Robert Baugh, Founder & CEO of Keepabl, says, ‘Digital ID is rapidly becoming the hot topic in Privacy. Not only did GDPR effectively bring age verification onto the statute books and increase awareness of data subject rights, the lockdown has accelerated digitalisation and remote working, making it more important that you’re confident you’re dealing with the right person. W2 is a leader in this field, with a simple API-driven service. I’m delighted to welcome W2 into the Privacy Stack!’
Warren Russell, W2 CEO & Founder, adds, ‘GDPR has effectively promoted digital confirmation of identity, and age, from just affecting certain regulated industries to being a key requirement for any organisation dealing with consumers, handling data subject rights, and offering online services to children. So we’re delighted to join the Privacy Stack and to promote awareness of digital identity solutions as part of GDPR compliance with Keepabl.’
Identity & GDPR
Identity is a core concept in data protection law, in particular for the General Data Protection Regulation, or GDPR, in the UK and the EEA. And Digital ID, in particular, is a key conversation in Privacy, Security, Fraud and related compliance and risk areas in today’s digital world.
Financial Services is perhaps the obvious industry where Identity has a clear importance – KYC (know your customer), AML (anti-money laundering), and measures against financial fraud are well-known areas where heavy lifting is required to prove clients are who they say they are. Technology such as W2’s API-driven solution takes that heavy lifting off the shoulders of over-worked compliance teams.
Industries such as Health and Gaming also have their own regulatory reasons to be super confident of the identity of the person they’re talking to. But GDPR made Identity mainstream, in at least two areas: age verification and data subject rights, or DSRs.
GDPR effectively put age-verification into law for any organisation in any industry that provides ‘information society services’ (pretty well anything online whether provided for free or not) to children.
EU GDPR first states that you can only rely on a child’s consent, for the offer of such services to them, where the child is at least 16 years old (the ‘Relevant Age’). Below that Relevant Age, you need the person with parental responsibility for that child to give or authorise that consent.
But the EU GDPR then gives Member States the power to reduce the Relevant Age down to 13, and many EEA Member States have decided to do just that – to different ages. Before Brexit, for example, the UK set that age at 13 and this is now codified in the UK GDPR.
So, if you provide information society services to children in or across the EEA and the UK, you first need to confirm the age of the person you’re dealing with, so that you can make sure you get the right consent.
The UK ICO’s guidance, Children & the GDPR, provides more on this, including in its summary checklist that you use ‘appropriate technology’ and ‘make reasonable efforts’ to verify age and that the person has parental responsibility.
Data Subject Rights
GDPR also raised public awareness of individuals’ rights to ask for access, erasure, correction and other actions regarding their personal data, collectively referred to as data subject rights or DSRs.
When you receive and start managing a DSR, you’ll rapidly come to the question – is this request from the actual data subject or a person genuinely authorised on their behalf?
You should already know who the individual is and have some way of confirming their identity. Perhaps they’re a customer and have an order number, or they’re a user of your service with an email attached to their account.
But if not, or for example if the data or context is particularly sensitive, you’ll want to confirm their identity in a compliant, proportionate way.