All organizations house data – customer data, employee data, and their own company data. There have always been scenarios in which certain data needs to be redacted, but with an increase in privacy laws sweeping the globe and more consumer awareness around data ethics and transparency, businesses are facing situations that call for data redaction more often than ever. It can be challenging, however, to understand exactly when DSAR redaction is necessary and how to execute the process correctly and compliantly. In this article, we answer six of our most frequently asked questions centered around one common theme: When is DSAR redaction necessary?
When is redaction needed in the context of a DSAR?
When a customer, employee, or former employee makes a request for their personal information, the requester’s data is often found alongside the personal data of other people. In these instances, you’re required to redact any personal information that isn’t about the person making the request.
What are the most common types of requests that create the need for redaction?
Do we need to disclose the entire file/document/email that contains a requester’s information?
We often hear from customers that the context of the information is what the data requester is really interested in. In most cases, the customer or employee knows the company has their name, email, address, etc. But their personal information also includes information that relates to them beyond their name and address – for example, what other people thought about this person’s performance in their role as an employee.
Another consideration outside of privacy: if the relevant information is not disclosed properly under a privacy law request, there is a risk that it comes to light through the legal discovery process in a potential litigation between the employee and the employer. That can put the organization in a risky situation where it could potentially be found not to have complied with privacy laws in the context of litigation.
What if the third party is known to the data subject making the request and their information is contained in a report that the data subject has already seen? Should we still redact the third-party information?
It depends on whether the third party’s information, which was shared with the data requester in one context, is appropriately shared in a different context. There may be related issues of consent, purpose limitation, and data minimization that arise under relevant privacy laws. From a practical perspective, redacting third-party information helps avoid some of those risks.
As a general rule, what information should be redacted?
Choosing what information should be redacted will vary across different situations. A few guiding principles that may be useful here:
Is it possible and is it recommended to customize the redactions (e.g., to have the option of redacted data not being black in color)?
The OneTrust DSAR Redaction product has the functionality to customize the redactions, so different colors can be applied. In addition, you can write text in the redacted area. Customizing the redactions might be useful when a black box over the redacted data would give the data requester too little information, which may create follow-up questions from the requester about the redactions that have been applied.
How does OneTrust help with DSAR redaction?
OneTrust Data Redaction helps your organization automatically discover sensitive information such as names, addresses, and credit card numbers in a wide variety of file types and formats, and either redact files programmatically or embed manual review processes before finalizing redactions. Securely upload documents, PDFs, images, spreadsheets, presentations, emails and more to be scanned, classified, and redacted by our AI-driven redaction engine. The redaction process removes all instances of the data as well as the metadata associated with the information to provide a secure and irreversible solution, enabling your organization to embed redaction where it’s needed most. You can leverage our application to upload, scan, and redact files, or simply use the API to integrate redaction into your existing tools and processes.