

Understanding the identity verification requirements under GDPR is essential for organizations aiming to create processes that comply with the law while safeguarding both their operations and individuals' privacy.

Recital 64 of the GDPR emphasizes the need for controllers to verify the identity of individuals making data requests:

"The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers."

This obligation is particularly critical in digital settings where face-to-face verification isn't feasible. However, GDPR also prohibits controllers from retaining personal data solely for the purpose of potential future requests.

These legal requirements highlight the importance of striking a balance between effective verification and respecting individual rights.

Reasonable and Proportional Verification

GDPR mandates that any identity verification process must be necessary and proportionate. This means organizations must ensure that the verification method is justified based on factors like the sensitivity of the data, potential risks, and the existing relationship with the individual.

During verification, only collect the minimum amount of personal data required. For instance, a case involving DPG Media revealed that asking for copies of official identification documents can be excessive when simpler methods - like email verification or confirming subscription details - are sufficient.

Types of Data Subject Requests

The level of verification needed depends on the type of request being made. Different GDPR requests require varying degrees of scrutiny based on the sensitivity of the data and associated risks:

Access requests: These often require moderate verification since they involve sharing personal data. Accounts containing sensitive information, such as financial or health data, may call for stricter measures than basic accounts.
Rectification requests: These typically need lighter verification as they focus on updating information rather than disclosing it. However, ensuring the requester’s identity is still crucial.
Erasure requests: Stronger verification is usually necessary here, as deleting data is irreversible and could lead to significant consequences if the request is fraudulent.
Data portability requests: These generally require robust verification, as providing structured, machine-readable data could expose valuable information if mishandled.

The UK's Information Commissioner's Office provides clear guidance:

"You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester's identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual."

This advice underscores that existing relationships often reduce the need for extensive identity checks. In cases where doubts remain, organizations may request additional proof, such as a photo ID and proof of address. However, such measures should only be used when absolutely necessary and justified by the circumstances.

Methods for Verifying Data Subject Identity

When handling GDPR requests, organizations need reliable ways to confirm the identity of individuals. The chosen methods should align with GDPR's security standards and be proportionate to the level of risk involved.

Standard Verification Methods

The simplest and most effective way to verify identity often starts with existing account data. This method reduces unnecessary privacy intrusions while meeting GDPR standards.

Email verification is a straightforward option. For instance, a recent decision by the Dutch DPA highlighted email verification as a GDPR-compliant alternative to requesting formal documents.

Another approach is knowledge-based verification, where individuals confirm details unique to their account or transaction history. This could include verifying subscription details, usernames, or other account-specific information. The ICO recommends asking for information like a nickname or other details only the individual would know.

If these lighter methods prove insufficient, organizations may request photo identification (e.g., passports, driver’s licenses) and proof of address (e.g., utility bills). However, this should only be done when there’s a genuine need to confirm identity. The ICO advises against requesting formal ID unless absolutely necessary and encourages exploring less intrusive methods first.

When collecting copies of documents, ensure they are logged securely and destroyed immediately after verification.

For cases where standard checks don't suffice, digital and multi-factor methods can provide additional security.

Digital and Multi-Factor Verification

When basic methods fall short, digital tools can enhance the verification process. Secure customer portals allow individuals to log in with established credentials, often providing sufficient proof of identity for many requests, especially for existing customers or employees.

Multi-factor authentication (MFA) offers an extra layer of security by combining something the individual knows (like a password), something they have (such as access to an email or phone), or something they are (e.g., biometric data). This is particularly useful for high-risk scenarios or sensitive data requests.

Digital verification tools can also streamline the process. These might include secure online forms that integrate with existing systems, automated email workflows, or customer authentication portals to track verification progress.

Verifying Authorized Representatives

When a request comes from an authorized representative rather than the data subject, additional steps are necessary. It’s crucial to verify both the representative’s identity and their authority to act on behalf of the individual.

Standard authorization requirements often involve a few key steps:

The consumer provides the representative with signed permission.
The consumer verifies their identity directly with the business.
The consumer confirms they authorized the representative to make the request.

