Redaction and DSARs: What You Need to Know

Under the GDPR (General Data Protection Regulation), data subjects or their representatives are entitled to receive copies of any personal information that an organisation holds on them. The process of exercising this right is known as a DSAR (data subject access request).

There are circumstances in which organisations are required, or have a lawful exemption permitting them, to redact information before sending it to the person who made the request.

In this blog, we explain when information should be redacted and help you understand how to do so.

When is redaction required for a DSAR?

Although the GDPR gives individuals the right to know what information an organisation is processing about them and how it’s being used, the Regulation also understands that absolute transparency is not always feasible.

There are times when personal data records are inextricably linked to other confidential information. This can include sensitive internal documents and personal data about other people.

In cases like this, organisations should remove any information that doesn’t relate to the individual.

Redaction may also be necessary when personal information is held in databases alongside that of hundreds of other people. You must only release information regarding the person who made the request. Similarly, databases might store personal data alongside company information and terminology related to its business practices. Depending on the nature of this information, it might need to be redacted.

As a rule, you don’t have to release anything that could harm your organisation if it was revealed to an outside party.

However, this exemption does not apply to personal data that is embarrassing. Each request should be treated on its merits.

What information should be redacted?

The information that should be redacted will vary depending on the situation. An important part of the DSAR process is communicating the context in which the personal data is being used; this is normally set out in an organisation's privacy notice.

If there is supporting information that makes this clear, it might be advisable to retain it. However, you must never share information about someone other than the person who made the request.

How should information be redacted?

Physical records can be redacted in one of two ways. The first is to cross out, or redact, the offending data with a black marker pen.

If you choose this option, it’s a good idea to buy a specialist ‘redacting marker’. Unlike most pens, they are designed to ensure that information underneath is unreadable.

The second way is to create copies of the documents and use scissors to cut out the relevant information.

For digital files, you should look for a redaction option in the software you’re using. For example, Adobe PDF has a ‘mark for redaction’ tool that renders certain sections of the document unreadable.

If the software doesn’t have such a tool, you should create copies of the document and manually remove non-relevant information. You can either delete the offending information or highlight it in black.

If you highlight it in black, be sure to save the file as a PDF, otherwise the recipient will be able to highlight the text and read it.

In each of these cases, you might have the resources to redact information manually if you are dealing with a limited number of documents or requests. However, it can be a time-consuming process, so you might soon be overwhelmed.
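A check worth running on any digitally redacted file before it leaves the organisation: a black box drawn over text hides it from the eye, but the text itself remains in the file, and copy/paste or any text-extraction tool will recover it. Only removing the text object is redaction. The example below is added here and is not from the original article; it hand-builds a tiny single-page PDF using only the Python standard library, with constructed placeholder names and reference numbers, and contrasts the "highlight it in black" approach with removing the text and then drawing the box.

```python
"""Why a black box over text in a PDF is not redaction (added example).

Constructed sample data: every name and reference number is a placeholder.
The naive extractor below does what copy/paste or a PDF text tool does: it
reads the text-showing (Tj) operators and ignores whatever is painted on top.
"""
import re

# One text line per PDF text object: "BT /F1 <size> Tf <x> <y> Td (<text>) Tj ET"
TEXT_OBJECT = re.compile(rb"BT /F1 (\d+) Tf (\d+) (\d+) Td \((.*?)\) Tj ET")

# Constructed sample page: the requester's own data plus a third party's data
# that a DSAR response must not disclose.
SAMPLE_STREAM = (
    b"BT /F1 12 Tf 72 700 Td (Requester: Alice Example) Tj ET\n"
    b"BT /F1 12 Tf 72 680 Td (Third party: Bob Example, ref PLACEHOLDER-123) Tj ET\n"
)


def extract_text(stream: bytes) -> list[str]:
    """Return the strings a text extractor recovers from the content stream.
    The sample strings contain no escaped parentheses, so a regex suffices."""
    return [m.group(4).decode("latin-1") for m in TEXT_OBJECT.finditer(stream)]


def _black_box(size: int, x: int, y: int, text: bytes) -> bytes:
    """PDF operators for a filled black rectangle roughly covering the text
    (0 g = black fill; re f = rectangle, fill). Width is a Helvetica estimate."""
    width = len(text) * size // 2
    return b"0 g %d %d %d %d re f" % (x, y - 2, width, size + 2)


def cover_with_black_box(stream: bytes, needle: bytes) -> bytes:
    """The 'highlight it in black' approach: paint a box over each matching
    line AFTER the text is drawn, leaving the text object untouched."""
    out = stream
    for m in TEXT_OBJECT.finditer(stream):
        if needle in m.group(4):
            size, x, y = (int(g) for g in m.group(1, 2, 3))
            out += _black_box(size, x, y, m.group(4)) + b"\n"
    return out


def redact(stream: bytes, needle: bytes) -> bytes:
    """True redaction: delete the matching text object entirely and draw the
    box where it stood, so the layout still shows that something was removed."""
    def replace(m: re.Match) -> bytes:
        if needle not in m.group(4):
            return m.group(0)
        size, x, y = (int(g) for g in m.group(1, 2, 3))
        return _black_box(size, x, y, m.group(4))
    return TEXT_OBJECT.sub(replace, stream)


def build_pdf(stream: bytes) -> bytes:
    """Wrap a content stream in a minimal, valid single-page PDF with an xref
    table, so the result opens in an ordinary viewer."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    pdf = b"%PDF-1.4\n"
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(pdf))
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(pdf)
    pdf += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        pdf += b"%010d 00000 n \n" % off
    pdf += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return pdf


if __name__ == "__main__":
    boxed = cover_with_black_box(SAMPLE_STREAM, b"Third party")
    clean = redact(SAMPLE_STREAM, b"Third party")
    print("black box only :", extract_text(boxed))   # third party still present
    print("true redaction :", extract_text(clean))   # only the requester's line
    with open("dsar_boxed.pdf", "wb") as f:
        f.write(build_pdf(boxed))
    with open("dsar_redacted.pdf", "wb") as f:
        f.write(build_pdf(clean))
```

Open the two generated files side by side and they look identical; run text extraction over them and only the second is safe to release. The same pre-release check applies to a real redaction tool's output: extract the text from the final file and confirm the removed material is absent, rather than trusting what the page looks like on screen.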

You should also make a note of which lawful exemption you have used, so that if necessary you can justify your decision to the supervisory authority.

DSAR support with GRCI Law

Redaction is just one of many challenges organisations face when responding to DSARs.

There are strict time limits on fulfilling requests, the information must be provided in an appropriate format and it should be accompanied by other relevant details, such as the organisation’s contact information.

Organisations must also acknowledge the individual’s right to lodge a complaint, and they must understand their own rights to refuse manifestly excessive and unfounded requests.

Additionally, organisations need to know when they can delay requests to confirm the identity of the requestor or seek further information and when they are entitled to charge a fee to complete a request.

These concerns, alongside the potential for GDPR fines for non-compliance, mean that many organisations benefit from expert support.

GRCI Law provides that help with its DSAR as a Service package. It contains the guidance you need to manage the response process quickly and effectively.

Our team of experienced lawyers, barristers and cyber security experts manage the DSAR response process on your behalf, enabling you to focus on what your business does best.