A practical guide to identity verification for DSARs

Identity verification for DSARs is essential to prevent unauthorised data disclosure and avoid unnecessary delays. 

To respond to DSARs in a compliant and effective way, organisations must strike a careful balance between two risks: sharing personal dataInformation which relates to an identified or identifiable natural person. with the wrong person and delaying or obstructing valid DSAR requests by asking for excessive or unnecessary identification, which could lead to poor user experience and complaints.  

The UK Information Commissioner’s Office (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) and EU data protection authorities make clear that identity verification should be reasonable and proportionate. However, applying this principle in practice is rarely straightforward. 

Based on common challenges in DSAR handling, this guide covers best practices for DSAR identity verification, including when ID is needed, what to ask for, and how to avoid common pitfalls. 

Key takeaway: Identity verification in DSARs is not a fixed processA series of actions or steps taken in order to achieve a particular end.. Organisations must take a risk-based approach, using reasonable and proportionate checks based on the context of each request.

• Regulator expectations for DSAR identity verification 
• Taking a risk-based approach 
• Verifying authority in third-party DSARs 
• When to delete identity verification documents 
• Best practices for DSAR identity verification 

What do regulators expect for DSAR identity verification?

UK and EU regulators expect identity verification to be reasonable and proportionate to the risk. 

In practice, this means: 

• Only requesting additional information where it is genuinely necessary to confirm identity 
• Avoiding unjustified barriers that delay individuals exercising their rights 
• Continuing to progress the request, even where ID verification is ongoing 

For organisations, this is less about following a rigid process and more about applying informed judgement. You’re not expected to carry out exhaustive checks, but you do need to be confident that the person making the request is entitled to receive the data.  

Read the UK Information Commissioner’s guidance 

Read the European Data Protection Board guidance 

How to take a risk-based approach to DSAR ID verification

A risk-based approach to identity verification starts with one question: what do you need to confirm the request is genuine? 

The answer depends on the context of the request, your organisation’s relationship with the individual, and the nature of the data involved.  

The level of identity verification should always match the level of risk involved. In practice, this typically falls into three main scenarios: no ID check is needed, alternative verification is sufficient, or formal ID checks are required. 

These are explained in more detail below:  

1. When is no ID check needed for a DSAR?

Where an individual’s identity is already known, additional verification may not be required. For example, an employee making a request in person or through an established internal channel. 

Introducing additional checks in these circumstances would be unnecessary and could be disproportionate.  

2. When is alternative ID verification sufficient for a DSAR?

Where there is uncertainty around a requester’s identity, you do not always need to request formal ID documents. In many cases, identity can be verified using information or contact methods already available.  

For example, if a request is received from an unfamiliar email address, you could: 

• Contact the individual using a known phone number  
• Send a message via internal systems (e.g. Teams or HR platforms)  
• Cross-check details, such as date of birth or address, against existing records  

These approaches are often quicker, less intrusive, and more aligned with a proportionate approach. For organisations handling high volumes of DSARs, relying on existing communication channels can also improve efficiency and reduce unnecessary administrative burden. 

Photo ID may be appropriate in certain situations, but it should not be the default. If you cannot meaningfully verify the document provided, it is unlikely to add value. 

3. When are formal ID checks needed for a DSAR?

Higher-risk DSARs require stronger identity verification.  

This applies where the risk of unauthorised disclosure is greater, and may include requests involving: 

• CCTV footage  
• Special category or sensitive personal data  
• Situations where individuals could be misidentified  

In these cases, a higher level of assurance may be required. Photo ID or additional checks may be appropriate to reduce the risk of unauthorised disclosure. 

Organisations should consider not just the identity of the requester, but the potential impact if the data were disclosed to the wrong person. 

How should organisations handle third-party DSARs and verify authority?

Data SubjectAn individual who can be identified or is identifiable from data. Access Requests submitted by third parties, such as solicitors or parents, require additional scrutiny because the organisation is relying on someone else’s authority to access personal data. This increases the risk of unauthorised disclosure if that authority is not genuine. 

Legal representatives should provide signed authority from the data subject. However, this should not be accepted automatically where there are concerns. If anything appears unusual or inconsistent, organisations should consider contacting the individual directly to confirm that they have authorised the request. 

Parents requesting data on behalf of children should be assessed on a case-by-case basis, particularly where the child is mature enough to understand their rights. Organisations should consider whether the child has capacity to make their own request. In these cases, the child’s consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. should be sought before disclosing their personal data. 

Importantly, authority to act should not be accepted at face value where concerns exist. Organisations remain responsible for ensuring that personal data is only disclosed to those who are entitled to receive it. 

How long should identity verification data be kept for DSARs?

Identify verification data should be kept only for the time required to confirm identity and manage the request.  

Under the General Data Protection Regulation (GDPR), personal data must not be retained for longer than necessary. This applies to ID documents collected for DSAR verification, which are often highly sensitive. 

Organisations should set clear retentionIn data protection terms, a defined period of time for which information assets are to be kept. periods and ensure ID documents are deleted once they are no longer needed. Some choose to delete ID immediately after verification, whilst others retain it for a short period to manage follow-up queries. Both approaches can be appropriate, as long as they are proportionate and can be clearly justified. 

When requesting ID documents, organisations must also be transparent. Individuals should be informed why the information is required, how it will be used, and how long it will be kept. Providing this clarity upfront helps build trust and reduces the likelihood of concerns or refusal to provide the information. 

Data retention under the GDPR 

DSAR identity verification best practices for organisations

To build a consistent and defensible approach to identity verification, organisations should:  

• Avoid blanket ID requirements
  Apply checks based on risk, not a fixed rule. Apply stronger checks where the impact of misidentification is greater.

• Only request information you can meaningfully verify
  Focus on data that can be matched against your existing records, such as a date of birth or address.

• Use existing communication channels first
  Verify identity through known contact methods where possible, such as a phone number held on file or via internal messaging systems. 

• Follow-up if you don’t receive ID
  The DSAR clock may be paused, but requests shouldn’t be ignored. If you don’t receive a response, follow up within a reasonable timeframe and consider alternative ways to verify identity. 

• Set and communicate clear ID retention rules
  Ensure ID is deleted once no longer required and communicate retention periods with data subjects. 

• Document your decision-making where needed
  Keep a short record of how identity was verified and why that approach was taken, particularly in borderline or higher-risk scenarios.  

Getting identity verification right can be challenging in practice. Our DSAR Response service provides expert support to help you manage requests effectively, apply a risk-based approach, and ensure personal data is disclosed securely. 

In case you missed it…

• How to explain AI-generated outputs in a DSAR response 
• How social communication channels impact DSARs 
• DSAR exemptions: When can information be withheld?