If you are subject to the European Union's (EU) General Data Protection Regulation (GDPR), you will need to fulfill Data Subject Access Requests (DSARs). Certain personal data, in particular data about other people, must be redacted before you respond to a DSAR.
This legal and operational guide explains what the GDPR is and who it applies to, how DSARs work, what data you need to redact before responding to a DSAR, and how to respond to DSARs to comply with the GDPR.
- 1. What Is the GDPR?
- 2. What Is a DSAR?
- 3. Who Can Make a DSAR?
- 4. How Do You Respond to a DSAR?
- 5. Why Do You Need to Redact Data Before Responding to a DSAR?
- 5.1. GDPR Principles
- 5.2. State and Global Privacy Laws
- 6. What Types of Data Need to Be Redacted Before Responding to a DSAR?
- 7. Step-By-Step Guide to Responding to DSARs
- 7.1. Step 1. Verify the Requester's Identity
- 7.2. Step 2. Review the Request
- 7.3. Step 3. Find Out What Personal Data Is Processed
- 7.4. Step 4. Determine What Data Needs to Be Redacted
- 7.4.1. Third-Party Personal Data
- 7.4.2. Confidential Business Data
- 7.4.3. Certain Systems or Security-Related Data
- 7.4.4. Privileged Information
- 7.5. Step 5. Ensure Third-Party Data Is Properly Redacted
- 7.6. Step 6. Provide the Requested Data
- 7.7. Step 7. Maintain Records of DSAR Requests
- 8. Summary
What Is the GDPR?
The GDPR is the EU's primary privacy and data protection law. It applies to organizations based in the EU that process (use) personal data, as well as organizations located outside of the EU that offer goods or services to individuals in the EU or monitor EU individuals' behavior.
Personal data under the GDPR is information that relates to an identifiable individual, or data subject.
Personal data can include the following:
- Names
- Identification numbers
- Location data
- Online identifiers
- IP addresses
- Biometric data
- Cookie identifiers
Article 4 of the GDPR defines personal data as any information relating to an identified or identifiable natural person (the data subject), and gives names, identification numbers, location data, and online identifiers as examples of identifiers.
The GDPR requires applicable companies and entities to process personal data in accordance with its rules.
Businesses subject to the GDPR may need to meet the following requirements:
- Have a lawful basis for processing personal data
- Maintain an accessible Privacy Policy that explains how personal data is used
- Honor data subjects' rights
- Minimize data collection and retention
- Keep the data they collect and process secure
- Fulfill data breach notification requirements
- Maintain records of data processing activities
- Conduct Data Protection Impact Assessments (DPIAs)
- Appoint a Data Protection Officer (DPO)
- Comply with international data transfer regulations
Article 6 of the GDPR sets out the six lawful bases, at least one of which must apply before personal data is processed. They include the data subject's consent and processing that is necessary for the controller's legitimate interests, provided those interests are not overridden by the data subject's rights.
The GDPR gives data subjects the following rights:
- Right to access their data
- Right to correct inaccurate data
- Right to delete their data
- Right to restrict data processing
- Right to data portability
- Right to object to certain data processing activities
- Rights related to automated decision-making and profiling
Chapter 3 of the GDPR lists data subjects' rights under the law, including the rights to access, correct, and delete their personal data.
A GDPR compliance strategy can involve many components, one of which is responding appropriately to DSARs. Let's take a look at what exactly a DSAR is.
What Is a DSAR?
A DSAR is a formal request that an individual can make to find out what personal information an organization holds about them and how it is processed. DSARs can be submitted in a variety of ways, but are typically submitted via email, postal mail, or an online form.
The United Kingdom's (UK) Information Commissioner's Office (ICO) maintains a subject access request template that small businesses can use as a reference when designing their own data access request forms. The template explains that data subjects have a right to ask for copies of their personal data and includes a link where users can learn more about their right of access under the UK GDPR.
Who Can Make a DSAR?
Any individual can make a DSAR concerning their own personal data. A third party can also make the request on the data subject's behalf, for example a solicitor or other authorised representative, a legal guardian, or a parent acting for a child.
Children may be able to make their own DSARs, or may need a third party to act on their behalf, depending on their maturity and capacity.
How Do You Respond to a DSAR?
If you receive a DSAR, you'll need to confirm that your organization processes (or has processed) personal data belonging to the data subject and provide the individual with access to and information about their personal data.
Details you'll need to provide the data subject include:
- Your reasons for processing their personal data
- The categories of personal data processed
- Any third parties you have shared their personal data with
- How long you intend to retain their data
- Information about data subjects' rights to correct or delete their personal data, restrict or object to the processing of their personal data, and lodge a complaint with a supervisory authority
- The source of the data (if collected indirectly)
- Whether automated decision-making or profiling is involved, and the reasons for and potential consequences of such involvement
- What safeguards are in place if the data subject's personal data is transferred internationally
You must provide at least one free copy of any personal data you process to the data subject. If the data subject wants more copies, you may charge a "reasonable fee" to pay for administrative expenses.
Importantly, the data subject's right to obtain a copy of their personal data cannot negatively impact the rights and freedoms of other people.
Article 15 of the GDPR explains that data subjects have the right to know whether an organization processes their personal data and to access that data, as well as information about the organization's reasons for processing the data, the categories of personal data that are processed, and recipients of the data subjects' personal data, among other information.
Keep in mind that you can refuse a DSAR, or charge a reasonable fee, if the request is manifestly unfounded or excessive, for example where a data subject asks for the same information every week although nothing has changed.
Additionally, if you are processing a large amount of information about the data subject, they may need to specify the types of data processing or information they want to access.
However, you cannot deny a DSAR just because it takes time or effort to fulfill.
Data controllers (those who decide how and why to use personal data) should have internal policies in place for responding to DSARs. Check our step-by-step guide at the end of this article for practical guidance on responding to DSARs.
Why Do You Need to Redact Data Before Responding to a DSAR?
Redacting personal data relating to third parties before responding to a DSAR can help you protect third-party personal data and confidential information and comply with GDPR principles and other state and global privacy and data protection laws.
According to the UK Information Commissioner's Office (ICO), when responding to a DSAR that involves third-party data, controllers must consider three key questions:
- Can you comply with the request without disclosing the third-party's data?
- If not, has the third party given consent to disclosure?
- If not, is it otherwise reasonable to disclose the data without consent?
This balancing test ensures you respect the rights of the requester without unfairly exposing others' personal data.
GDPR Principles
Redacting third-party personal data from DSAR responses can help you comply with the GDPR's personal data processing principles.
GDPR personal data processing principles include:
- Data minimization. Providing the data subject with only the information relevant to their DSAR helps you ensure that third-party data isn't unnecessarily disclosed.
- Purpose limitation. When you redact third-party data, you help ensure that the information disclosed is limited to fulfilling the DSAR and not used for unrelated or unauthorized purposes.
- Confidentiality and integrity. Redaction helps protect third-party data by preventing access by unauthorized individuals.
- Accountability. You can demonstrate your adherence to the GDPR by ensuring that only essential information is shared in DSAR responses.
Article 5 of the GDPR lists its principles for processing personal data, including limiting the processing of personal data to that which is necessary to fulfill an organization's purposes.
State and Global Privacy Laws
Redacting personal data before disclosure is essential in protecting data subjects' privacy and complying with applicable laws.
In addition to the GDPR, you may need to comply with state privacy laws such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA), and global data protection laws, including the UK GDPR, Brazil's Lei Geral de Proteção de Dados (LGPD), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
The privacy laws that apply to you can depend on many factors, including your location, the location of the people whose personal data you process, the nature of your business, and the volume of the data you process.
You'll need to check the laws that apply to you to find out how to comply with their specific requirements, but it's generally a good idea to protect third parties' privacy rights by redacting their personal data before responding to DSARs.
Principle 9 of the PIPEDA explains that organizations may not be able to provide individuals access to personal information in certain situations, including if the information is too expensive to provide, contains references to other people, can't be shared because of legal, security, or business purposes, or is subject to legal privileges.
While not a response to a DSAR, the 2025 JFK assassination records release demonstrates the importance of striking a balance between protecting personal data and providing transparency when disclosing information.
In March 2025, the U.S. National Archives and Records Administration (NARA) released the unredacted JFK Assassination Records, which included personal data. U.S. attorney Joseph diGenova, whose personal information was revealed in the documents, said he intends to sue NARA for violating privacy laws.
A JFK assassination-related document released in 2017 by NARA redacted the name of the Acting Chief of Station, protecting their personal data.
What Types of Data Need to Be Redacted Before Responding to a DSAR?
Before responding to a DSAR, you should analyze the data and ensure that certain types of information are redacted from the copy supplied to the requester. Types of data that you may need to redact can include third-party personal data, irrelevant systems data, certain security-related data, confidential business information, and privileged legal information.
Step-By-Step Guide to Responding to DSARs
Here's a practical guide on how to respond to DSARs to comply with the GDPR, including how to redact third-party data.
Step 1. Verify the Requester's Identity
Before you respond to a DSAR, you'll need to make sure the person making the request is who they say they are. Your identity verification method should collect only the minimum information necessary.
For instance, you probably don't need a data subject's government ID or birth certificate to confirm their identity. Requesting more data than what you actually need to verify identity poses a higher risk to the individual's privacy, is likely not proportionate to your needs, and may violate the GDPR's principle of data minimization.
A common practice in verifying identity is asking the individual to provide information only they have access to, such as a transaction reference number or confirmation code.
The Joint Commission's Data Subject Access Request Form explains that it requires users' personal data to process requests, including the requester's first and last name and email address. It includes links to its Privacy Statement and Preference Center, where users can find out more about how it processes personal data and how they can exercise their privacy rights.
If you can't verify the data subject's identity, you may need to ask for more information in order to process the DSAR. If you still can't confirm the individual's identity, you should let them know as soon as possible why you can't fulfill their DSAR.
Recital 64 of the GDPR explains that data controllers should use "all reasonable measures" to confirm data subjects' identity when responding to DSARs.
Step 2. Review the Request
Once you have confirmed the data subject's identity, you can take a closer look at the request to determine whether any other legislation applies and if the DSAR is legitimate.
Answering the following questions can help you decide the best way to move forward with your DSAR response:
- Is personal data related to the data subject being processed? You will need to check all systems, databases, and departments to see if the data subject's personal data is being processed. Data mapping tools like OneTrust or BigID can help you discover and classify data. Keep in mind that even if you don't find any information about the person making the request, you'll still need to reply.
- Is the request excessive or manifestly unfounded? If the request is excessive or manifestly unfounded (clearly unreasonable, such as a request obviously made with the intention to burden or harass your company), then you may need to inform the data subject that you must charge a fee in order to respond to their request, or that you cannot respond to their access request.
- Do you need further information from the data subject in order to respond to the request? If so, you will need to let the individual know what information you need in order to fulfill their DSAR.
- Will you need to charge an administrative fee in order to respond to the request? If the data subject is asking for additional copies of their personal data or in situations where the requests are repetitive, you may be allowed to charge a reasonable fee to cover administrative expenses related to handling the DSAR.
You have one month to respond to a DSAR. This deadline runs from the day you receive the request, not from when identity verification is completed. If the request is complex, you may extend your response time by up to two more months, but you must inform the requester within the first month and explain why the extension is necessary.
Supervisory authorities, such as the ICO, recommend documenting your reasoning for any extension in case of audit or complaint.
Article 12 of the GDPR sets the deadline for replying to a data subject request at one month from the date the controller receives it. Where necessary, taking into account the complexity and number of requests, the deadline can be extended by a further two months.
So what happens if you miss the deadline for responding to a DSAR? GDPR violations can result in serious consequences, including fines of up to €20 million or 4% of your organization's global annual turnover, whichever is higher.
Having efficient procedures in place for identifying DSARs and confirming the requester's identity can help you comply with the GDPR's DSAR response deadlines.
Step 3. Find Out What Personal Data Is Processed
The next step in responding to a DSAR is establishing a comprehensive list of the requester's personal data that your organization processes or has processed.
You may need to check the following locations to find all of the personal data your organization holds about the individual:
- Devices, such as smartphones, computers, tablets, and external hard drives.
- Communication channels, including emails, call recordings, messaging and project management platforms, and social media content.
- Internal systems, such as HR files, customer support records, financial and payment processing systems, and subscriber databases.
- Storage locations, including cloud storage platforms, document repositories, and archived files.
- Logs and monitoring data, such as analytics logs, security logs, and CCTV recordings.
- Third-party service providers, including analytics and tracking tools, video conferencing platforms, email marketing services, and Customer Relationship Management (CRM) systems.
Finding all the personal data linked to an individual can be a big job, and you might want to consider using data discovery tools to help expedite the process.
BigID provides a data discovery and classification service that can scan multiple locations to find and classify data.
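As an added example (not tooling from the article or from any vendor it mentions), here is a Python sketch of the Step 3 search across three constructed sources: a web access log, a ticketing export, and a CRM export. The requester's identifiers, the records and the log format are invented; a real search would also cover the other locations listed above. Matching is on whole tokens so that a similar IP address or customer number belonging to someone else does not produce a false hit, and each hit notes any other people's e-mail addresses it contains so that Step 4 knows which records need redaction review.

```python
"""Locate a DSAR requester's personal data across several sources (Step 3).

Added example, not tooling from the article. The requester identifiers,
records and log format below are constructed for illustration.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Hit:
    source: str            # which system or location the record came from
    record: str            # the raw record (still unredacted at this stage)
    matched_on: str        # which requester identifier matched (email, customer_id, ip)
    other_emails: list     # other people's addresses in the same record -> redaction review


def _whole_token(ident: str, text: str) -> bool:
    """Match only whole tokens: 203.0.113.7 must not hit 203.0.113.71,
    and C-10482 must not hit C-104821. Both inputs are already lower-cased."""
    return re.search(r"(?<!\w)" + re.escape(ident) + r"(?!\w)", text) is not None


def find_personal_data(requester: dict, sources: dict) -> list:
    """Scan every record in every source for any of the requester's identifiers.

    requester: {"email": ..., "customer_id": ..., "ip": ...}; empty values are ignored.
    sources:   {"source name": [record, ...]} where each record is a string.
    Returns one Hit per matching record. Records that also contain someone
    else's e-mail address are flagged via other_emails for Step 4.
    """
    idents = {k: v.strip().lower() for k, v in requester.items() if v}
    hits = []
    for name, records in sources.items():
        for rec in records:
            low = rec.lower()
            matched = next((k for k, v in idents.items() if _whole_token(v, low)), None)
            if matched is None:
                continue
            found = {e.lower() for e in EMAIL_RE.findall(rec)}
            others = sorted(found - {idents.get("email")})
            hits.append(Hit(name, rec, matched, others))
    return hits


# Constructed requester and sources (invented data).
REQUESTER = {"email": "Ana.Silva@example.com", "customer_id": "C-10482", "ip": "203.0.113.7"}

SOURCES = {
    "web access log": [
        '203.0.113.7 - - [12/Mar/2025:09:14:01 +0000] "GET /account HTTP/1.1" 200 512',
        '203.0.113.71 - - [12/Mar/2025:09:14:05 +0000] "GET /account HTTP/1.1" 200 512',
        '198.51.100.9 - - [12/Mar/2025:09:15:22 +0000] "POST /login HTTP/1.1" 302 0',
    ],
    "support tickets": [
        "Ticket 4471 from ana.silva@example.com: refund not received, cc bob.ng@example.net",
        "Ticket 4472 from carol@example.org: password reset",
    ],
    "CRM": [
        "C-10482 | Ana Silva | plan=pro | renewal=2025-11-01",
        "C-10483 | Bob Ng | plan=basic | renewal=2025-07-14",
    ],
}

if __name__ == "__main__":
    for h in find_personal_data(REQUESTER, SOURCES):
        flag = " (contains other people's data)" if h.other_emails else ""
        print(f"{h.source} [{h.matched_on}]{flag}: {h.record}")
```

Running it yields three hits, one per source: the access-log line for the requester's IP (the line for 203.0.113.71 is correctly skipped), the ticket matched on e-mail and flagged because it also carries bob.ng@example.net, and the CRM row matched on customer ID. Every hit still holds the raw record at this point; nothing here is sent to the requester until Steps 4 and 5 have been applied.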
Once you've located all relevant personal data, you'll want to provide the requester with the following information:
- The personal data that is being processed
- Your reasons for processing the data
- The categories of personal data being processed
- The categories of third parties that receive the personal data
- How long you intend to retain the personal data
- Information about the data subject's rights under the GDPR, including their rights to correct or delete their personal data, restrict or object to the processing of their personal data, and lodge a complaint with a supervisory authority
- What source the personal data was collected from (if not collected directly from the data subject)
- Whether the data processing involves automated decision-making, including profiling
- Whether the personal data has been transferred to a third country
- Whether there is any third party personal data that can't be disclosed to the data subject making the request
- Any obstacles to providing the personal data to the requester
Step 4. Determine What Data Needs to Be Redacted
The next step is deciding what data you need to redact. Types of data you may need to redact can include third-party personal data, confidential business information, certain systems or security-related data, and privileged legal information.
Third-Party Personal Data
It's important to balance the data subject's right to access their personal data with other people's privacy rights. Any personal data that belongs to data subjects other than the individual who made the DSAR should be redacted.
For example, your company might have an email that contains the requester's personal data but also contains information about other employees. In that case, you would want to redact the data about the other employees before providing the requester with a copy of the email.
The ICO advises that if third-party information is "inextricably linked" with the requester's personal data, you must carefully assess whether redaction is possible or whether disclosure can still be justified. Where disclosure would be unfair, you may lawfully withhold the third-party data while still providing the requester with access to their own.
Recital 63 of the GDPR states that the data subject's right of access cannot adversely affect the rights and freedoms of others.
You need to take extra precautions when handling special categories of data (also known as sensitive information).
Sensitive information can include:
- Race
- Ethnicity
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health-related data
- Biometric data (such as fingerprints or iris scans)
- Data concerning an individual's sex life or sexual orientation
Any sensitive data that doesn't belong to the individual making the DSAR should be redacted before you respond to the request.
Article 9 of the GDPR prohibits processing special categories of data unless one of its exceptions applies, for example where the data subject has given explicit consent or where processing is necessary to protect someone's vital interests.
Confidential Business Data
You should redact information that could harm the legitimate interests of an organization, such as trade secrets or financial information.
Google's redacted letter to the Federal Communications Commission (FCC) is an example of a document that contains redacted business data to protect the organization's interests.
Certain Systems or Security-Related Data
You may need to redact certain systems or security-related data, such as:
- Data relating to national security or public safety
- Logs or metadata that are irrelevant to the access requests
- IP logs or passwords that could compromise system security
Article 23 of the GDPR explains the restrictions that may apply to data subjects' rights, including in situations where those rights conflict with national security, defence, or public security.
Privileged Information
Privileged legal information between attorneys and their clients is protected and may need to be redacted from your DSAR response.
Step 5. Ensure Third-Party Data Is Properly Redacted
As far as redacting information in a physical format goes, you've likely seen a redacted court document in the movies with the thick black lines through the text. While that is one method of redacting information, you need to make sure there is no way for the text to be made readable again, such as through Adobe Photoshop or a similar program that could lighten the marker.
A common pitfall highlighted by the Irish Data Protection Commission is superficial redaction: using highlighting, white text, or an image overlay without actually removing the underlying data. Such methods can be reversed by copying and pasting the text or by opening the file in an editing tool. True redaction removes or irreversibly obscures the data at the content level and then saves the result as a flattened, non-editable file (for example a secured PDF). Keeping an audit trail of what was redacted and why is also recommended for accountability.
You might also consider copying only the requested information from the original document and sending it in a separate document.
Most DSAR material is digital, so your biggest concern is likely redacting information electronically. The options available depend on the amount of data you're working with and the scale of your operation.
Common redaction methods include using tools such as Foxit or Redactable, replacing the redacted text with a placeholder such as [REDACTED], or manually extracting only the requested information and pasting it into a new document to send to the requester.
Redactable's automated redaction software relies on AI to scan documents and discover and redact sensitive information.
Whichever method you use, save the copy you send as a new file generated from the redacted content, not the original with an overlay applied, and check that the removed data cannot be recovered by selecting, searching, or extracting the text before you send it.
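The following Python example, added here and not part of the article or of any vendor's product, shows the difference between superficial and true redaction on a constructed e-mail. The names, addresses, the [REDACTED:<category>] placeholder format and the hash-only audit log are assumptions for illustration. The first pair of functions reproduces the anti-pattern (white text in markup) and shows that plain text extraction recovers the hidden value; true_redact removes the third-party data from the content itself and logs category, reason and a truncated SHA-256 of each removed value, so the audit trail never becomes a second copy of the data; verify_no_leak is the final check before the flattened file is produced.

```python
"""Superficial versus true redaction of third-party data (Step 5).

Added example, not the article's own tooling. The e-mail text, names and
addresses are constructed; the [REDACTED:<category>] placeholder and the
hash-only audit log are design choices assumed here.
"""
import hashlib
import re
from html import escape

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def superficial_redact(text: str, secret: str) -> str:
    """The anti-pattern: hide the value with white-on-white markup.
    The string is still in the file, so any text extraction recovers it."""
    marked = escape(text)
    return marked.replace(escape(secret), f'<span style="color:#fff">{escape(secret)}</span>')


def extract_text(markup: str) -> str:
    """What copy-and-paste or a PDF text extractor does: styling is dropped, text stays."""
    return re.sub(r"<[^>]+>", "", markup)


def true_redact(text: str, requester_email: str, third_party_terms: dict,
                keep_addresses=()):
    """Remove the data itself. Returns (redacted text, audit log).

    third_party_terms: {value: category} decided in Step 4, e.g. {"Bob Ng": "name"}.
    Every e-mail address that is neither the requester's nor in keep_addresses
    (the controller's own role mailboxes) is removed as well. The audit log
    stores category, reason and a truncated SHA-256 of the removed value,
    never the value, so the log cannot become a second copy of the data.
    """
    log = []

    def record(value: str, category: str, reason: str) -> str:
        digest = hashlib.sha256(value.encode()).hexdigest()[:16]
        log.append({"category": category, "reason": reason, "sha256_16": digest})
        return f"[REDACTED:{category}]"

    # Longest terms first so "Bob Ng" is consumed before a shorter overlapping term could be.
    for term, cat in sorted(third_party_terms.items(), key=lambda kv: -len(kv[0])):
        pattern = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
        text = pattern.sub(lambda m, c=cat: record(m.group(0), c, "third-party personal data"), text)

    keep = {requester_email.lower()} | {a.lower() for a in keep_addresses}

    def email_sub(m):
        addr = m.group(0)
        return addr if addr.lower() in keep else record(addr, "email", "third-party e-mail address")

    return EMAIL_RE.sub(email_sub, text), log


def verify_no_leak(redacted: str, forbidden) -> list:
    """Final check before the file is produced: any forbidden value still present."""
    low = redacted.lower()
    return [v for v in forbidden if v.lower() in low]


# Constructed sample: one e-mail holding the requester's data and two colleagues' data.
EMAIL_TEXT = """From: hr@example.com
To: ana.silva@example.com, bob.ng@example.com
Subject: Team offsite expenses

Hi Ana, your expense claim C-10482 is approved. Bob Ng's claim is still
pending because Carol Tan (carol.tan@example.com) has not signed it off.
"""
REQUESTER_EMAIL = "ana.silva@example.com"
THIRD_PARTY = {"Bob Ng": "name", "Carol Tan": "name"}
FORBIDDEN = ["Bob Ng", "bob.ng@example.com", "Carol Tan", "carol.tan@example.com"]

if __name__ == "__main__":
    hidden = superficial_redact(EMAIL_TEXT, "Bob Ng")
    print("superficial redaction leaks:", "Bob Ng" in extract_text(hidden))
    out, audit = true_redact(EMAIL_TEXT, REQUESTER_EMAIL, THIRD_PARTY, keep_addresses=["hr@example.com"])
    print(out)
    print("audit entries:", audit)
    print("leaks after true redaction:", verify_no_leak(out, FORBIDDEN))
```

The requester's own address and the HR role mailbox survive; both colleagues' names and addresses are replaced by placeholders that tell the requester something was withheld and why, which is what Step 6 expects. The string returned by true_redact is what should be written into the flattened, non-editable file; producing that file is the step this example leaves to your document tooling.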
What if the information requested is CCTV footage? You may need to blur some of the footage if it could be used to identify third parties. You can use tools such as Adobe Premiere Pro or Movavi Video Editor to do this.
Adobe Premiere Pro enables users to blur an individual's face to protect their identity as they move across a frame in a clip.
Step 6. Provide the Requested Data
After you have redacted third-party data, you can send the information to the requester. If the data subject makes the request electronically, you should provide the copy electronically (unless otherwise specified by the data subject).
Make sure to provide the data in an accessible format, send it securely, and include information about why you process their data, how you got it, how long you plan to retain it, who you share the data with, and how the data subject can exercise their privacy rights.
Step 7. Maintain Records of DSAR Requests
You should keep dated records of all DSAR requests, responses, and timelines. Maintaining this documentation can help you manage repeat requests, prepare for potential audits, and demonstrate compliance with the GDPR's personal data processing principles.
Summary
The GDPR is the EU's primary data protection law. It applies to organizations that process personal data belonging to individuals in the EU and requires applicable entities to take steps to honor data subjects' rights and protect their personal data.
A DSAR is a formal request that a person can make to find out if an organization processes their personal data.
Your DSAR response should include the following information:
- Why you process the requester's personal data
- The categories of personal data you process
- Any third parties you disclose personal data to
- Your data retention policy
- Information about data subjects' rights to correct or delete their personal data, restrict or object to the processing of their personal data, and complain to a supervisory authority about the processing of their personal data
- The source of the data, if it is collected indirectly
- Whether and why automated decision-making or profiling is involved, and the potential consequences of these processing activities
- How you protect personal data if it is transferred internationally
You should redact certain data before responding to a DSAR to protect third parties' privacy, maintain confidentiality, and comply with GDPR principles and other state and global privacy legislation.
DSARs are also increasing in both volume and complexity. Recent industry research shows that organizations spend an average of 27 staff hours per request, with costs ranging from €1,200 to several thousand per DSAR, depending on the systems involved. This reinforces the importance of adopting efficient redaction workflows, using automated discovery and redaction tools where possible, and training staff to handle requests consistently.
Types of data that may need to be redacted before responding to a DSAR include:
- Third-party personal data
- Confidential business data
- Certain systems or security-related information
- Privileged legal information
You can respond to DSARs by taking the following steps:
- Verify the requester's identity
- Review the request
- Find out what personal data is processed
- Determine what data needs to be redacted
- Ensure third-party data is properly redacted
- Provide the requested data
- Maintain records of DSAR requests