Redaction Software for GDPR Subject Access Requests

Respond to subject access requests without exposing anyone else's personal data. VIDIZMO Redactor detects and redacts third-party data across emails, documents, CCTV, and call recordings, so privacy teams meet the GDPR deadline without redacting each file by hand. 

Start a free trialTalk to an expert
Redaction Software for GDPR Subject Access Requests

Organizations Ensure Data Privacy and Compliance with Our Redaction Software

The DSAR Redaction Bottleneck 

A subject access request gives one person a copy of their data within one month. But their emails, documents, CCTV, and calls are full of other people's personal data that must be redacted first. 

Doing that by hand is slow, and one name left in is a reportable breach. 

The DSAR Redaction Bottleneck

Requirements for Compliant DSAR Redaction

Card 1 - Redact third parties

Redact third parties

A subject access response gives the requester their own data and nothing about anyone else. Every other person's name, contact detail, and identifier has to come out.

Card 2 - CCTV and calls

CCTV and calls

A DSAR can include CCTV of the requester and calls they were part of. Third parties in that footage and audio need redacting too, not only the documents.

Card 3 - One-month deadline

One-month deadline

GDPR sets a one-month deadline from receipt, extendable by two months for complex requests. Miss it and the response itself becomes a compliance failure.

Card 4 - Special category data

Special category data

Health and other special category data carry extra protection under GDPR. It needs careful handling wherever it belongs to a third party in the response.

Card 5 - DSAR exemptions

DSAR exemptions

DSAR exemptions cover third-party data, legal privilege, and a few specific grounds. They have to be applied without withholding data the requester is entitled to.

Card 6 - No accidental breach

No accidental breach

Leaving one person's data in another person's response is an unauthorized disclosure and a reportable breach. Third-party redaction has to be verified before release.

Redaction Capabilities for DSAR Fulfillment

AI detection

Detect names, contact details, identifiers, and 40+ categories of personal data across the request automatically, so you are not reading every file to find who appears in it. 

Card 1 - AI detection

Keep the requester

Selective redaction keeps the requester's own data intact while masking every other individual, including faces in CCTV and voices in recorded calls. 

Card 2 - Keep the requester

Faces and voices

Redact third parties in CCTV footage and call recordings alongside documents and emails, all in one platform, so the whole response is handled together. 

Card 3 - Faces and voices

OCR for scans

Read and redact text in scanned letters, forms, and image-based PDFs, so paper-origin records in the response are covered like digital ones. 

Card 4 - OCR for scans

Redact by name

Redact a specific colleague, customer, or third party across the entire response in one pass, by name or pattern, instead of file by file. 

Card 5 - Redact by name

Regulator-ready record

Every redaction is logged with what was removed, by whom, and when, then exported as a report you can show the requester or the regulator. 

Card 6 - Regulator-ready record

Teams That Rely on DSAR Redaction

Card 1 - Data protection officers

Data protection officers

Own GDPR compliance and the DSAR response, and are accountable when a disclosure goes out with third-party data still in it. 

Card 2 - Privacy and compliance teams

Privacy and compliance teams

Process subject access requests against the deadline. Automated detection cuts the manual workload and the risk of a missed identifier. 

Card 3 - In-house legal teams-1

In-house legal teams

Handle complex requests, exemptions, and challenges, with a documented process that holds up if a response is questioned. 

Card 4 - Information governance teams

Information governance teams

Manage records across systems and formats, and need redaction that works on documents, CCTV, and call recordings alike. 

Card 5 - HR teams

HR teams

Respond to employee subject access requests, which often pull emails and files naming managers and colleagues who must be redacted. 

Four Steps from Upload to Disclosure

Step 1

Upload 

Add the request's files individually, in bulk, or through the API from your email, document, or records system. 255+ formats accepted without manual conversion. 

Step 2

Redact

AI detects and redacts personal data across documents, images, CCTV, and audio through pattern matching, OCR, and transcription, masking third-party data automatically. 

Step 3

Review

Reviewers verify detections, keep the requester's data visible, and apply or adjust redactions before the response goes out. 

Step 4

Export

Download the redacted disclosure pack with an audit report documenting every redaction, basis, and timestamp. 

Start Clearing DSARs Faster

See how it detects and redacts third-party data across documents, CCTV, and calls, so you respond within the month without risking a breach. 
Start a Free Trial

Frequently asked questions

What must be redacted in a DSAR response?
Third-party personal data. A subject access request gives the requester their own data, so other people's names, contact details, and identifiers must be redacted first, along with any exempt material such as legally privileged content. 
How long do we have to respond to a DSAR under GDPR?
One month from receipt. The deadline can be extended by up to two further months for complex or numerous requests, provided you tell the requester within the first month and explain why. 
Can we keep the requester's data visible while redacting everyone else?
Yes. Selective redaction keeps the requester's personal data intact while masking third-party individuals across the response, including faces in CCTV footage and voices in call recordings. 
Does GDPR redaction apply to CCTV and call recordings, not just documents?
Yes. Personal data is personal data in any format. CCTV footage, call audio, emails, and documents in a response all fall under GDPR and must have third-party data redacted before disclosure. 
What happens if we disclose third-party data by mistake?
It is a personal data breach. Unauthorized disclosure of someone's personal data can trigger reporting obligations and regulatory penalties, which is why third-party redaction has to be verified before a response goes out. 
Can it handle high DSAR volumes?
Yes. Bulk processing lets you upload an entire request set and apply detection rules once across every file, so large or numerous requests are handled in one pass instead of file by file. 
Where is subject access data processed?
VIDIZMO Redactor deploys on-premises, in a private cloud, or as SaaS, so you can process subject access data within your own environment and data-residency requirements. 
back to top