In power of attorney cases, specific legal considerations apply. For example, when a representative holds power of attorney under Probate Code sections 4000 to 4465, some standard verification steps may not be required.

Required documentation typically includes proof of the representative’s identity, evidence of their authorization (e.g., signed permission forms, power of attorney documents, or court orders), and, when possible, direct confirmation from the data subject.

If a representative fails to provide adequate proof of authorization, the business may deny the request. In such cases, the denial should be communicated directly to the data subject.

As with direct verification, the level of documentation required for representatives should reflect the sensitivity of the data and the risks associated with the request.

Up next, we’ll outline a step-by-step guide to implementing these verification methods effectively.

Step-by-Step Identity Verification Process

A well-organized verification process is crucial for meeting GDPR standards while safeguarding your organization and the individuals whose data you handle. Every step aligns with GDPR mandates, helping create a secure and auditable system. According to GDPR guidelines, data controllers must take reasonable measures to confirm the identity of anyone requesting access to their data, especially in online environments. Here’s how to manage this process effectively.

Receiving and Reviewing the Request

When you receive a GDPR-related request, start by creating a detailed record. Immediately acknowledge the request by sending a confirmation that includes a reference number, the date you received it, and an estimated timeline for your response.

Carefully review the request to ensure it includes enough information to proceed. Make sure the requester has clearly stated the data they’re seeking and provided some initial identifying details. Prompt action is essential to meet GDPR's strict response timeframes.

Log all relevant details, such as how the request was received (email, web form, postal mail) and your initial assessment of the requester’s relationship with your organization. Keeping a thorough record is essential for compliance audits.

Choosing the Right Verification Method

The verification method you choose should depend on the sensitivity of the data requested and your existing relationship with the individual. Where possible, rely on information already in your system.

For current customers or users, start with the least intrusive option. For example, if someone has an active account, methods like email verification or account-based authentication are often sufficient. Always prioritize using existing data for verification to avoid collecting unnecessary information.

Tailor your approach based on the requester’s history with your organization. A long-term customer with a detailed transaction record may require a different method than someone who only signed up for your newsletter. The process should match the complexity and sensitivity of the data involved.

A 2019 study by Oxford University revealed gaps in verification practices: 24% of organizations relied solely on email addresses and phone numbers for identity confirmation, while 16% requested identification that could easily be forged.

Once you’ve selected the method, clearly explain the next steps to the requester.

Explaining Verification Requirements

Being transparent about the process builds trust and aligns with GDPR’s fairness principle. Clearly outline the information needed and why it’s required. Explain how the chosen verification method fits the type of data being requested.

If email verification is used, provide a step-by-step guide. For document-based verification, specify acceptable formats and how to submit them securely.

Set clear expectations about timelines. Let the requester know how long the verification process typically takes and when they can expect to receive the requested data after their identity is confirmed.

Reviewing and Confirming Identity

Use consistent criteria to evaluate submitted materials. For knowledge-based verification, ensure the questions are specific and relevant, avoiding overly obscure details.

For document-based verification, check that the materials are clear, complete, and match the information in your records. If necessary, use digital methods like secure portals or multi-factor authentication, following established security protocols. Confirm that the requester has access to the communication channels (e.g., email or phone) linked to their account or request.

If identity verification fails, deny the request in writing. Provide a clear explanation of why verification was unsuccessful and offer guidance on how they can provide additional proof of identity.

Recording the Verification Process

Document every step of the process to demonstrate compliance. Keep a log of all DSAR responses, including the verification method used, the completion date, the reviewer’s name, and the outcome.

Record any challenges and how they were resolved. If additional documentation was needed, note what was requested, when it was received, and how it was assessed.

Track the entire timeline, as GDPR requires a response within one month, with a possible extension to two months under specific circumstances. Detailed records can justify any delays as reasonable and necessary.

Store these records securely, ensuring they’re accessible for compliance audits. At the same time, adhere to GDPR’s data minimization principle by keeping only the information necessary to prove compliance.

