COMPLIANCE 2026 · 6 min read

7 DSAR Redaction Failures That Became Data Breaches

DSAR redaction failures don't just create compliance problems — they create data breaches. Every failure on this list has occurred in practice, some at the highest levels of government and corporate disclosure. Understanding how they happen is the first step to preventing them.

1. Visual-only redaction (the black box illusion)

This is the most common and most dangerous redaction failure. A user draws black rectangles over sensitive text in a PDF editor. The text looks hidden — but it remains in the document's data layer, fully selectable, searchable, and copyable.

This failure has occurred repeatedly in high-profile contexts. In the Manafort case (2019), attorneys filed court documents with "redacted" sections that journalists recovered in seconds by selecting and copying the black-boxed text. Meta's FTC filing included supposedly confidential business information behind visual overlays that were trivially removable. Multiple government FOIA responses have been returned with black highlighting that left the underlying text intact.

In the DSAR context, this means third-party personal data you thought was removed is fully accessible to the requester. If they extract it, you have a reportable data breach — you disclosed personal data without lawful basis.

Prevention: Use true redaction tools that destroy the underlying data. SafeRedact uses pixel-burn rendering — the page is re-rendered as a new image with the redacted content physically absent. The data doesn't exist in the output file, so it cannot be recovered by selecting, copying or extracting text.

2. Metadata leaks

You carefully redact all visible PII from a document, then send it to the requester. But the document's metadata still contains the original author's name, revision history showing tracked changes with other employees' edits, embedded comments, and file path references that reveal network usernames.

Word documents are particularly vulnerable. A .docx file's metadata can include the names of every person who edited the document, the creation date, the last-modified date, the company name, and revision notes. PDF files can contain form field data, embedded attachments, XMP metadata, and layer information.

Prevention: Strip all metadata before disclosure. Purpose-built redaction tools do this automatically. If using manual processes, explicitly check document properties, hidden data (Word's Document Inspector), and PDF metadata (File > Properties in most readers).
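A pre-disclosure check for exactly the hidden .docx data described above (core properties, tracked-change authors, comment authors), written here as an added example; it is not SafeRedact's code and the sample document parts are constructed inline (a real .docx also carries [Content_Types].xml and relationship parts, which the check does not need):

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]  # ElementTree's {namespace}local form for WordprocessingML tags/attrs

def inspect_docx(data: bytes) -> dict:
    """Report identity-bearing hidden data in a .docx (a zip of XML parts):
    core properties, tracked-change (w:ins/w:del) authors and comment authors."""
    found = {"core": {}, "revision_authors": set(), "comment_authors": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dc:description"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found["core"][tag] = el.text
        if "word/document.xml" in parts:
            for el in ET.fromstring(z.read("word/document.xml")).iter():
                if el.tag in (W + "ins", W + "del") and el.get(W + "author"):
                    found["revision_authors"].add(el.get(W + "author"))
        if "word/comments.xml" in parts:
            for el in ET.fromstring(z.read("word/comments.xml")).iter(W + "comment"):
                if el.get(W + "author"):
                    found["comment_authors"].add(el.get(W + "author"))
    return found

def safe_to_disclose(found: dict) -> bool:
    """True only when no author, editor or commenter identity survives in the package."""
    return not (found["core"] or found["revision_authors"] or found["comment_authors"])

def build_sample_docx(core_xml: str, document_xml: str, comments_xml: str = "") -> bytes:
    """Constructed minimal .docx for the demonstration (not a complete OOXML package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", document_xml)
        if comments_xml:
            z.writestr("word/comments.xml", comments_xml)
    return buf.getvalue()

# Constructed sample: the visible text is redacted, but three names survive in hidden data.
CORE_XML = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>hr.manager</dc:creator>'
            '<cp:lastModifiedBy>S. Thompson</cp:lastModifiedBy></cp:coreProperties>' % (NS["cp"], NS["dc"]))
DOC_XML = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Performance review: [REDACTED]</w:t></w:r>'
           '<w:ins w:author="line.manager"><w:r><w:t>rating 2/5</w:t></w:r></w:ins></w:p></w:body></w:document>' % NS["w"])
COMMENTS_XML = ('<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="payroll.admin">'
                '<w:p><w:r><w:t>check salary band</w:t></w:r></w:p></w:comment></w:comments>' % NS["w"])
```

Run `inspect_docx` over every file in the response package and block delivery while `safe_to_disclose` is false; a docx that passes this check can still leak through images and embedded objects, which failure 5 covers.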

3. Inconsistent redaction across documents

You redact Sarah Thompson's name from the performance review on page 12, but her name appears unredacted in the email thread on page 47 and in the meeting notes on page 83. The entire redaction effort for Sarah is now defeated — the requester knows her name from the unredacted instances.

This is almost inevitable with manual redaction at scale. Human reviewers working through hundreds of documents across multiple sessions will miss instances, especially when names appear in different formats (Sarah Thompson, S. Thompson, sarah.thompson@company.com, Sarah T.).

Prevention: AI-powered detection tools that scan the entire document set and flag every instance of each entity. SafeRedact detects PII across all documents in a batch, so you can see every occurrence of a name, email, or phone number and redact consistently.
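The consistency check this section calls for, as an added example (not SafeRedact's detection engine): one pattern covering the variant forms listed above (full name, initial plus surname, first name plus initial, and the email local-part), scanned across a constructed three-document batch, then re-run on the redacted output so any surviving instance is reported.

```python
import re

def name_variants(first: str, last: str, domain: str) -> re.Pattern:
    """Compile one case-insensitive pattern for the variant forms a name takes in a document set."""
    f, l = re.escape(first), re.escape(last)
    fi, li = re.escape(first[0]), re.escape(last[0])
    forms = [
        rf"\b{f}\s+{l}\b",                        # Sarah Thompson
        rf"\b{fi}\.\s*{l}\b",                     # S. Thompson
        rf"\b{f}\s+{li}\.",                       # Sarah T.
        rf"\b{f}\.{l}@{re.escape(domain)}\b",     # sarah.thompson@company.com
    ]
    return re.compile("|".join(forms), re.IGNORECASE)

def find_occurrences(docs: dict, pattern: re.Pattern) -> dict:
    """Map each document that mentions the entity to the exact forms found in it."""
    return {name: [m.group(0) for m in pattern.finditer(text)]
            for name, text in docs.items() if pattern.search(text)}

def redact(docs: dict, pattern: re.Pattern, only: set = None) -> dict:
    """Replace every variant with a marker in the chosen documents (all when `only` is None)."""
    return {name: (pattern.sub("[REDACTED]", text) if only is None or name in only else text)
            for name, text in docs.items()}

# Constructed sample batch: the same person appears in three forms across three pages.
DOCS = {
    "p12_review.txt": "Performance review: Sarah Thompson met expectations.",
    "p47_email.txt": "From: sarah.thompson@company.com\nS. Thompson raised the ticket.",
    "p83_notes.txt": "Attendees: Sarah T., J. Patel.",
}
SARAH = name_variants("Sarah", "Thompson", "company.com")

def leftovers_after_partial_redaction() -> dict:
    """Redact only page 12 (the manual-review mistake) and report what still leaks."""
    return find_occurrences(redact(DOCS, SARAH, only={"p12_review.txt"}), SARAH)
```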

4. Over-redacting the requester's own data

In the rush to protect third-party data, a compliance team redacts information the requester is legally entitled to see — their own performance ratings, salary data, or details of decisions made about them. This is a compliance failure in the opposite direction: you're denying a legitimate right of access.

This is particularly common in employee DSARs where the requester's data is deeply intermingled with others'. A paragraph discussing the employee's promotion decision might mention the hiring committee's deliberations (third-party) alongside the specific reasons the employee was promoted (their personal data). Redacting the entire paragraph to be safe denies the employee information they're entitled to receive.

Prevention: The selective redaction workflow — identify each piece of PII, determine whose it is, and make a per-item decision. DSAR redaction is granular, not all-or-nothing.

5. Forgetting embedded files and attachments

You redact the body of an email but forget that it has a PDF attachment containing a spreadsheet of employee data. You redact the covering letter but not the enclosed report. You redact the document text but not the images embedded within it (which may contain text visible in screenshots or photos).

Email archives are the worst offenders. A typical corporate email system stores messages with nested attachments, inline images, calendar invitations with attendee lists, and .eml files forwarded as attachments — each of which may contain unredacted third-party PII.

Prevention: Process the complete document package, not just individual files. Extract and redact attachments separately. Use AI detection tools with OCR capability to catch text in images.

6. Sending the wrong version

This happens more often than anyone admits. The compliance team produces a redacted version and an unredacted version (for the audit trail). Someone sends the wrong file. Or a review process creates multiple iterations, and the final version wasn't actually the one that was sent.

If the unredacted version reaches the requester, every piece of third-party personal data in the entire response package has been disclosed. This is a significant data breach that may affect dozens or hundreds of individuals.

Prevention: Use a naming convention that makes versions unmistakable (e.g., "REDACTED_FINAL_" prefix). Implement a two-person verification step before sending — one person prepares the response, another confirms the correct files are attached. Consider using a secure portal for delivery rather than email attachments.

7. No audit trail

A year after responding to a DSAR, the requester complains to the ICO that information was improperly withheld. The ICO asks you to explain your redaction decisions. You have no records of which exemptions were applied, which documents were reviewed, who made the decisions, or why specific information was redacted.

Without an audit trail, you cannot defend your response. The ICO will assess your compliance based on what you can demonstrate, not what you vaguely recall doing. A well-documented response with reasonable redaction decisions will satisfy regulators. An undocumented response — even if the redactions were correct — leaves you exposed.

Prevention: Document every exemption applied (which exemption, which document, which data, reasoning). Record the data sources searched, the tools used, the people involved, and the delivery method. Retain these records for at least three years — the ICO can investigate historical complaints.

SafeRedact prevents failures 1, 2, 3, and 5 by design. Pixel-burn redaction eliminates visual-only failures. Automatic metadata stripping prevents leaks. Batch AI detection ensures consistency across document sets. And the review interface logs every keep/redact decision for your audit trail.

The cost of getting it wrong

GDPR fines for data breaches can reach 4% of global annual turnover or €20 million, whichever is higher. But the immediate financial penalty is often the smallest cost. Regulatory investigations consume management time and legal fees for months. Reputational damage — particularly in employee disputes that reach tribunal — is difficult to quantify but real. And if the breach triggers further DSARs from the affected third parties (which it often does), you're now processing additional requests with the regulator watching.

The alternative is investing in proper redaction tooling and process from the start. At $99/year for SafeRedact or custom pricing for enterprise volumes, the cost of prevention is negligible compared to the cost of a single redaction failure.