DSAR Redaction Under GDPR: What You Can and Cannot Disclose

Redaction in DSAR responses is where most compliance risks actually sit.

It’s not just about removing information. It’s about making the right decision on what should and should not be disclosed — and being able to justify that decision if challenged.

Under GDPR, the right of access is fundamental, but it is not absolute. Every DSAR requires a careful balance between transparency and protecting the rights of others.


What does GDPR require organisations to disclose in a DSAR?

Under Article 15, organisations must provide:

  • Confirmation of whether personal data is being processed
  • Access to the individual’s personal data
  • Details such as purpose of processing, categories, recipients, and retention periods

They must also provide a copy of the personal data being processed.

However, this does not mean providing every document in full. The obligation is to provide access to personal data, not unrestricted access to entire records.


When should data be redacted in a DSAR response?

Data should be redacted when disclosure would negatively impact the rights and freedoms of others or reveal protected information.

Common scenarios include:

Third-party personal data
Names, contact details, or identifiers of other individuals should be redacted unless consent is obtained or disclosure is reasonable.

Confidential business information
Trade secrets or sensitive internal information can be withheld where disclosure would harm the organisation.

Legally privileged content
Communications involving legal advice are typically exempt from disclosure.

Internal discussions and opinions
Certain internal communications may be redacted if disclosure would reveal confidential processes or impact decision-making integrity.

The key principle is not whether the data exists, but whether it is appropriate to disclose it.


Can organisations refuse to disclose certain information entirely?

Yes, but only in specific situations.

Under Article 12(5), organisations can refuse requests that are manifestly unfounded or excessive.

They may also limit disclosure where:

  • it would adversely affect the rights of others (Article 15(4))
  • legal exemptions apply (e.g., under the Data Protection Act 2018)

In such cases, organisations must still provide as much information as possible without breaching these protections.


How should organisations balance transparency with protecting others’ rights?

This is where most DSAR redaction decisions are made.

Organisations must carry out a balancing exercise for each request:

  • Does the data belong to the subject?
  • Does it also identify someone else?
  • Can it be anonymised without losing meaning?
  • Would disclosure cause harm or breach confidentiality?

There is no one-size-fits-all rule. Each case must be assessed individually and documented clearly.

Regulators expect to see not just the outcome, but the reasoning behind it.


What are the most common mistakes in DSAR redaction?

Most issues arise not from intent, but from poor execution.

Superficial redaction
Drawing a black box over text without removing the underlying text layer leaves the data recoverable by copying, searching or extracting the file's text, and so can expose sensitive information.

Inconsistent redaction
Removing a name or identifier in one place but leaving it visible elsewhere creates risk and undermines the response.

Over-redaction
Removing too much information can result in non-compliance, as the data subject is not given meaningful access.

Lack of documentation
Failing to record why something was redacted makes it difficult to defend decisions if challenged.

Missing embedded data
Metadata, attachments, and hidden fields are often overlooked, leading to incomplete or risky disclosures.


Why is DSAR redaction one of the highest-risk stages?

Redaction sits at the intersection of legal judgment and operational execution.

Errors can lead to:

  • accidental disclosure of third-party data
  • breach of confidentiality
  • regulatory complaints
  • reputational damage

Unlike earlier stages, mistakes at this stage are often irreversible once data is shared.


How can organisations improve DSAR redaction accuracy?

Improving redaction is less about speed and more about consistency.

Standardise redaction rules
Define clear guidelines for what should be removed and why.

Ensure consistency across documents
Apply the same logic across all files, formats, and stages.

Train teams on edge cases
Most errors occur in grey areas, not obvious ones.

Maintain audit trails
Record what was redacted, by whom, and on what basis.

Review outputs before release
A structured final check helps catch inconsistencies or missed data.
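To show what "ensure consistency across documents", "maintain audit trails" and "review outputs before release" look like in practice, and how the common mistakes listed earlier (inconsistent redaction, missing embedded data, lack of documentation) get caught, here is a small pre-release check written for this post; it is added example code, not a tool the post describes. It scans the visible text layer, the document properties and any attachment text for identifiers that were meant to be redacted, and emits one audit record per redaction decision. The document name, the third-party name and the metadata fields are constructed sample data.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Document:
    name: str
    body: str                   # visible text layer after redaction
    metadata: dict              # document properties: author, comments, custom fields
    attachments: dict = field(default_factory=dict)  # attachment name -> extracted text

@dataclass
class RedactionRule:
    term: str       # identifier that must not survive anywhere in the release
    basis: str      # recorded reason, e.g. "Art. 15(4): third-party personal data"
    redactor: str   # who took the decision

def _contains(term, text):
    # whole-word, case-insensitive match so "lee" inside "fleet" is not a false hit
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None

def find_leaks(doc, rules):
    """(term, location) pairs where a redacted term survives in body, metadata or attachments."""
    surfaces = [("body", doc.body)]
    surfaces += [(f"metadata:{k}", str(v)) for k, v in doc.metadata.items()]
    surfaces += [(f"attachment:{k}", v) for k, v in doc.attachments.items()]
    return [(r.term, f"{doc.name}/{loc}")
            for r in rules for loc, text in surfaces if _contains(r.term, text)]

def audit_entries(doc, rules):
    """One record per rule: what was redacted, by whom, on what basis, and whether it leaked."""
    leaked = {term for term, _ in find_leaks(doc, rules)}
    return [{"document": doc.name, "term": r.term, "basis": r.basis,
             "redactor": r.redactor, "status": "LEAK" if r.term in leaked else "clean"}
            for r in rules]

def release_ready(doc, rules):
    """Structured final check: nothing leaves until every rule reports clean."""
    return all(e["status"] == "clean" for e in audit_entries(doc, rules))

# Constructed sample: the body was redacted, but the author property, a comment
# and an attached note still carry the third party's name.
SAMPLE = Document(
    name="grievance-file.docx",
    body="Grievance raised by the requester; witness statement taken from [REDACTED].",
    metadata={"author": "Jordan Lee", "comments": "Jordan Lee confirmed the dates"},
    attachments={"witness-note.txt": "Statement of Jordan Lee, 3 March."},
)
RULES = [RedactionRule("Jordan Lee", "Art. 15(4): third-party personal data", "dpo-reviewer")]
```

Running `find_leaks(SAMPLE, RULES)` reports three residual locations (the author property, the comment and the attachment), so `release_ready` returns False and the audit log records the decision alongside the failed check.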


Frequently Asked Questions

Do organisations have to provide full documents in a DSAR?

No. Organisations must provide access to personal data, not necessarily full documents if they contain third-party or protected information.


Can third-party data be disclosed in a DSAR?

Only if consent is obtained or if it is reasonable to disclose without adversely affecting the individual’s rights.


What happens if redaction is done incorrectly?

Incorrect redaction can lead to data breaches, regulatory action, and reputational damage.


Is redaction required for internal communications?

It depends. Internal communications may be redacted if they contain confidential or legally protected information.


Final Thought

DSAR redaction is not just a compliance task.

It is a judgment call.

Organisations that approach redaction with clear processes, consistent standards, and careful documentation are far better positioned to meet GDPR requirements without exposing themselves to unnecessary risk.