This structured approach not only meets GDPR requirements but also ensures the secure and compliant handling of data access requests, protecting both your organization and the individuals you serve.

sbb-itb-5f36581

Reform

Reform simplifies GDPR identity verification with its no-code form builder, making it easier to handle data subject requests securely and efficiently. With Reform, you can create a verification system that safeguards sensitive data while also cutting down on administrative work. Here’s how Reform’s features can enhance every aspect of GDPR identity verification.

Building Secure Verification Forms

Reform provides the tools to design GDPR-compliant forms tailored for data subject requests. Its drag-and-drop interface lets you quickly create secure verification forms. With SSL/TLS encryption, all data transmissions remain protected, while built-in spam filters block fraudulent submissions. Reform also includes email validation to ensure submitted addresses are accurate. You can customize these forms to match your brand, helping to build trust with users.

Using Conditional Logic for Smart Verification

Reform’s conditional routing feature allows you to create dynamic forms that adapt based on user responses. For instance, if a user can’t be verified with basic account details, the form can automatically request additional documentation. A current customer might be prompted to provide their account number or recent transaction details, while a former customer could be asked for identification documents. This step-by-step approach simplifies the process while ensuring all necessary information is collected for proper identity verification.

Conditional logic also helps route specific requests to the right team. For example, access requests can go directly to the data protection team, while deletion requests might be forwarded to both legal and technical teams. Beyond this, Reform integrates seamlessly with privacy and CRM systems, centralizing compliance data for smoother operations.

Connecting with Privacy and CRM Systems

Reform’s integration options ensure it works effortlessly with tools like Close CRM, HubSpot, Google Sheets, and Zapier. These connections enable automated data flow and thorough record-keeping. For example, when integrated with Close CRM, Reform can automatically add verified individuals to your system and enrich their profiles with form data. Custom field mapping ensures verification details are organized and stored correctly for compliance audits.

With HubSpot, contact records are updated with verification status and request details, allowing you to trigger automated workflows such as confirmation emails or alerts for pending requests. Each form submission is saved as a single database row, making it easy to maintain accurate records and generate compliance reports. Additionally, webhook support allows Reform to integrate with specialized privacy tools or custom systems, fitting seamlessly into your existing GDPR workflows. Google Analytics integration offers insights into how users interact with your forms, helping you identify and resolve any bottlenecks.

Starting at $15/month, Reform’s plans include unlimited responses, conditional logic, team access, and file uploads - perfect for managing large volumes of verification requests. By combining secure form design, smart conditional logic, and seamless integrations, Reform helps create a strong and compliant GDPR identity verification process.

When it comes to GDPR identity verification, the goal is to strike the right balance between security, compliance, and user experience. Following best practices not only reduces risks but also helps maintain trust. The key is to implement verification measures that are effective and protective without being overly burdensome.

Collecting Minimal Data and Securing Information

A cornerstone of GDPR is data minimization. According to Article 5(c), personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". This principle directly shapes how organizations should approach identity verification.

"Individuals should clearly specify the required information, and proof of their identity should only be requested where reasonable... Controllers should only request the minimum amount of further information necessary and proportionate in order to prove the requester's identity." – Data Protection Commission

In practice, this means organizations should only ask for identity proof when there’s a legitimate reason to doubt the requester's identity or when sensitive data is involved. For customers with an established relationship, additional verification steps may not always be required.

Once verification data is collected, it’s critical to apply security measures that match the level of risk. This includes encrypting sensitive data, restricting access to authorized personnel, and setting clear retention policies for how long verification records are kept.

Failing to adhere to these principles can lead to serious consequences. For example, in 2024, SAF LOGISTICS was fined €200,000 by the CNIL for collecting excessive data during recruitment processes. This serves as a reminder of the risks tied to unnecessary data collection.

As threats and regulations evolve, organizations must regularly update their verification procedures to remain compliant and secure.

Updating Verification Procedures

GDPR compliance isn’t a one-and-done process - it requires ongoing effort. Regular security audits are essential for identifying weaknesses in verification systems. These audits should examine methods used for verification, how data is stored, and whether staff are adequately trained.

To strengthen security, organizations can implement advanced verification methods like multi-factor authentication, knowledge-based questions, or even biometric verification when it’s appropriate.

