Saikali and Paine Explain the Catch-22 of GDPR's Subject Access Requests

Shook Partner Al Saikali and Associate Kate Paine have authored "Subject Access Requests and Identity Verification: Navigating a Data Controller's Catch-22" for Financier Worldwide. The article offers practical advice for how companies can respond to subject access requests, through which individuals can request data a company possesses under the EU's General Data Protection Regulation (GDPR). If an individual requests data, Paine and Saikali explain, the data controller must verify the individual's identity, but it must not request more identifying data than necessary.
"The keys to identity verification are the existence of reasonable doubt about the requester’s identity, and requesting only what additional information is 'necessary' – keeping in mind the GDPR’s bedrock principles of data minimisation and proportionality – and that can be obtained by 'reasonable measures,'" the authors explain. "Ensuring that the information requested, and the measures employed to obtain that information, are reasonable turns on a more nuanced context-driven and risk-based approach. In many situations, the most reasonable method of confirming the requester’s identity will be to use data already in the controller’s possession."