Robert Baugh, Founder & CEO of Keepabl, says, ‘Digital ID is rapidly becoming the hot topic in Privacy. Not only did GDPR effectively bring age verification onto the statute books and increase awareness of data subject rights, the lockdown has accelerated digitalisation and remote working, making it more important that you’re confident you’re dealing with the right person. W2 is a leader in this field, with a simple API-driven service used by customers in Gaming like the Tote, Finance like Caxton FX and Law like Brabners. I’m delighted to welcome W2 into the Privacy Stack!’
Warren Russell, W2 CEO & Founder, adds, ‘GDPR has effectively promoted digital confirmation of identity, and age, from just affecting certain regulated industries to being a key requirement for any organisation dealing with consumers, handling data subject rights, and offering online services to children. So we’re delighted to join the Privacy Stack and to promote awareness of digital identity solutions as part of GDPR compliance.’
Identity is a core concept in data protection law, in particular for the General Data Protection Regulation, or GDPR, in the UK and the EEA. And Digital ID, in particular, is a key conversation in Privacy, Security, Fraud and related compliance and risk areas in today’s digital world.
Financial Services is perhaps the obvious industry where Identity has a clear importance – KYC (know your customer), AML (anti-money laundering), and measures against financial fraud are well-known areas where heavy lifting is required to prove clients are who they say they are. Technology such as W2’s API-driven solution takes that heavy lifting off the shoulders of over-worked compliance teams.
Industries such as Health and Gaming also have their own regulatory reasons to be super confident of the identity of the person they’re talking to. But GDPR made Identity mainstream, in at least two areas: age verification and data subject rights, or DSRs.
GDPR effectively put age-verification into law for any organisation in any industry that provides ‘information society services’ (pretty well anything online whether provided for free or not) to children.
EU GDPR first states that you can only rely on a child’s consent, for the offer of such services to them, where the child is at least 16 years old (the ‘Relevant Age’). Below that Relevant Age, you need the person with parental responsibility for that child to give or authorise that consent.
But the EU GDPR then gives Member States the power to reduce the Relevant Age down to 13, and many EEA Member States have decided to do just that – to different ages. Before Brexit, for example, the UK set that age at 13 and this is now codified in the UK GDPR.
So, if you provide information society services to children in or across the EEA and the UK, you first need to confirm the age of the person you’re dealing with, so that you can make sure you get the right consent.
The UK ICO’s guidance, Children & the GDPR, provides more on this, including, in its summary checklist, that you use ‘appropriate technology’ and ‘make reasonable efforts’ to verify age and that the person has parental responsibility.
GDPR also raised public awareness of individuals’ rights to ask for access, erasure, correction and other actions regarding their personal data, collectively referred to as data subject rights or DSRs.
When you receive and start managing a DSR, you’ll rapidly come to the question – is this request from the actual data subject or a person genuinely authorised on their behalf?
You should already know who the individual is and have some way of confirming their identity. Perhaps they’re a customer and have an order number, or they’re a user of your service with an email attached to their account.
But if not, or for example if the data or context is particularly sensitive, you’ll want to confirm their identity in a compliant, proportionate way.
W2 provide a wide range of screening tools and services to help organisations check who they are interacting with. They enable organisations to achieve regulatory compliance by conducting Know Your Customer (KYC), Anti Money Laundering (AML) and Fraud prevention due diligence. These include, but are not limited to, Age & ID verification, PEP and Sanctions screening, Enhanced Due Diligence, device location and a wide range of professional services. You can find out more at w2globaldata.com and contact them at firstname.lastname@example.org.
Here at Keepabl, we often say that the Privacy sector, kickstarted into life by GDPR in 2018, is 30 years behind Security as a practice and industry. Compared to Security, with well-established roles and remits within an organisation and well-established categories of vendors and advisors, organisations are still trying to determine what help and resources they need to build out and maintain their Privacy compliance. Many are still looking for a kettle … that’s a fridge … that’s a toaster … that’s an oven!
That’s why we at Keepabl created the Privacy Stack! It’s a really helpful methodology for organisations to identify the services and solutions they need to consider for their Privacy compliance. And it’s a great way for us to identify leading solutions that address compliance in a simple, user-focused way.