Question 1

What is redaction and why is it required for DSAR responses?

Accepted Answer

Redaction is permanently removing information from documents. When responding to a DSAR, you must redact third-party personal data — information about other people mentioned in the documents. This is required because disclosing other people's personal data without consent is a data breach under GDPR.

Question 2

What information should I redact from DSAR documents?

Accepted Answer

Redact: other people's names, email addresses, phone numbers, home and work addresses, employee IDs and customer numbers of others, signatures, and any information that could identify a third party. Do NOT redact: the requester's own data, company/business names (not personal data), generic job titles without names, or genuinely public information.

Question 3

Is using black highlight in Word a proper redaction method?

Accepted Answer

No, black highlighting in Word is NOT proper redaction. The text underneath can often still be copied, searched, or revealed by changing the highlight colour. Correct methods include: professional redaction software, Adobe Acrobat's redaction tool, printing and manually redacting then rescanning, or AI-powered redaction tools that permanently remove the data.

Question 4

What happens if I accidentally send unredacted data in a DSAR response?

Accepted Answer

Sending unredacted third-party personal data is a data breach. You may need to: report the breach to your Data Protection Authority within 72 hours if it poses a risk to individuals, notify the affected third parties, document the incident, and take steps to prevent recurrence. This can result in regulatory fines and damage to your reputation.

Question 5

How do I redact PDFs properly?

Accepted Answer

To properly redact PDFs: use Adobe Acrobat Pro's dedicated Redaction tool (not just drawing black boxes), use professional redaction software like Nuance or Relativity, or print the document, manually black out text with a marker, then rescan as a new PDF. Always verify redactions are permanent by trying to copy text from the redacted areas.

Question 6

What third-party data is commonly found in healthcare records?

Accepted Answer

Healthcare records commonly contain: referring doctor names and contact details, names of staff who treated the patient, family member contact information, emergency contacts, other patient names (in shared appointment records or ward notes), social worker and specialist referral information, and insurance representative details.

Question 7

Do I need to redact employee names from HR documents in DSARs?

Accepted Answer

It depends. You generally need to redact: colleagues' names in performance reviews or complaints, manager names and their personal opinions, witness names in disciplinary proceedings, and emergency contact details. You may not need to redact: generic job titles, department names, or information the requester would reasonably expect (like their direct manager's name in formal correspondence).

How to Redact Personal Data Correctly for GDPR DSARs

⚠ Why Redaction Matters

🚨 Sending unredacted data is a data breach

✏ What to Redact

Third-party personal data includes:

✓ What NOT to Redact

Keep the following visible:

🔧 Redaction Methods

⚠ Common mistake: fake redaction

Correct Methods

Incorrect Methods

🏢 Industry-Specific Examples

Healthcare / Clinics

Schools / Education

HR / Employment

Customer Service

🔗 Related Guides

Just Received a DSAR?

Complete DSAR Guide

DSAR Response Checklist

Missed the Deadline?

Need help with redaction?

Handle DSARs the right way