The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: How Far Can I Go TO Validate The Identity of An Individual Making a Data Subject Access Request?

Answer: The Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each European Union Member State, the European Data Protection Supervisor, and the European Commission) has confirmed that there are no specific requirements in the GDPR on how to authenticate a person that requests information about themselves and companies are required to establish procedures to ascertain the identity of a requestor to ensure that they do not accidentally disclose personal data to the wrong person.1

It is a balancing act. On the one hand, you need to be satisfied as to the identity of the individual making a request; if you are unable to satisfy yourself and you have reasonable doubts, Article 12(6) of the GDPR provides that you can request further information to confirm their identity. On the other hand, you should only be asking for sufficient information to allow for identity verification (and nothing more).

In the UK, the Information Commissioner's Office has published a 'Subject Access Code of Practice' which provides guidance on (amongst a multitude of other things) how you can go about confirming a requester's identity. In short, you must act reasonably in asking only for enough information to judge whether the person making the request is the individual to whom the personal data relates. What is reasonable may be circumstance specific. For example:

  • If you receive a written request from a current employee you know personally, a phone call may be sufficient to satisfy yourself of the identity of the requester. It would likely be unreasonable to ask them for additional proof of identity.
  • If you receive a written request by email, and in that email the requester provides an address which does not match the address you have on record, it would be reasonable to confirm another detail which you hold on record.

The means by which the request is delivered may also affect your decision about how far you need to go to confirm the requester’s identity. For example, if a request is made from an email account with which you have recently corresponded with the requester, it may be reasonable to assume that the request has been made by the requester. On the other hand, if the request is made via a social networking website or on blank letter paper, it may be more prudent to check whether it is a genuine request.