How to Redact Documents for DSAR Responses

Redaction is the bottleneck in every DSAR workflow. You need to deliver the requester's personal data while permanently removing everyone else's. Get it wrong and you've committed a data breach. This guide walks through the practical process: what to redact, what to keep, how to handle edge cases, and how to do it at scale.

Why DSAR redaction is different from general redaction

General redaction removes all sensitive information from a document. DSAR redaction is selective — you must preserve the requester's personal data while removing everyone else's. This makes it significantly harder than standard redaction because you need to make per-item decisions about each piece of PII in every document.

A single email thread might contain the requester's name, their manager's name, an HR representative's email, a client's phone number, and salary figures for three different employees. You need to keep exactly one person's data and redact everything else. Multiply this by hundreds or thousands of documents in a typical DSAR response, and the scale of the challenge becomes clear.

What must be redacted

Other individuals' personal data

Names, email addresses, phone numbers, home addresses, job titles (when combined with small team sizes that make identification possible), employee IDs, and any information that could directly or indirectly identify someone other than the requester. Remember: context matters. A job title alone might not identify someone, but "the Marketing Director" in a 20-person company does.

Confidential references

Employment references provided in confidence, academic references, and any information given with a reasonable expectation of confidentiality. Under UK GDPR, this exemption applies even if the reference is about the requester.

Legal professional privilege

Communications between your organisation and its lawyers, and documents prepared for litigation. This exemption is narrower than many organisations assume — internal legal opinions may not qualify unless they constitute actual legal advice.

Trade secrets and commercial sensitivity

Proprietary business information, pricing strategies, and competitive intelligence that does not constitute the requester's personal data. However, you cannot use this exemption to withhold information about how the requester's data is processed.

Information prejudicing ongoing processes

Active investigations, disciplinary proceedings not yet concluded, redundancy planning, or criminal investigations. This exemption is time-limited — once the process concludes, the exemption typically no longer applies.

What must be preserved

Everything that constitutes the requester's personal data: their name, contact details, employment records, performance reviews, salary history, communications they sent or received, decisions made about them, and any notes or records that relate to them as an individual. The requester has a right to all of this, and redacting it is itself a compliance failure.

The practical redaction workflow

Step 1: Organise documents by type

Group your DSAR documents into categories: emails, HR records, financial documents, meeting notes, system logs, and scanned files. Each type has different PII patterns and different redaction challenges. Emails contain headers with multiple addresses. HR files contain structured personal data for many employees. Meeting notes contain names scattered throughout free text.

Step 2: Apply automated PII detection

Use an AI-powered redaction tool to scan each document and flag all PII instances. Modern tools detect names, addresses, phone numbers, email addresses, SSNs, dates of birth, financial account numbers, and other identifiers. This gives you a complete map of where personal data appears in each document.

Step 3: Selective review

For each flagged item, determine whether it belongs to the requester (keep) or someone else (redact). This is the step that requires human judgement — the AI identifies the PII, but a human decides whose it is and whether an exemption applies.

Step 4: Apply permanent redaction

Use true redaction that destroys the underlying data. Drawing black boxes over text in a PDF editor is not redaction — the text remains in the file and can be extracted. True redaction either removes the text from the document's data layer or renders the page as an image with the sensitive content physically absent.

Step 5: Quality check

Review a sample of redacted documents to verify: all third-party PII is removed, the requester's data is preserved, exemptions are applied consistently, and the output files contain no recoverable hidden data.

Step 6: Document your decisions

For each exemption applied, record: which exemption, which document, which data, and your reasoning. This audit trail is essential if the requester complains to the ICO, CNIL, or other supervisory authority.
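The six steps above, carried out on a constructed two-document package, as an added example (not code from this guide or from SafeRedact). The requester, the sample documents, the name list and the regexes are assumptions standing in for the detection tool's output; the point is that keep/redact decisions are keyed by value so a name gets the same treatment in every document, the text itself is replaced rather than overlaid, and every decision is recorded with its reason.

```python
import re
from dataclasses import dataclass

# Constructed DSAR package; requester is "Alice Moore" (all names/values hypothetical).
DOCS = {
    "email-1.txt": ("From: bob.patel@example.com\nTo: alice.moore@example.com\n"
                    "Alice Moore, Carol Singh approved your leave. "
                    "Call Bob Patel on +44 7700 900456."),
    "hr-note.txt": ("Alice Moore met Carol Singh. Alice's number: +44 7700 900123. "
                    "Reference from Bob Patel given in confidence."),
}
REQUESTER = {"Alice Moore", "alice.moore@example.com", "+44 7700 900123"}
KNOWN_NAMES = ["Alice Moore", "Bob Patel", "Carol Singh"]  # stand-in for NER output
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+44 \d{4} \d{6}")

@dataclass
class Decision:
    doc: str
    value: str
    action: str   # "keep" or "redact"
    reason: str   # which exemption or why it is kept (step 6 audit trail)

def detect_pii(text):
    """Step 2 stand-in: every email, phone number and known name in the text."""
    hits = set(EMAIL_RE.findall(text)) | set(PHONE_RE.findall(text))
    return hits | {n for n in KNOWN_NAMES if n in text}

def build_plan(docs, requester=REQUESTER, exemptions=None):
    """Step 3: one decision per distinct value for the whole package, plus the audit trail.
    `exemptions` maps a value to the exemption relied on (default: third-party data)."""
    exemptions = exemptions or {}
    plan, audit = {}, []
    for doc, text in docs.items():
        for value in sorted(detect_pii(text)):
            if value in requester:
                action, reason = "keep", "requester's own personal data"
            else:
                action, reason = "redact", exemptions.get(value, "third-party personal data")
            plan[value] = action          # keyed by value: consistent across documents
            audit.append(Decision(doc, value, action, reason))
    return plan, audit

def apply_plan(text, plan, token="[REDACTED]"):
    """Step 4: remove the text itself; nothing is overlaid, so nothing is left to recover."""
    for value in sorted((v for v, a in plan.items() if a == "redact"), key=len, reverse=True):
        text = text.replace(value, token)
    return text

def leaked(text, plan):
    """Step 5 check: values marked for redaction that still appear in the output."""
    return [v for v, a in plan.items() if a == "redact" and v in text]
```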

SafeRedact handles steps 2–4 automatically. Upload documents, AI detects all PII, you review and approve selectively, and the output is permanently redacted with pixel-burn technology. No cloud uploads, no data retention.

Common DSAR redaction mistakes

Using black boxes instead of true redaction. This is the most dangerous mistake. Text hidden behind a visual overlay remains in the PDF and can be revealed by selecting, copying, or using basic PDF tools. High-profile failures include DOJ Epstein file releases, the Manafort case, and Meta's FTC filing — all had "redacted" text that was trivially recoverable.

Over-redacting the requester's own data. In the rush to protect third-party data, teams sometimes redact information the requester is entitled to see. This is a compliance failure in the other direction — you're denying a legitimate access right.

Forgetting metadata. Document properties, revision history, tracked changes, comments, and embedded file names can all contain personal data. Redacting visible text while leaving metadata intact is a common oversight.
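To make the first and third mistakes concrete, here is an added example (not from this guide or from SafeRedact) that builds a minimal uncompressed PDF by hand: one version draws a name and then paints a black rectangle over it, the other removes the text operator. A string-level extractor still finds the "covered" name and the /Author entry in the first, and nothing in the second. The PDF structure and names are constructed; real files usually carry Flate-compressed streams, so run the same check with a real text extractor such as pdftotext rather than this regex.

```python
import re

def _wrap(content, author):
    """Assemble a minimal single-page PDF (no xref table; fine for inspection)."""
    info = f"6 0 obj << /Author ({author}) >> endobj\n" if author else ""
    objs = ("1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] "
            "/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >> endobj\n"
            f"4 0 obj << /Length {len(content)} >> stream\n{content}endstream endobj\n"
            "5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n")
    trailer = "trailer << /Root 1 0 R" + (" /Info 6 0 R" if author else "") + " >>\n%%EOF\n"
    return ("%PDF-1.4\n" + objs + info + trailer).encode("latin-1")

def pdf_with_overlay(secret, author):
    """The 'black box' mistake: text is drawn, then a filled rectangle is painted on top."""
    content = f"BT /F1 12 Tf 20 50 Td ({secret}) Tj ET\n0 g 18 46 80 16 re f\n"
    return _wrap(content, author)

def pdf_truly_redacted(author=None):
    """True redaction: the text-showing operator is gone; only the box remains."""
    return _wrap("0 g 18 46 80 16 re f\n", author)

def recoverable_strings(pdf):
    """What select-all/copy or an extractor sees in an uncompressed file:
    operands of Tj text-showing operators plus document-info strings."""
    data = pdf.decode("latin-1")
    shown = re.findall(r"\(([^()]*)\)\s*Tj", data)
    meta = re.findall(r"/(?:Author|Title|Subject|Keywords)\s*\(([^()]*)\)", data)
    return shown + meta

def check_redaction(pdf, must_be_absent):
    """Quality-check gate: values that should be gone but are still recoverable."""
    found = recoverable_strings(pdf)
    return [v for v in must_be_absent if any(v in s for s in found)]
```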

Inconsistent redaction across documents. If you redact a person's name in one document but leave it visible in another, the redaction is ineffective. Consistency across the entire DSAR response package is essential.

No audit trail. If you can't explain why specific information was redacted, you can't defend your response to a regulator. Every redaction decision should be documented.

Handling high-volume DSARs

Employee DSARs are often the most demanding. A departing employee's DSAR might cover years of emails, performance reviews, project files, and HR records — potentially thousands of pages. Manual redaction at this scale takes weeks and costs thousands of dollars per request.

AI-powered tools reduce this from weeks to hours. SafeRedact processes each page in seconds, detecting PII automatically so your team can focus on the selective review decisions rather than the mechanical work of finding and removing data.

For organisations processing more than 10 DSARs per month, the ROI of automated redaction tools is immediate. At $1,524 average cost per manual DSAR, even a modest reduction in processing time pays for the tooling many times over.

Frequently asked questions

What happens if I accidentally disclose third-party data in a DSAR response?

It's a data breach. You've disclosed personal data without lawful basis. You must assess the risk to the affected individual, report to your supervisory authority within 72 hours if there's a risk to rights and freedoms, and notify the affected individual if the risk is high.

Can the requester ask for unredacted documents?

No. The requester's right of access does not override other individuals' privacy rights. You must balance these rights, and redaction is the mechanism for doing so. You should explain in your response letter that certain information has been redacted to protect third-party rights.

How do I redact scanned documents?

Use a tool with OCR (optical character recognition) capability. SafeRedact includes Tesseract.js OCR that can detect text in scanned documents, faxes, and photographed pages, then apply AI-powered PII detection to the extracted text.

Is AI redaction accurate enough for DSAR compliance?

AI detection should always be paired with human review. The AI identifies PII candidates; a human confirms which items to redact. This combination is both faster and more accurate than purely manual review, which suffers from fatigue and inconsistency across large document sets.