Every organisation that processes personal data will eventually face a Data Subject Access Request. The request itself is straightforward: an individual asks for a copy of all personal data you hold about them. The hard part is what comes next — redacting the documents before you hand them over.
This guide covers everything you need to know about DSAR redaction: the legal requirements under GDPR, UK GDPR, and CCPA; the practical workflow for redacting documents at scale; the ICO's balancing test for third-party data; common exemptions; and how AI-powered tools reduce processing time from weeks to hours.
What is DSAR redaction and why does it matter?
DSAR redaction is the process of removing third-party personal data from documents before disclosing them in response to a Data Subject Access Request. It is fundamentally different from general redaction because it is selective: you must preserve the requester's personal data while removing everyone else's.
Article 15(4) of the GDPR states that the right to a copy of personal data "shall not adversely affect the rights and freedoms of others." This single sentence creates the entire redaction obligation. You cannot simply dump raw documents containing other people's data — doing so would breach GDPR and potentially constitute a reportable data breach.
The challenge is proportional to the volume. A simple customer DSAR might involve a dozen documents. An employee DSAR — particularly from a departing employee in a dispute — can generate thousands of pages spanning years of emails, HR records, performance reviews, and internal communications. Every document must be reviewed, every piece of third-party PII identified, and every redaction decision documented.
The legal framework: GDPR, UK GDPR, and CCPA
EU GDPR (Article 15)
The right of access entitles data subjects to a copy of their personal data. The response deadline is one calendar month from receipt, extendable by two additional months for complex or numerous requests. You must inform the requester of any extension and the reasons for the delay within the first month. Responses to electronic requests must be provided electronically unless the individual requests otherwise.
UK GDPR and the Data Protection Act 2018
UK GDPR mirrors EU GDPR Article 15 requirements. The Data Protection Act 2018 adds specific exemptions in Schedule 2, including confidential references, management forecasting, negotiations, and legal professional privilege. The ICO's guidance on third-party data provides the practical framework most UK organisations follow.
CCPA / CPRA (Section 1798.100)
California's privacy law gives consumers a 45-day response window with a possible 45-day extension. While CCPA doesn't use the term "redaction," the same obligation exists: when disclosing personal information, you must not disclose other consumers' personal information. The CCPA DSAR process is functionally identical to GDPR for redaction purposes.
The ICO's three-part balancing test
The UK Information Commissioner's Office provides the clearest practical framework for deciding when to redact third-party data in DSAR responses. Every organisation — not just UK ones — should apply this test. It asks three questions in sequence:
1. Can you comply with the request without disclosing the third party's data? If the third-party information can be separated from the requester's data without making the response unintelligible, redact it. This is the default position.
2. Has the third party given consent to disclosure? If you can reasonably obtain consent without alerting the third party to sensitive circumstances, do so. But you are not obliged to seek consent, and in many situations — especially employee DSARs — doing so may be inappropriate.
3. Is it otherwise reasonable to disclose without consent? Consider whether the third party would expect their data to be disclosed, whether they could be identified by the requester regardless, the nature and sensitivity of the data, and any duty of confidentiality owed to the third party.
This balancing test was reinforced by the High Court in Harrison v Cameron [2024], which confirmed that the controller has a "wide margin of discretion" in these decisions — but must exercise that discretion reasonably and document the reasoning. See our detailed ICO DSAR guidance analysis for worked examples.
What must be redacted
Third-party personal data
Names, email addresses, phone numbers, home addresses, job titles (when identifiable in context), employee IDs, and any information that could directly or indirectly identify someone other than the requester. Context matters: a generic job title in a 10,000-person company may not be identifying, but "the Finance Manager" in a 15-person firm almost certainly is.
Confidential references
Employment or academic references provided in confidence. Under UK law (DPA 2018 Schedule 2, Part 3, Paragraph 24), this exemption applies even when the reference is about the requester — it protects the author's expectation of confidentiality.
Legal professional privilege
Communications between the organisation and its lawyers for the purpose of legal advice or litigation. Internal documents may qualify if they were prepared for the dominant purpose of litigation. This exemption is narrower than organisations often assume.
Management forecasting and negotiations
Data processed for management planning where disclosure would prejudice the business — redundancy plans, reorganisation proposals — and records of intentions regarding negotiations with the requester.
Information prejudicing ongoing processes
Active criminal investigations, regulatory proceedings, or disciplinary processes not yet concluded. This exemption expires when the process ends.
What must be preserved
The requester's personal data in its entirety: their name, contact details, employment records, performance reviews, salary and benefits data, communications they sent or received, decisions made about them, complaints involving them, notes or records relating to them as an individual, and the purposes for which this data is processed. Redacting the requester's own data is itself a compliance failure — you're denying a legitimate right of access.
The practical redaction workflow
Step 1: Scope and collect
Identify all systems where the requester's data might exist: email, HR systems, CRM, shared drives, project management tools, instant messaging archives, and paper records. Cast a wide net — regulators take a dim view of incomplete searches.
Step 2: Deduplicate and organise
Group documents by type: emails, HR records, financial documents, meeting notes, system logs, scanned files. Remove exact duplicates. Each document type has different PII patterns and different redaction challenges.
Step 3: Automated PII detection
Use an AI-powered redaction tool to scan every document and flag all PII instances. Modern AI detection identifies names, addresses, phone numbers, email addresses, national insurance numbers, SSNs, dates of birth, financial account numbers, and other identifiers — including context-dependent items that regex-based tools miss entirely.
Step 4: Selective human review
For each flagged item, a human reviewer determines whether it belongs to the requester (preserve) or a third party (redact), and whether any exemption applies. This is the step that requires judgement — the AI identifies the PII, the human makes the legal decision.
Step 5: Apply permanent redaction
Use true redaction that destroys the underlying data. Black boxes drawn over text in a PDF editor are not redaction — the text remains in the file and can be copied, searched, or extracted. True redaction uses pixel-burn rendering or text-layer removal. See common redaction failures for examples of what goes wrong.
Step 6: Quality assurance
Sample-check redacted documents: all third-party PII removed, requester's data preserved, exemptions applied consistently, output files contain no recoverable hidden data or metadata leaks.
Step 7: Document decisions
For each exemption applied, record: which exemption, which document, which data, and your reasoning. This audit trail is essential if the requester challenges your response with the ICO, CNIL, or other supervisory authority.
SafeRedact automates steps 3–5. Upload documents, AI detects all PII with category labels, you review and approve selectively, and the output is permanently redacted with pixel-burn technology. Browser-based processing means no cloud uploads and no data retention — your DSAR documents never sit on a third-party server.
Common DSAR redaction mistakes
Visual-only redaction. The most dangerous error. Drawing black rectangles over text creates an illusion of redaction while the data remains fully extractable. This has caused high-profile breaches in government documents, court filings, and corporate disclosures. Read our full analysis of real-world DSAR redaction failures.
Over-redacting the requester's data. Teams racing to protect third parties sometimes remove information the requester is legally entitled to see. This denies a legitimate right of access and is a compliance failure in the opposite direction.
Inconsistent redaction across documents. Redacting a person's name in one email but leaving it visible in another makes the first redaction meaningless. Consistency across the entire response package is essential.
Forgetting metadata. Document properties, revision history, tracked changes, comments, and embedded file names can all contain personal data. Redacting visible text while leaving metadata intact is a common oversight.
No audit trail. If a regulator asks why specific information was redacted, you need a documented answer. Every redaction decision should be traceable to a specific exemption or legal basis.
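As an added example (not code from the page or from SafeRedact), the quality-assurance pass from step 6 of the workflow above, written to catch three of the mistakes listed here: third-party data that survived redaction, the requester's own data removed by over-redaction, and an identifier redacted in one document but left visible in another. The documents, names and identifier lists are constructed for illustration; the regex patterns are a minimal stand-in for the detection step and only cover email addresses and one UK phone format.

```python
import re

# Constructed sample DSAR package: (original text, reviewer's redacted output) per document.
# Requester is Jane Doe; Tom Reed and Priya Shah are third parties. All values are invented.
REQUESTER = {"Jane Doe", "jane.doe@example.com"}
THIRD_PARTIES = {"Tom Reed", "tom.reed@example.com", "Priya Shah", "07700 900123"}
PACKAGE = {
    "email-001": ("From: Tom Reed <tom.reed@example.com>\nTo: jane.doe@example.com\n"
                  "Jane Doe, Priya Shah will call you on 07700 900123.",
                  "From: [REDACTED] <[REDACTED]>\nTo: jane.doe@example.com\n"
                  "Jane Doe, [REDACTED] will call you on [REDACTED]."),
    "email-002": ("From: Priya Shah\nTo: Jane Doe\nThanks Jane, Tom Reed approved the leave; "
                  "my mobile is 07700 900456.",
                  "From: [REDACTED]\nTo: Jane Doe\nThanks Jane, Tom Reed approved the leave; "
                  "my mobile is 07700 900456."),
    "hr-note":   ("Performance note for Jane Doe, written by Tom Reed on 3 March.",
                  "Performance note for [REDACTED], written by [REDACTED] on 3 March."),
}
# Generic patterns for PII that was never put on the redaction list (the sample check in step 6).
PATTERNS = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
            "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b")}

def qa_check(package, requester, third_parties):
    """Compare each original/redacted pair and return the findings a reviewer must resolve."""
    findings = {"leaks": {}, "over_redacted": {}, "unlisted_pii": {}}
    seen_redacted, seen_visible = set(), set()
    for doc, (original, redacted) in package.items():
        # Leak: a listed third-party identifier present in the original survived redaction.
        leaks = sorted(t for t in third_parties if t in original and t in redacted)
        if leaks:
            findings["leaks"][doc] = leaks
        # Over-redaction: the requester's own identifier was in the original but is now gone.
        gone = sorted(r for r in requester if r in original and r not in redacted)
        if gone:
            findings["over_redacted"][doc] = gone
        # Unlisted PII: email/phone-shaped strings still in the output that are not the requester's.
        for label, pat in PATTERNS.items():
            extra = sorted(m for m in pat.findall(redacted) if m not in requester)
            if extra:
                findings["unlisted_pii"].setdefault(doc, []).extend(f"{label}:{m}" for m in extra)
        for t in third_parties:
            if t in original:
                (seen_visible if t in redacted else seen_redacted).add(t)
    # Inconsistency: the same identifier redacted in one document but visible in another.
    findings["inconsistent"] = sorted(seen_redacted & seen_visible)
    return findings

if __name__ == "__main__":
    for kind, result in qa_check(PACKAGE, REQUESTER, THIRD_PARTIES).items():
        print(f"{kind}: {result}")
```

Each non-empty finding maps back to a document and an identifier, which is the record step 7 asks you to keep alongside the exemption reasoning.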
DSAR redaction at scale
Employee DSARs are typically the most demanding. A departing employee's request might span years of emails, performance reviews, project files, HR records, and internal chat messages — potentially thousands of documents. Manual redaction at this scale costs $600–$2,000 per request for in-house processing, or $3,000–$10,000 when outside counsel is engaged.
AI-powered redaction tools reduce this from weeks to hours. SafeRedact processes each page in seconds, detecting PII automatically across PDFs, emails, spreadsheets, and chat transcripts. Your team focuses on the selective review decisions — whose data to keep, whose to remove — rather than the mechanical work of finding and flagging every instance.
For organisations choosing between platforms, our DSAR software comparison breaks down the market into three categories: full-platform automation (OneTrust, DataGrail), dedicated redaction tools (SafeRedact, Redactable), and legal technology platforms (Relativity, Exterro).
Choosing the right approach for your organisation
Under 10 DSARs per year: A structured manual process with spreadsheet tracking can work for intake and workflow. But the redaction step still requires proper tooling — attempting document redaction with basic PDF editors creates serious compliance risks. SafeRedact's free tier handles individual documents without signup.
10–100 DSARs per year: You need a repeatable workflow with documented procedures, consistent redaction tooling, and an audit trail. A dedicated redaction tool like SafeRedact ($99/year) paired with a simple tracking system covers this range effectively.
100+ DSARs per year: At this volume, full-platform DSAR automation ($30K–$500K/year) handles intake, routing, and deadline tracking. But most platforms rely on external tools for the document redaction step — which is where SafeRedact Enterprise integrates, processing thousands of files per batch with selective PII preservation.
Frequently asked questions
What is DSAR redaction?
DSAR redaction is the selective removal of third-party personal data from documents before disclosing them in response to a Data Subject Access Request. Unlike general redaction (which removes all sensitive data), DSAR redaction preserves the requester's personal data while removing everyone else's.
What data must be redacted in a DSAR response?
All personal data belonging to individuals other than the requester: names, email addresses, phone numbers, addresses, employee IDs, and any information that could directly or indirectly identify a third party. Additional categories include legally privileged material, confidential references, trade secrets, and information prejudicing ongoing processes.
How long do you have to respond to a DSAR?
One calendar month under GDPR and UK GDPR, 45 calendar days under CCPA. Both allow extensions for complex requests (two additional months under GDPR, 45 additional days under CCPA) with prior notice to the requester.
What happens if you accidentally disclose third-party data?
It constitutes a personal data breach. You must assess risk to the affected individual, potentially report to your supervisory authority within 72 hours, and notify the affected individual if the risk to their rights and freedoms is high.
Can AI tools handle DSAR redaction?
AI dramatically accelerates the detection phase — finding every instance of PII across thousands of documents in minutes rather than days. However, the selective review step (deciding whose data to keep) still requires human judgement. The optimal approach combines AI detection with human review.