Redaction Compliance Best Practices

5 DSAR Redaction Mistakes That Lead to GDPR Fines

Common redaction errors that expose businesses to regulatory action, and how to avoid them.

January 5, 2026 3 min read

Why Redaction Matters

When responding to a Data Subject Access Request (the right of access under GDPR Article 15), you must provide ALL personal data about the requester, but you must NOT disclose personal data about other individuals where doing so would adversely affect their rights (Article 15(4)). This balancing act is where many organisations fail.

Poor redaction has featured in GDPR enforcement action, including cases where medical records, HR files, and customer data were disclosed to the wrong person inside a DSAR response.

Mistake #1: Over-Redaction

The problem: Redacting information the data subject is entitled to see.

Some organisations, fearful of sharing too much, redact data the requester is entitled to. That is itself a breach of the right of access: the data subject is being denied what the law says they may see.

Examples:

  • Redacting the subject’s own name from documents
  • Hiding metadata they’re entitled to see
  • Removing so much surrounding context that the remaining data is meaningless

The fix: Redact only other people's personal data (and only where it is not reasonable to disclose it, for example because the third party has not consented) and material covered by a recognised exemption such as legal privilege. Everything else belongs to the requester.

Mistake #2: Under-Redaction (Third-Party Data Exposed)

The problem: Failing to redact other people’s personal data.

This is the most common, and most dangerous, redaction mistake. Sharing one person's data in another person's DSAR response is a personal data breach in its own right, with its own assessment and notification obligations.

Real examples:

  • Customer service notes containing other customers’ details
  • Email threads with multiple participants
  • HR records mentioning colleagues
  • Medical records with other patients visible

The fix: Every document must be reviewed for third-party personal data before release, and the check must run on the final output file, not the working copy. AI-powered scanning can catch what human reviewers miss.

Mistake #3: Inconsistent Redaction

The problem: Redacting a name in one place but leaving it visible elsewhere.

If “John Smith” appears 47 times in a document set and you redact only 45 occurrences, two third-party disclosures have gone out. Regulators treat inconsistent redaction as evidence of an inadequate process rather than a one-off slip.

The fix: Use find-and-replace or AI tools that identify every instance of a data element across the entire document set. Build the search list from all variants of the element, not just the canonical form: initials, first name alone, email handles, misspellings, and names that a word processor has split across formatting runs.

Mistake #4: Visible Redaction Marks That Can Be Reversed

The problem: Using black highlighting, shapes, or text boxes that can be removed.

Simply drawing a black box over text in a Word document doesn't redact it: the text is still in the file, and the recipient can delete the shape, copy and paste through it, or run text extraction. The same applies to many PDF “redaction” tools that only add a visual layer on top of the content stream, and to tracked changes, where “deleted” text is retained in the file until changes are accepted.

The fix: Use proper redaction tools that permanently remove the underlying data, then export to a flattened PDF. Verify the output: extract the text from the final file and search it for the redacted terms. If anything comes back, the redaction was cosmetic.

Mistake #5: Forgetting Metadata

The problem: Redacting visible content but leaving metadata intact.

Documents contain hidden data: author names, revision history, comments, tracked changes, GPS coordinates in photos. All of this can contain third-party personal data.

Real examples:

  • Word document properties showing other employees’ names
  • Photo EXIF data revealing locations
  • PDF metadata with email addresses
  • Hidden spreadsheet columns, sheets, and cell comments

The fix: Strip metadata from all documents before release, or use tools that handle this automatically. Then inspect the properties of the file you are about to send, not the original, to confirm the fields are actually empty.
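A release-gate check covering Mistakes #3, #4 and #5, plus the over-redaction check from Mistake #1, as an added example that is not part of the original article and not SAR Portal's code. It treats a .docx as the zip of XML parts it is and scans every part (body text, comments, headers, tracked-change deletions, and docProps/core.xml) for any residual third-party identifier, then blanks the core properties. The sample package, the names in it, and the function names are constructed for this example; it uses only the Python standard library.

```python
"""Release gate for a DOCX in a DSAR bundle. Added example; stdlib only.

A .docx is a zip of XML parts. A shape drawn over a name leaves the name in
word/document.xml, comments and headers are separate parts, tracked deletions
sit in <w:delText>, and docProps/core.xml carries author names. This scans
all of them for residual third-party identifiers and confirms the data
subject's own name was not removed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
ET.register_namespace("cp", CP)
ET.register_namespace("dc", DC)
TEXT_TAGS = (f"{{{W}}}t", f"{{{W}}}delText")

# Constructed sample package (not a real file). The third party's name is split
# across two runs the way Word stores it, and the "redaction" was a drawn box,
# so every character is still present.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    ),
    "word/document.xml": (
        f'<w:document xmlns:w="{W}"><w:body>'
        "<w:p><w:r><w:t>Complaint raised with Jo</w:t></w:r>"
        "<w:r><w:t>hn Smith on 3 March.</w:t></w:r></w:p>"
        "<w:p><w:r><w:t>Requester: Alice Brown</w:t></w:r></w:p>"
        "</w:body></w:document>"
    ),
    "word/comments.xml": (
        f'<w:comments xmlns:w="{W}"><w:comment w:author="John Smith">'
        "<w:p><w:r><w:t>Escalate to legal.</w:t></w:r></w:p></w:comment></w:comments>"
    ),
    "word/header1.xml": (
        f'<w:hdr xmlns:w="{W}"><w:p><w:del><w:r>'
        "<w:delText>Prepared for John Smith</w:delText></w:r></w:del></w:p></w:hdr>"
    ),
    "docProps/core.xml": (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
        "<dc:creator>John Smith</dc:creator><cp:lastModifiedBy>hr-team</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ),
}


def build_sample() -> bytes:
    """Pack the constructed parts into an in-memory .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in SAMPLE_PARTS.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def text_fragments(xml_bytes: bytes):
    """Yield the strings a reader or text extractor could recover from one part.
    Runs inside a paragraph are joined so a name split across <w:t> elements is
    still found; attribute values (comment authors, etc.) are included."""
    root = ET.fromstring(xml_bytes)
    for p in root.iter(f"{{{W}}}p"):
        yield "".join(t.text or "" for t in p.iter() if t.tag in TEXT_TAGS)
    for el in root.iter():
        if el.text and el.text.strip():
            yield el.text
        yield from el.attrib.values()


def scan_package(docx_bytes: bytes, terms) -> dict:
    """Map each XML part name to the sorted list of terms still found in it."""
    patterns = {t: re.compile(re.escape(t), re.IGNORECASE) for t in terms}
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            hits = {t for frag in text_fragments(zf.read(name))
                    for t, pat in patterns.items() if pat.search(frag)}
            if hits:
                findings[name] = sorted(hits)
    return findings


def strip_core_properties(docx_bytes: bytes) -> bytes:
    """Blank every value in docProps/core.xml and return the rewritten package.
    This addresses Mistake #5 only; body text under a drawn box is untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                for el in root.iter():
                    if el is not root:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()


def release_check(docx_bytes: bytes, third_parties, data_subject: str) -> dict:
    """Gate: no third-party identifier anywhere in the package (Mistakes #3-#5)
    and the data subject's own name still present (Mistake #1)."""
    residual = scan_package(docx_bytes, third_parties)
    subject_present = bool(scan_package(docx_bytes, [data_subject]))
    return {"residual": residual, "subject_present": subject_present,
            "ready": not residual and subject_present}


if __name__ == "__main__":
    pkg = build_sample()
    print(release_check(pkg, ["John Smith"], "Alice Brown"))
    print(release_check(strip_core_properties(pkg), ["John Smith"], "Alice Brown"))
```

Running it on the constructed sample reports "John Smith" in the body, the comment author attribute, the header's tracked deletion and the core properties; after `strip_core_properties` only the core.xml finding disappears, which is the point: metadata stripping and content redaction are separate jobs, and the gate only passes when the third-party list comes back empty and the data subject's own name is still present. Run the same scan on the flattened PDF you actually send (via any text extractor) before release.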

The Compliance Checklist

Before sending any DSAR response:

  • All third-party names redacted consistently
  • Email addresses, phone numbers, addresses of others removed
  • Document metadata stripped
  • Redactions are permanent (text extraction from the final file finds nothing under the marks)
  • Data subject’s own information is NOT redacted
  • Someone other than the preparer has reviewed

How AI Changes Redaction

Modern AI can:

  1. Detect PII automatically — names, emails, phone numbers, addresses, ID numbers
  2. Identify the data subject — distinguish their data from others'
  3. Apply consistent redaction — catch every instance across hundreds of pages
  4. Handle multiple formats — PDFs, Word docs, images, spreadsheets
  5. Create audit trails — log what was redacted and why

What takes a human hours, automated detection does in minutes; the human reviewer then checks the tool's output and the exceptions it flags instead of reading every page cold.


Want to eliminate redaction risk? SAR Portal’s AI automatically detects and redacts third-party PII while preserving the data subject’s information. See how it works.
