
How to Verify User Identity for DSARs

The PieEye Team
Unlock the Secrets of Robust Identity Verification: Ensuring GDPR Compliance While Safeguarding Your Users' Data

GDPR compels businesses to respond promptly to DSARs (Data Subject Access Requests). Data controllers therefore need a robust process to verify the requester's identity before releasing anything, so that sensitive information is not lost, misused, or altered by handing it to the wrong person.

What is a DSAR?

Under Article 15 of GDPR, data subjects have the right to request a copy of any personal data of theirs that is being "processed" by a "controller" (i.e., an organization that processes their data). Any company that processes personal data should have a mechanism in place to verify user identity, both for security and so that requests can be handled efficiently.

Different Methods of Verification

Here are some strategies your organization can use to verify users while still complying with GDPR:

Test a User's Knowledge

To verify a requester's identity, ask questions based on the information your organization has about them:

  • Refer to the security questions a user answered when they created an account: "What street did you grow up on?" or "What is your mother's maiden name?"
  • Ask questions based on their basic personal data: birthday, address, phone number, or how they use your services. If you run an eCommerce store, for instance, you could ask about a recent purchase they made or the last four digits of their card number.

Check Account Information

If access to your organization's systems requires credentials, a person can establish their identity by demonstrating that they hold those credentials or control the contact details on file:

  • The individual logs in successfully to your app with the relevant credentials.
  • The individual makes the request from a verified business email address that matches the one your company has on file.
  • You ask the individual to enter a one-time password sent to the email address on file.

Use a Partner

The verification process can be outsourced, either in part or completely:

  • You could outsource only the identity verification while your organization handles the rest. Vet the agency carefully, since it will need access to a significant amount of your existing customer data, and plan for the coordination overhead of working with it.
  • If you outsource the entire process, be aware that some vendors themselves rely on third-party suppliers to perform identity verification for data access requests, which can complicate the process for your customers.


Conclusion

Regardless of the method, you must be able to demonstrate that every DSAR was handled in accordance with GDPR, backed by an audit trail that cannot be edited after the fact and that records the identity verification outcome as proof.

Why Identity Verification Matters for Your eCommerce Store

When a customer submits a DSAR, you're legally required to give them access to every piece of data you hold about them—purchase history, browsing behavior, email interactions, payment information, and more. If you hand over this data to the wrong person, you've just exposed your customer to identity theft and breached their trust.

For Shopify and BigCommerce stores, this is especially risky. Your customer database contains shipping addresses, phone numbers, and transaction history. If someone fraudulently requests this data by impersonating a real customer, you could face regulatory fines and lose customers permanently.

Identity verification protects both your business and your customers. It forces you to slow down, confirm you're actually speaking to the person who owns the data, and maintain clear documentation that you did your due diligence. When regulators audit your DSAR processes (and they do), they'll check whether you verified identity before releasing sensitive information. Weak verification looks like negligence; strong verification looks like a mature compliance program.

For DTC brands that rely on customer relationships, this is non-negotiable. Your reputation depends on keeping customer data safe.

Practical Verification for Different Customer Touchpoints

Your identity verification process should match where customers interact with you. If a DSAR comes through email, you can't use the same method as one submitted through your Shopify account.

Email requests: Send a one-time verification link to the email address associated with their account, or ask them to reply with specific information only they would know (last order date, product purchased, account creation year).

Account portal submissions: If you've built a self-service DSAR portal or integrated one with your Shopify store, require login with existing credentials. This is the strongest verification method because it proves they have access to the account.

Phone or chat requests: Verify the caller's identity by asking for account-specific details (order number, email address, phone number on file). Document the conversation with timestamps.

Third-party requests: If a lawyer or data rights platform submits the DSAR on behalf of your customer, ask for written authorization from the customer themselves. Some platforms like Osano or Transcend provide verification tokens—these are legitimate shortcuts when used correctly.

The key is consistency. Choose your methods based on your customer base and document which method you used for each request. If 80% of your customers reach you through mobile, prioritize mobile-friendly verification.
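The emailed one-time verification link described above, together with the audit trail the conclusion calls for, as an added example (not PieEye's code): tokens are single-use and time-limited, only their digest is stored, and every verification attempt is appended to a hash-chained log. The in-memory dictionaries and the customer record are constructed stand-ins for real storage.

```python
import hashlib
import json
import secrets
import time

# Constructed sample data standing in for the customer database and the
# token/audit tables; a real deployment would persist these server-side.
CUSTOMERS = {"cust-001": {"email": "alice@example.com"}}   # constructed
TOKENS = {}        # sha256(token) -> (customer_id, expiry timestamp)
AUDIT_LOG = []     # append-only, hash-chained verification records
TOKEN_TTL = 15 * 60  # a one-time verification link is valid for 15 minutes

def issue_verification_token(customer_id, now=None):
    """Mint a single-use token for the link emailed to the address on file.
    Only its digest is stored, so a leaked token table cannot be replayed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (customer_id, now + TOKEN_TTL)
    return token  # to be sent to CUSTOMERS[customer_id]["email"], never logged

def verify_token(customer_id, token, now=None):
    """Consume the token (first use only), check owner and expiry, and record
    the outcome in the audit trail whether it succeeded or not."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    ok = entry is not None and entry[0] == customer_id and now <= entry[1]
    record_verification(customer_id, "email_token", ok, now)
    return ok

def record_verification(customer_id, method, ok, ts):
    """Append a record whose hash covers the previous record's hash, so a later
    edit or deletion breaks the chain; anchor the newest hash off-system."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    body = {"ts": ts, "customer": customer_id, "method": method,
            "verified": ok, "prev": prev}
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(body)

def audit_log_intact():
    """Re-walk the chain; False means a record was altered, removed or reordered."""
    prev = "0" * 64
    for rec in AUDIT_LOG:
        body = {k: v for k, v in rec.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or expected != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Failed attempts are logged as well, because a regulator reviewing the trail will want to see rejected requests alongside the ones you fulfilled.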

Balancing Security with Customer Experience

Overly aggressive verification can frustrate legitimate customers. If your verification process takes 10 steps or feels invasive, customers may abandon the request or complain publicly.

Ask for the minimum information needed to confirm identity with reasonable confidence. For most eCommerce businesses, two data points (email plus last four digits of the card, or order number plus phone number) are sufficient. Avoid asking for passwords, full card numbers, or government IDs unless absolutely necessary.

Keep the process fast. Respond within hours if possible, and confirm identity within 24–48 hours. If you're outsourcing verification to a third party, check their turnaround time beforehand.

For a walkthrough of how PieEye handles GDPR compliance, book a demo.
