April 30, 2020

How to use “Reasonable Means” to ensure you are dealing with the right person?

It is vital that no data is released, altered or deleted at the request of the wrong person or that consent is asked of the correct person.  To do so would be a data breach under the legislation – even you had thought the request came from the right person.

To be clear, only the person to whom the data relates, may make such a request (access, alteration, removal, challenge of automated decision making)  – no one else can make this required (other than when there is a legal responsibility  for that other person – such as with a Parent/Child situation or a Carer/disabled person situation).

Thus, it is your responsibility to ensure that you only take the appropriate response once you have identified the individual making the request.  The GDPR guidance states that organisations may use “Reasonable Means” to do this.  There are a range of potential approaches here.

The key is to ensure that you are proportionate to the scope of the request.

Thus, a request for access should be treated as less serious than a request or alteration or removal.

You might choose to have a copy of an identifying document (passport, driving licence, credit card statement, utility bill or whatever works – but with the subsequent responsibility for what you do with that document once it has been received).

There may be other ways that you have that relate the individual making the request to the individual to whom the data belongs – perhaps the individual’s activity history can be asked for and matched to the records, or a specific PIN or password can be used on an online form, perhaps there are staff members that know the individual – it is up the organisation.

You may have to ask for any additional documentation to be forwarded – this should be done as soon as possible once it is realised it is needed.  In this instance, the additional time required will delay the commencement of the timeframe until the time you receive that additional information.  This is something you should mention when you request the extra information so as to keep the individual informed.

Secure Business Data

We are here to help you secure your business data using cutting edge technology.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram