How to Comply with the GDPR’s Identity Verification Requirements
Although there are many facets of the GDPR, this article focuses on the “Right to Be Forgotten”, the “Right to Access” one’s own personal information, and the “Right to Correct” that information, as well as the obligations of businesses to verify that persons exercising these rights are who they claim to be.
The GDPR’s “Right to Be Forgotten” or “Right of Erasure”
The GDPR refers to identifiable natural persons who are in the EU or EEA as “data subjects”. Under Article 17 of the GDPR, “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
This means that customers who are in the EU or EEA have the right to compel businesses to delete personal information collected about them upon request. This deletion must be completed within one month of the date of the request, absent extenuating circumstances.
Under Article 17 and its “right to be forgotten,” personal data held by a company must be deleted if:
- The data is no longer needed for its intended purpose
- The data subject withdraws consent
- The data subject raises a legitimate objection about how the data was processed
- The data is determined to have been collected or processed illegally
- The laws of an EU Member State require the data to be erased
- The data is subject to GDPR Article 8’s rules about personal data of children
The consequences of failing to comply with such a request can amount to serious fines and penalties under the GDPR.
Why Was This Needed?
For decades, businesses with an online presence were able to do almost anything with regard to the collection, storage, and sharing of their customers’ information.
For example, a BBC story about a man whose personal financial information from a less fortunate time in his life kept appearing in web searches about him, even though he had long since recovered from his financial difficulties, highlights how retaining out-of-date and irrelevant information can be damaging.
Yet, prior to GDPR, there was no mechanism in place to avoid these unfortunate circumstances. GDPR is an attempt to limit what businesses can do with customer information, and to shift the power of information back towards the customer.
If there were any question as to whether there was a call for such a law, the fact that Google has received removal requests covering almost 2.5 million URLs since the GDPR went into effect in May of 2018 should sufficiently answer it.
What Data Needs to be Removed?
Proper compliance with a customer’s right to be forgotten requires understanding where and how you may have used the information, as well as which third-party vendors you might have shared it with.
The nature of a business relationship with the information is crucial. Are you a data controller or a data processor? The controller collects the data and decides how the information is used. The data processor is tasked by the data controller to process the information in whatever form that may take. Although these can be separate entities, the data controller is generally responsible for any actions undertaken on its behalf by the data processor.
That said, where noncompliance results from the actions of both the data controller and the data processor, both the controller and the processor could be fined.
The best way to avoid noncompliance is to have meticulous data management practices and procedures – i.e., organization and tracking of what customer data your business collects and stores, where it is, the purposes for which it is used, and where and when it may have been sold or otherwise shared.
Additionally, businesses should have a method in place for the easy and systematic deletion of that data. Regular audits are advised to make sure the company is always aware of exactly what information it possesses. The deletion of information can be a deceptively involved process, especially in a timeframe as short as one month.
The GDPR’s “Right to Access” and “Right to Correct”
Under Article 15 of the GDPR, consumers have “the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”
Stated differently, persons in the EU or EEA must be allowed access to personal data that has been collected pertaining to them.
Moreover, it entitles such persons to information not just on what was collected, but also on the purpose for which it was collected, the categories of data being processed, the recipients (including whether any of them are in third countries), how long the data is expected to be stored, and whether the data has been used in automated decision-making such as profiling.
Similarly, customers in the EU or EEA also have the right to correct or “rectify” their information. More specifically, Article 16 of the GDPR allows customers to require a company to correct any mistakes or incompleteness in the information a company has about them.
Why is this needed?
You may be questioning the necessity of a separate provision for accessing information when it can be deleted upon request. As it turns out, there are a few scenarios where merely obtaining the information is preferable to deleting it outright.
The biggest reason is that deletion may just be an unnecessary step. A customer might just be curious about what information a business has retained about them over a period of time.
On the other end of the spectrum, customers may want to make sure the data that the company has about them is accurate and complete.
The point is, it’s the customer’s data and GDPR empowers them to regain a large degree of agency over it.
How does it work?
Too often, companies have made it difficult for customers to retrieve information that the company has regarding them, especially once the company already has their money. GDPR is designed to rewrite that narrative.
To get the process started, a customer need only send a subject access request (SAR) to the entity that collected the data. This can be done using pretty much any modern form of communication, so long as it leaves a paper trail.
The GDPR provides companies with only one month to respond to the request barring extenuating circumstances.
Just as with requests to delete or erase information, companies should develop action plans so that they are not scrambling when a request for access or correction arrives.
The Problem of Fake and Fraudulent Requests
Another important aspect of complying with these obligations under the GDPR is the verification that the request is actually coming from the true person.
There is a very real concern of fraudulent requests from bad actors, who might use a customer’s data for nefarious purposes. Equally troubling are nuisance requests from impostors that would harass companies with fake requests, wasting valuable time and resources. These fake claims could not only harm the customer and the company, but, in the case of requests to delete or correct information, could also compromise the quality and accuracy of the company’s data.
Taking a GDPR request at face value, with no steps taken to verify the identity of the requester, could lead to serious problems. The need to verify whether the requests are authentic is paramount.
Under the GDPR, the company “should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.” In addition, the GDPR also specifically provides that a company may “request the provision of additional information necessary to confirm the identity of the data subject.”
Applications like Konfirmi provide solutions to verify the identity of the person claiming to exercise their rights under the GDPR. For example, these apps allow both small businesses and large companies to use multi-factor authentication to make sure the person making the request is who they claim to be.
In this way, these applications can both stop fraudsters and discourage harassers.
For businesses that have customers who may be in the EU or EEA, noncompliance is not a viable option. The GDPR sets clear guidelines with clear punishments.
However, with the proper planning and operational foresight, companies can bring themselves into compliance quickly and easily.