
Ask HN: What to do with a GDPR deletion request when the user can't verify? - jason_slack
We are starting to get GDPR deletion requests at work. However, there area number of requests where the user cannot verify their e-mail address. They either dont have access to that account anymore or they don&#x27;t remember what e-mail address they used to sign up.<p>What should we do to verify when all we have stored is username, e-mail address, password and various login dates?
======
techjuice
You should consult your GDPR specialized attorney on these matters to insure
you are in legal compliance. When this law came into effect you should have
drafted corporate rules and requirements for user validation and processes for
how to handle users that did not have all of this information to help
determine if their requests could be legally invalidated or other means of
validation. This would also help protect your company insuring you would
exhaust all legal measures allowed to properly process requests while still
protecting your company.

If you are not a company you should consult a GDPR specialized attorney to
help draft up processes for handling these matters to help insure you are in
legal compliance and properly protect yourself legally.

~~~
jason_slack
I understand what you are saying, but there must be guidelines for how to
handle deletion requests when identity can't be verified? Otherwise aren't we
just making up policy?

------
flukus
Send an email (multiple over weeks/months) to their account "you've requested
deletion, if this is incorrect click here". If you can't verify they want you
to keep there data then you probably shouldn't keep it.

------
icedchai
If the user can't verify their email address, how do they even know their
account still exists?

~~~
jason_slack
Because they can login with their user id and password or their email address
and password.

~~~
icedchai
Ok. You can't show them a "delete my account" button after they log in?

~~~
jason_slack
This is what the engineering team is going to do to handle these types of
requests. Thanks for mentioning it. I guess if the user can login, they should
be able to delete themselves.

