Fully GDPR-compliant Identity Verification software: Verifai compared to alternatives

Robbin Hof
Verifai

--

Back in 2016, Belsimpel’s retail team was looking for an identity verification solution that was fully GDPR-compliant and completely secure. As the largest telecom retailer in the Netherlands, Belsimpel often has to verify the identity of its customers when they buy a mobile contract with one of the mobile operators. In 2016, Belsimpel opened seven brand-new stores in the Netherlands and worked on improving the identity verification procedure. Printers and plastic masking stencils were used to make copies of customers’ identity documents to comply with the local identity verification requirements. Automating this identity verification procedure was the next step to improve the verification flow in the stores and to ensure a secure and privacy-proof solution.

Finding a suitable solution was hard, since none of the existing identity verification solutions could meet Belsimpel’s criteria. The most important criterion: full compliance with the GDPR! To achieve this, Belsimpel was looking for a secure solution that provides functionality to (1) mask personal data with privacy filters, (2) process personal data locally on the mobile device so the data is never processed by a (sub)processor, and (3) minimize the processed data to the bare minimum. Belsimpel could not find a suitable solution that met those criteria, so our team decided to build it ourselves. Verifai was born!

I want to start with a background story of Verifai and where our journey began. This is just to show you that being privacy proof and GDPR compliant is part of our DNA. When we started, there was a lack of GDPR-compliant identity verification software. We saw that many parties in the ID Verification industry claimed to be fully GDPR compliant, but this was not the case in our honest opinion. Only signing a Data Processing Agreement (DPA) and providing a Privacy Policy is not enough to become fully GDPR compliant. Privacy-by-design and privacy-by-default principles are required to really achieve this. Therefore, this blog has been written to clarify how we at Verifai provide a fully GDPR-compliant Identity Verification solution.

General Data Protection Regulation

If you are reading this blog, you are probably triggered by the term GDPR compliant. For the readers who do not know, GDPR stands for General Data Protection Regulation. The GDPR came into force on May 25, 2018 in the whole European Economic Area (EEA) and it regulates the privacy rights of European citizens. The GDPR requires organizations and governments to take appropriate technical and organizational measures to comply with the data processing principles stipulated in the GDPR: ‘privacy-by-design’ and ‘privacy-by-default’. According to these principles, organizations are only allowed to process specific personal data if the data subject has provided consent or one of the other five of the six legal grounds applies (e.g., legal or contractual obligations and public interests). With the ‘privacy by design’ and ‘privacy by default’ principles, the GDPR forces organizations to process personal data, by default, with solutions and technologies that have the highest-possible privacy settings.

Privacy and identity verification service providers

To ensure the privacy protection of your end-users, it is always important to ask yourself the question: “Have we implemented a solution with the highest-possible privacy settings by default and have we mitigated the privacy risks as much as possible?” Since there are many identity verification service providers on the market in many different flavours, you need to keep an eye on the design of the provided technologies. While the paperwork around Data Protection Agreements and Privacy Policies is important and covered by almost all identity verification service providers, most buyers do not pay enough attention to the actual functionalities offered to ensure the highest-possible privacy settings by default. Important functionalities to pay attention to are:

1. Local processing instead of SaaS

2. Data minimization

3. Masking sensitive personal data

4. Data retention periods

I will discuss these topics one-by-one in the following paragraphs.

Local processing instead of SaaS

Software as a Service (SaaS) has become an industry standard among identity verification service providers. While the end-user is taking or uploading a picture with their own device, the picture(s) of the identity document with sensitive personal data are sent straight to a server inside or sometimes even outside the EEA. The magic of reading the Machine Readable Zone (MRZ) and the text from the document is done on the server by the (sub)processor. This means that all sensitive personal data on an identity document (e.g., Social Security Number/Personal Identification Number, document number, nationality and photo of the bearer of the document) will be processed by a (sub)processor, which could result in a violation of privacy legislation for some organizations and industries. Remember, the highest-possible privacy settings should be the default to minimize the amount of personal data that is processed. When using local processing, the personal data is processed on the device of the end-user. No personal data reaches the servers of the identity verification service provider, and only the data which you are allowed to process will be sent to your own systems. This means that you fully comply with the data minimization requirement.

Data minimization

The privacy-by-default principle dictates that you are only allowed to process personal data which you need to process, based on the six ground rules mentioned earlier in this blog. According to the GDPR, you are not allowed to process any other personal data. Data minimization is key! However, in some cases it is technically not possible to comply fully with this requirement. In the Netherlands, for example, the BSN (Dutch Social Security Number) is part of the MRZ until August 2, 2021, and the MRZ needs to be read in full to calculate its check digits and to verify the authenticity of a document. With a SaaS solution, the whole MRZ (including the BSN) will be processed by an identity verification service provider, whereas local processing allows you to select only the data you are allowed to process. Local processing enables you to send back to your own systems only the personal data which you are allowed to process. Nevertheless, it is important to know that there are possibilities to ensure data minimization when you use local processing, as discussed earlier in this blog.
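The check-digit dependency described above, as an added example that is not Verifai's code or part of the original post: it validates line 2 of an ICAO Doc 9303 TD3 (passport) MRZ on the device and releases only an allow-listed subset of fields. The function and field names are hypothetical, the input is the widely published ICAO specimen line, and the personal-number field is assumed to be where a national ID number such as the BSN would sit.

```python
# Added example, not Verifai's SDK code. All function and field names are hypothetical.
# Layout: ICAO Doc 9303 TD3 (passport) MRZ line 2, 44 characters.
# Constructed input: the widely published ICAO specimen line (fictional holder).
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

def char_value(c):
    """MRZ character value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if "0" <= c <= "9":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character: {c!r}")

def check_digit(field):
    """Weighted sum with repeating weights 7, 3, 1, modulo 10."""
    return str(sum(char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10)

def parse_and_minimize(line2, allowed):
    """Validate every check digit on the device, then release only `allowed` fields."""
    if len(line2) != 44:
        raise ValueError("TD3 line 2 must be 44 characters")
    fields = {
        "document_number": line2[0:9],
        "nationality": line2[10:13],
        "date_of_birth": line2[13:19],
        "sex": line2[20],
        "date_of_expiry": line2[21:27],
        "personal_number": line2[28:42],  # assumed location of a national ID number
    }
    # An entirely unused personal-number field may carry '<' as its check digit.
    pn_digit = "0" if line2[28:43] == "<" * 15 else line2[42]
    checks = [
        (fields["document_number"], line2[9]),
        (fields["date_of_birth"], line2[19]),
        (fields["date_of_expiry"], line2[27]),
        (fields["personal_number"], pn_digit),
        # The composite digit spans the personal number, so the full line must be read.
        (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    ]
    if not all(check_digit(f) == d for f, d in checks):
        return {"mrz_valid": False}  # release nothing from an unverified read
    return {"mrz_valid": True,
            **{k: fields[k].rstrip("<") for k in sorted(allowed)}}
```

The personal number takes part in two of the five checks, so it has to be read to validate the document, yet it only leaves the function when the caller explicitly allow-lists it.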

Masking sensitive personal information

In some cases, you are obligated to archive a copy of an ID due to local legislation, while having restrictions on the data you are allowed to process. In the old days, plastic masking stencils and scanners were used to cover sensitive personal data while making a copy of an ID. With the introduction of digital identity verification service providers, this time-consuming approach should not be a problem anymore, right? Unfortunately, this is not the case. Even though privacy is important, masking sensitive personal data is not a functionality that identity verification service providers offer. Only Verifai offers privacy filters to minimize the processing of sensitive personal data.

Data retention periods

Until now, we have discussed privacy-proof processing functionalities. However, the data retention period is something you also need to take into account when choosing an identity service provider. In line with the data minimization requirement, the duration of the storage of personal data should also be kept to a minimum to become fully compliant with the GDPR. The data retention period is industry and country specific. For instance, banks should have a long data retention period to comply with AML and KYC regulations, while liquor stores can use a short data retention period of a couple of seconds to perform an age check. As an organization, you need to set the data retention period to be as short as possible, but suitable for your use case and legal obligations.

Privacy-first identity verification solution

The goal of this blog was to provide you with more insight into privacy-proof functionalities provided by identity verification service providers to ensure full compliance with the GDPR. Verifai provides local processing in its Mobile SDKs in combination with customizable privacy filters to mask sensitive personal data, data minimization options, and changeable data retention periods of up to milliseconds. None of the existing identity verification solutions, besides Verifai, offer this wide range of functionalities to ensure the highest-possible privacy settings by default and mitigate the risks of processing privacy-sensitive personal data. This is the honest reason why Verifai is the most GDPR-compliant identity verification service provider compared to alternatives.

Are you still interested in learning more about privacy-first identity verification solutions? Keep an eye on this blog or visit our website verifai.com!
