“I’m going to need to see some ID for that.” The words that strike fear into every teenager attempting to buy cigarettes and alcohol. But as a recent enforcement action by the Dutch regulator shows, it’s not an approach that works as well for data protection.
Earlier this month, the Dutch DPA fined a media company EUR 525,000 for requiring individuals to provide a copy of their identity document when making a request to access or delete their personal data. This practice was disproportionate and involved excessive collection of data, the DPA said. By my reckoning, this is the third GDPR fine relating to requesting ID verification.
Recital 64 of the GDPR allows the controller to use “all reasonable measures” to verify the identity of data subjects, and regulatory guidance makes clear that there are cases where requesting ID will be reasonable. The challenge for organisations is that exercising GDPR rights in respect of the wrong individual will usually be a personal data breach, so wanting to be sure who you’re dealing with — i.e. by requesting visual ID — is understandable. That’s made harder for multinationals that take a global approach to verification and implement the strictest approach across the board (e.g. matching multiple data points under the CCPA).
There’s no one-size-fits-all approach here, but the following pointers may be helpful in considering how you think about and operationalise this aspect of your compliance programme:
- Ask for enough information so you can be satisfied that you know the identity of the requestor, being reasonable and proportionate in what you ask for.
- Where possible identify individuals based on information you already have — for example, asking them to respond to a registered email or provide confirmation of their last purchase.
- Avoid blanket verification requirements. An employee shouldn’t need to provide ID to access their data, whereas it would be more reasonable to ask for more information in the context of a request from a patient to delete their sensitive health data.
- If you do reasonably need to collect an ID document or additional information, make sure that the requesting individual understands (i) why it is needed, (ii) that it will be used only for the purpose of verification, and (iii) that it will be deleted promptly once that process is completed.
‘You cannot require a copy of an identity document without good reason for doing so. Identity documents include a lot of personal data. Even if parts are redacted, it will often be disproportionate to require a copy of an identity document in order to confirm that a person really is who they claim to be.'