The DPDP Audit Tool
Compliance for Request Identity Verification Audit
🛡️

Request Identity Verification Audit
Liability Check

🆔

Under the DPDP Act, improper identity verification for Data Principal requests is a double-edged sword: release data to the wrong person, face a ₹250 Crore penalty; collect excessive verification data, also face fines for data minimisation violations.

Why Request Identity Verification Audit is at Risk

Think of a customer support team at a fintech startup in Bengaluru processing a 'data deletion' request. If they don't properly verify the user's identity, they could delete critical transaction history for the wrong person, or worse, expose someone's financial data to an imposter. The DPDP Act mandates 'reasonable security safeguards' to prevent such **unauthorised access or disclosure**. Simultaneously, collecting a full passport scan for a simple email address deletion request violates **purpose limitation** and **data minimisation**, another direct route to a penalty from the Data Protection Board.

Common Violations

  • 1.Fulfilling a 'data access' or 'data deletion' request without adequately verifying the Data Principal's identity, leading to unauthorised data disclosure.
  • 2.Demanding excessive personal data (e.g., Aadhaar, full PAN, or complete biometric scans) solely for identity verification, exceeding the 'data minimisation' principle.
  • 3.Lacking a documented, consistent, and proportionate identity verification policy for all Data Principal Right requests, making your process ad-hoc and risky.

The Immediate Fix

Conduct an immediate audit of your existing identity verification processes for Data Principal requests. Develop a tiered verification policy: for low-risk requests (like basic account info), use data you already have and an OTP. For sensitive data requests, implement robust multi-factor authentication, ensuring you only collect *necessary* data.

Get DPDP Updates for Request Identity Verification Audit

We'll send you compliance alerts and deadline reminders specific to your area. No spam — unsubscribe anytime.

Unbundled consent — the DPDP gold standard. Unsubscribe anytime. Privacy Policy

or
Start 30-Second Audit

Projected Compliance Deadline: Immediate