Recent enforcement actions emphasize the importance of staying up to date. In November 2024, the Dutch Data Protection Authority fined a streaming service €4.75 million for failing to provide clear details about data retention and security measures in its privacy statement. Similarly, a ride-sharing app faced a €290 million fine for transferring personal data without proper safeguards.

Another critical step is conducting regular data reviews to identify outdated verification information and securely delete it. This aligns with GDPR’s storage limitation principle and minimizes security risks.

Balancing User Experience and Compliance

While ensuring security and compliance is critical, the user experience should not be overlooked. A well-designed verification process can build trust, encourage legitimate requests, and discourage fraudulent ones.

Transparency plays a big role here. Organizations should clearly explain why verification is needed, what information is required, and how long the process will take. Privacy statements must also accurately describe how data will be processed and stored.

The verification process should be tailored to the type of request. For instance, basic account updates might only need simple authentication, while requests for sensitive data could require additional steps. Using conditional logic to create dynamic verification flows can help ensure the process is proportionate to the situation.

Access controls are equally important. Only employees with a legitimate need should have access to verification data, and all access should be logged for auditing purposes.

Finally, organizations should continuously review their procedures to eliminate unnecessary friction. Monitoring metrics like completion rates, user feedback, and processing times can help refine the process, making it secure yet accessible for legitimate users.

This guide has explored the key components of secure GDPR identity verification, emphasizing the balance between meeting legal obligations, maintaining robust security, and delivering a smooth user experience.

The stakes are high for non-compliance, with potential fines reaching up to $21.6 million or 4% of annual global turnover, whichever is greater. Beyond the financial risks, weak verification processes can undermine customer trust and leave organizations exposed to data breaches.

To meet GDPR standards, organizations should focus on three core principles: collecting only the data that’s absolutely necessary, implementing strong security measures, and clearly communicating the purpose of verification. As highlighted by the ICO:

"You should not request more information if the requester's identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual".

The GDPR also encourages a proactive approach by embedding security and privacy into the foundation of organizational practices. This philosophy ensures that every step of the verification process aligns with compliance requirements.

Verification processes should be tailored to the level of risk involved. For simple updates, basic authentication may suffice, while sensitive requests might require additional layers of verification. Tools like Reform can simplify this by using conditional logic to create dynamic, situation-specific verification flows.

Modern solutions make secure verification more accessible. Features like email validation, multi-step forms, and secure CRM integrations streamline identity confirmation. Reform also enhances security with built-in spam prevention and real-time analytics.

Sustained GDPR compliance requires more than just tools - it demands ongoing effort. Regular audits, staff training, and process reviews are critical to maintaining effective verification systems. Assigning dedicated staff to oversee these processes ensures they remain aligned with evolving regulations.

FAQs

Failing to properly verify identity under GDPR isn’t just a compliance misstep - it can have serious consequences. Organizations risk fines of up to $23 million or 4% of their global annual revenue, whichever is greater. But the impact doesn’t stop at financial penalties. Non-compliance can trigger legal battles, interrupt operations, and tarnish your organization’s reputation.

On top of that, neglecting GDPR requirements can erode customer trust, making it tougher to keep existing clients and win over new ones. A robust identity verification process isn’t just a legal necessity - it’s a way to safeguard your business and preserve your credibility with customers.

To ensure identity verification aligns with GDPR requirements, organizations must focus on secure and trustworthy authentication methods. This means using tools like multi-factor authentication (MFA), obtaining clear and explicit consent from users, and keeping thorough records of all identity verification activities.

Conducting regular audits of data access procedures and utilizing centralized identity management systems can further reinforce compliance. Staying up-to-date with any changes to GDPR rules is equally important, enabling you to adjust your processes as necessary to meet new standards.

If someone files a GDPR request on behalf of another person, it’s crucial to confirm both their identity and their legal authority to act on the data subject’s behalf. Begin by asking for proof of authorization - this could be a power of attorney or a signed authorization letter. Next, verify the identity of the data subject through reasonable methods, such as checking a government-issued ID. These precautions ensure the request is valid, protect personal data, and align with GDPR compliance standards.