Reply to post:

Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

rg287

A lot of companies asked for her account login details as proof of identity, which is actually a pretty good idea, Pavur opined. But when one gaming company tried it, he simply said he'd forgotten the login and they sent it anyway.

Presumably not her password? And certainly not by e-mail? Companies have just spent years teaching users that they will never ask for your password!

It seems like there's a simple solution for this in cases where the user has some form of online account (gaming, shopping, etc):

Only send SARs to the e-mail address attached to the account. Want it sent to a different e-mail? Log in and change it. Forgotten your creds? Do a password reset. At the very least, this means you're limiting it to the person in control of the account (which could have been hijacked, of course, but that's a different matter). You're immediately limiting requests coming in from arbitrary e-mail addresses.

Since you have an obligation to respond to GDPR requests regardless (having established identity), you would then need a fallback process for someone who insists that they want the SAR delivered to a secondary email address and not the one attached to their account - but you can make the process relatively onerous to put people off that option unless they're genuinely serious about it.
