Trust but verify — what are we talking about here? Asking which of two pups tore apart the couch pillows? My teenager’s story of why they missed their curfew? An individual’s identity for a Data Subject Access Request (or individual rights request based on your privacy geography)? Or, maybe it’s a vendor’s claim of protecting your customer’s personal information. Some are easier to verify than others. Some may dig you deeper into the privacy hole than desired.
How can you verify identity in the privacy space, and when does the verification satisfy the need? There are going to be some bad actors that will be able to convincingly assume an individual’s identity, but for the everyday requests, will your process stand the test of time? For instance, the California Consumer Privacy Act (CCPA) grants consumers individual rights, in part, to access and correct their personal information. What is your organization doing to prepare? Have you considered any design elements that would facilitate such requests? If a consumer has an account with a retailer and is signed in, would that be sufficient verification to act on for an individual rights request? Should it depend on the type of data that’s being requested? Should additional steps be required if the data is considered sensitive?
If you haven’t started already, reviewing and developing processes and procedures to respond to access rights requests is critical in forming a compliant response and streamlining the process. If you need help determining your organization’s CCPA readiness, or what constitutes a compliant response, Privacy Ref can help.