If your business asks people to prove who they are, whether to work, rent, bank, travel, or gain access to sensitive sites, then you’re already in the identity game. But the rules of that game are tightening.

Employment & Immigration

From GDPR and AML regulations, to the new Data (Use and Access) Bill, the UK is entering a new phase of data-led, regulation-driven identity proof.

Identity verification is already regulated under a patchwork of frameworks, depending on your sector:

Home Office guidance under the Immigration, Asylum and Nationality Act 2006

AML & KYC (Finance, Legal, Real Estate)

Failing to do this risks civil penalties of up to £20,000 per illegal worker

Governed by the Money Laundering Regulations 2017, supervised by the FCA, HMRC, or relevant professional bodies

Confirmation that documents are valid and issued to the individual presenting them

Security-Cleared Roles (Airports, Nuclear, Government)

The Data (Use and Access) Bill introduces a regulatory framework for Digital Verification Services (DVS). It doesn’t just encourage better ID checks; it legally formalises how they should happen.

DVS Trust Framework: The bill provides statutory powers to create a regulated environment for digital ID providers

Mandatory registration for providers who want to operate legally in regulated spaces

What’s Changing: The Data (Use and Access) Bill

Trust Mark: A government-backed symbol showing a provider meets official standards

Public Authority Gateways: Enables real-time validation of data (e.g., from DVLA, HMRC)

Power of the Secretary of State to remove, restrict, or approve services

So What Are Your Legal Obligations?

Backed by civil penalties, enforcement rights, and obligations to publish compliance reports

If you're collecting, processing, or acting on identity information, you must ensure that:

You’re using a certified or approved provider if mandated (as is likely under the new DUA Bill)

The Risks of Non-Compliance

Non-compliance doesn’t just risk a slap on the wrist. You could face:

Data protection fines under the UK GDPR (up to £17.5 million or 4% of global turnover)

Loss of license from sector regulators (FCA, SRA, HMRC, etc.)

How Xertilox Helps You Stay Compliant

In the future, as DVS regulations tighten, unverified checks could become a regulatory breach in themselves.

At Xertilox, we’re not guessing, we’re building our verification system in line with:

Use a compliant provider

Understand the rules that apply to your sector

Avoid visual-only or unverified checks

Provide clear, lawful consent and privacy terms

Keep auditable records

Prepare for the Trust Framework… it’s coming fast

Your Legal Checklist for Identity Verification

At Xertilox, we welcome the introduction of the Data Use & Access Bill (DUA). It marks a pivotal moment for digital identity in the UK, moving us from patchwork guidance to a formal, regulated framework that puts trust, transparency, and accountability at the heart of verification.

The establishment of the Digital Verification Service (DVS) and the forthcoming Trust Mark gives providers like us the tools and the responsibility to lead from the front. It’s not just a compliance box to tick; it’s a chance to fight fraud head-on, raise the bar for security, and make identity work better for individuals and businesses alike.

Because in a world where anyone can be anyone, it's time we start proving identity, not just accepting it.

Need to verify identity the right way?

Book a quick call with our team to see how Xertilox helps you stay compliant, reduce risk, and onboard with confidence.

Schedule a Demo or visit Xertilox.com