
On this page

  • Third-party personal data
  • Permanence and technical adequacy
  • Data minimisation and storage
  • Security of processing
  • Documentation
  • Frequently asked questions
  • Get started

GDPR Redaction Requirements Explained

The GDPR contains no single checklist titled 'how to redact PDFs', but several obligations combine to shape what good redaction looks like: protect personal data by design and by default (Article 25), disclose no more than is necessary (data minimisation, Article 5(1)(c)), respect the rights of third parties (Article 15(4)), and avoid sloppy releases that amount to a new personal data breach (Article 4(12)). The following is practical guidance, not legal advice; align with your DPO or counsel.

Third-party personal data

The right of access gives the requester a copy of their own personal data, not a free look at everyone else's. Emails between HR and a manager, for example, contain several people's data. Article 15(4) says the right to obtain a copy must not adversely affect the rights and freedoms of others, so you typically redact identifiers and content relating to other people unless you can rely on a specific ground to disclose it, such as the other person's consent. Getting this wrong is one of the most common themes in DSAR/SAR-related complaints.

Permanence and technical adequacy

Redaction for disclosure must be irreversible in the file you hand over. Drawing a black rectangle over text in a graphics or PDF editor, hiding text on a layer, or setting it to the background colour does not remove it: the original text objects remain in the file and stay selectable, searchable and extractable, and a copy of the pre-redaction revision can survive in the file's incremental-update history or its metadata. True redaction removes the underlying content and replaces it, which is what dedicated redaction tools do when you 'apply' or 'burn in' redactions. Regulators and courts expect proportionate technical measures, and text recovered from 'redacted' documents has featured in public enforcement and news stories.

Export a final PDF and sanity-check it before sending: select-all and copy-paste into a text editor, search for the withheld terms, and open the document properties (title, author, subject, keywords). None of these should resurrect withheld content. If the tool supports it, also strip hidden information (metadata, attachments, annotations, bookmarks) before export.
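The check above, automated as an added example that is not Ghost's code: it constructs a throwaway single-page PDF in memory with a name painted on the page and a black box painted over it afterwards, the way a graphics tool 'redacts', then scans the file the way copy-paste, search and document properties would. The sample names and reference numbers are constructed. It reads raw PDF syntax with regular expressions and assumes plain or FlateDecode content streams, literal strings drawn with Tj, and a /Title in the /Info dictionary; a production check should use a real parser such as pypdf or PyMuPDF.

```python
"""Why a black box is not a redaction: the text survives in the file.

Added example, not Ghost's code. Assumptions: uncompressed or FlateDecode
content streams, literal strings drawn with Tj, metadata in /Info.
"""
import re
import zlib


def build_pdf(text: str, cover: bool, title: str, compress: bool = False) -> bytes:
    """Constructed sample PDF: one page that shows `text` and, if `cover`, paints a
    black rectangle over it afterwards. `title` goes into /Info (document properties)."""
    ops = f"BT /F1 24 Tf 72 700 Td ({text}) Tj ET\n"
    if cover:
        ops += "0 g 70 690 150 30 re f\n"  # fill a black box on top of the glyphs
    content = ops.encode("latin-1")
    stream_dict = b"<< /Length %d" % len(content)
    if compress:
        content = zlib.compress(content)
        stream_dict = b"<< /Length %d /Filter /FlateDecode" % len(content)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        stream_dict + b" >>\nstream\n" + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Title (" + title.encode("latin-1") + b") >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\n"
            b"startxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at))
    return bytes(out)


# Raw-syntax scanners (assumption: simple files; real ones need a PDF parser).
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
TJ_RE = re.compile(rb"\((.*?)(?<!\\)\)\s*Tj")          # literal string then Tj
TITLE_RE = re.compile(rb"/Title\s*\((.*?)(?<!\\)\)")   # /Info title entry


def shown_strings(pdf: bytes) -> list[str]:
    """Every literal string painted with Tj in any content stream, inflating
    FlateDecode streams first. This is what select-all, copy-paste and search see,
    whether or not a rectangle was painted over the glyphs later."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # stored uncompressed
        found.extend(s.decode("latin-1") for s in TJ_RE.findall(data))
    return found


def info_title(pdf: bytes) -> str:
    """The /Title shown in document properties, or '' if absent."""
    m = TITLE_RE.search(pdf)
    return m.group(1).decode("latin-1") if m else ""


def leaks(pdf: bytes, withheld: list[str]) -> dict[str, list[str]]:
    """Map each withheld term to where it still survives: 'text' (selectable and
    searchable) and/or 'metadata' (document properties). Empty dict means clean."""
    text = " ".join(shown_strings(pdf))
    title = info_title(pdf)
    result: dict[str, list[str]] = {}
    for term in withheld:
        where = [name for name, blob in (("text", text), ("metadata", title)) if term in blob]
        if where:
            result[term] = where
    return result


if __name__ == "__main__":
    withheld = ["Jane Doe", "4411"]  # constructed third-party name and case reference
    boxed = build_pdf("Jane Doe, grievance ref 4411", cover=True,
                      title="Jane Doe HR file", compress=True)
    print("black box only:", leaks(boxed, withheld))
    clean = build_pdf("[REDACTED], grievance", cover=False, title="DSAR disclosure pack")
    print("text replaced:  ", leaks(clean, withheld))
```

Running it reports that both the name and the reference survive under the box ('text') and that the name also sits in the document properties ('metadata'); the second file, where the text object was replaced before export and the title was changed, reports nothing. Real files add TJ arrays, hex strings, custom font encodings, annotations, XMP metadata and earlier revisions appended by incremental updates, so treat this as the shape of the check, not a complete scanner.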

Data minimisation and storage

Data minimisation requires that personal data be adequate, relevant, and limited to what is necessary. For redaction workflows, that means not creating unnecessary copies of unredacted bundles on shared drives, and not logging full document contents in ticketing systems. Prefer local processing or controlled environments over uploading full HR exports to generic cloud AI tools without a DPIA and contract.

Security of processing

You need appropriate technical and organisational measures. When you choose a redaction tool, consider where files are processed, who can access them, encryption in transit and at rest, subprocessors, and how long content is retained. See our security page for how Ghost handles these requirements.

Documentation

Keep enough records to show how you handled the request: timeline, scope of search, exemptions or partial refusals with reasons, and redaction approach. You do not need to over-collect. Focus on auditability.

Frequently asked questions

Does GDPR specify which redaction software I must use?

No. The GDPR sets principles such as integrity, confidentiality, data minimisation, and security of processing; you choose appropriate technical and organisational measures to meet them. Many teams document their choice of supplier, encryption, subprocessors, and retention for whichever redaction tools they adopt.

Why avoid uploading DSAR/SAR packs to random cloud AI tools?

Each new processor may need a contract, legal basis, and transfer assessment. Uploading sensitive employee or customer documents to consumer services can create compliance and security risk. Prefer third parties with clear retention policies and data-minimisation controls — and avoid uncontracted generic AI tools for full DSAR/SAR packs.

What should I document after redacting for a DSAR/SAR?

Keep proportionate records: when the request was received, scope of search, what was disclosed, what was redacted or withheld and the high-level reason (including exemptions), and how the final pack was delivered. Your DPO can define the template.

Get started

How to redact a PDF for GDPR
Start redacting free
© 2026 Ghost. All rights reserved.