DSAR/SAR Redaction for Legal Teams
Solicitors and in-house counsel often inherit DSAR (also known as SAR) review after HR has assembled thousands of pages. The legal task is to ensure the disclosure complies with access rights while protecting legal professional privilege, third-party rights, and exemptions where properly engaged. Redaction quality must withstand scrutiny if the individual complains to the ICO or challenges the response. Speed matters, but recoverable redaction is never acceptable.
Scope and exemptions
Not everything in a file must be disclosed. Schedules of exemptions under UK GDPR / GDPR must be applied carefully and explained when you withhold material. LPP, management forecasting, and negotiations each have nuance. Redaction is the practical mechanism for withholding. Your letter to the data subject should summarise what categories were withheld and the high-level reason.
Multi-party documents
Email chains and attendance notes routinely implicate several people. Redaction must remove or obscure third-party personal data unless disclosure is fair and lawful. That often means heavy redaction of threads while preserving the requester's own contributions and data about them.
Court and regulator-ready PDFs
Final PDFs should be searchable where appropriate, paginated consistently, and free of hidden text. Some tribunals expect a schedule of documents. DSAR/SAR responses may be informal but should still be professional. Verify exports on multiple viewers before send.
Third-party and data-transfer risk
Instructing a law firm or BPO to redact involves processors and DPAs. Using a SaaS redaction platform that processes client documents in another jurisdiction may trigger transfer assessments. Ghost is designed with data minimisation in mind — see our security page for architectural details that many firms document alongside DPIAs and processor terms for sensitive matters.