Identity Verification and GDPR share an important relationship with each other


Ever since May 25, 2018, the turning point that was the launch of the GDPR policy, businesses have had to make a lot of changes in the way they do business. Post the launch of the GDPR policies, there is an ever increasing need to push the power concentration from the enterprise’s needs to the customer needs.

The launch of GDPR might have been well planned; however, businesses and organizations went head-on into the darkness, without preparing for what was in store. For many companies, the virtual world has become an indispensable selling ground to reach their customers.

Keeping this thought in mind, companies are faced with the imminent needs of establishing trust, especially with the need of connecting a person’s online identity with their real-world identity. But this kind of Identity verification comes with its own set of rules and regulations. Even if companies are outsourcing these roles, certain rules must be followed at all times.

What role does GDPR have in the world of ID verification?

GDPR acknowledges the fact that consumer data needs to be protected while the customer’s digital identity is equally important. ID verification providers are under liability to secure the information procured, while at the same time making this information clear, concise, easy to understand and transparent to the host.

Once personal information has been obtained, the ID verification company has a responsibility to let the consumer know how his/her information will be used going forward. Will their data be deleted, stored or used for further analysis? If the information is stored, how will it be leveraged? Where will it be stored, how will it be used, etc.? While these questions might not seem particularly relevant, the importance of this is manifold as customers have the right to know the status of their personal data.

Questions to ask your data processor for ID verification

Per GDPR, businesses that have outsourced their ID verification activities are considered data controllers. per this directive, since the vendor is a third party in possession of customer data, it becomes equally important for companies to choose their verification vendors carefully. Such vendors are known as data processors, simply because they are involved with the data processing for data controllers.

Most of the time, online verifications are carried out by using well planned algorithms. However, given the use of technology in this domain, a lot of questions have been raised about the authenticity and transparency of this data, which leaves customers in doubt about the use and safety of their data. Many automated solutions have little or no manual intervention, which causes enough doubts around its veracity.

Under GDPR, an individual has the right to request information around the reasoning behind automated decisions as they pertain to the individual’s data. For example, such transactions can be aimed at questioning the automated logics, which could be aimed at granting or denying credit on a credit card account, or even the work performance assessment.

These data controllers have to be able to address the individual’s request and provide the information within 30 days. Failure to address the request in the stipulated time period might result in heavy fines for the data controller and data processor alike.

Does the data controller use GDPR compliant Machine Learning models?

In order to gain efficiency in a model, many data controllers often use various customers’ data to develop their Machine Learning models. However, GDPR limits the use of customer information to develop such models. As an added security measure, these models must also incorporate data privacy and security within every stage to process the data effectively.

In order to remain compliant, here are some key questions to ask your data processors:

  • Are the ID verification procedures based on Machine Learning algorithms?
  • If yes, how is each model created? For example, does the same model cater to all customer needs, etc.?
  • Post the implementation of GDPR, what changes will need to be made in these models?
  • What security is provided to the data centres, where customer data is stored?

Is there a data breach intimation policy in place?

As per the GDPR policies, there is an immediate need for the data processors to make the data controllers aware of any data breaches. Many ID verification vendors lack the required, tried and tested processes for intimating the data controllers of any data breaches. Customers, on the other hand, should have the required assurance that they would be notified of any data breaches in a timely manner. On the contrary, data controllers are required to know how their data processors have tested their data breach intimation policies. If such policies don’t exist, then the vendors can often end up in trouble.

How is personal identifiable information (PII) encrypted and protected from hackers?

Per Chapter 4 – Section 2 – Article 32.1 of the GDPR Act, controllers and processors must have appropriate measures in place to ensure the safety of their stored data, which includes the likes of pseudonymisation and encryption, thereby safeguarding confidentiality, auditing/testing and data access.

Through proper data encryption, the chances of a breach are reduced drastically. As a data processor, it is important to develop and build trust through regulated statuses, coupled with thorough testing. In lieu of this, solution providers are required to address how data is captured, transmitted and encrypted.

Symbiotic relationship between processors and controllers

Data processors or ID verification processors play an important role in the verification procedures. It starts with the comparison between online identities of customers with real life identities. Online ID verification procedures are extremely important and need to be planned in elaborate detail to ensure maximum safety for customers’ data.