The identification method used in cases of DSARs depends on various factors such as the information you hold about the data subject as well as how the DSAR was received.
For example, if the data subject sends the request via email and the email is already in your database as it was provided by the data subject you can safely assume that the data subject is the one sending the email. If you receive the request via telephone you can just ask the data subject some ID verification questions same as banks do such as ( the last recorded address, the social security number, etc.).
One easy way is to establish a set of identification questions to be used to check the ID of the data subjects whenever a request is received. If the request comes form another person then the data subject you need to ask for a authorization from the data subject by which he empowers anoth er party to submit a DSAR on his/her behalf.
To learn more about how to handle DSARs you can book a seat at our webinar - Data Subject Rights under the EU GDPR - https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
You can also check out our EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/