NullifyNullify

Guide · Compliance

GDPR redaction guide

Under GDPR, sharing a document that contains someone else's personal data — or more of your own than necessary — can itself be a data protection failure. Whether you're answering a subject access request (DSAR), disclosing records, or just emailing a contract, redaction is how you apply data minimisation in practice. This guide covers what to redact, and how to do it in a way you can defend.

What counts as personal data

GDPR's definition is broad: any information relating to an identified or identifiable person. That includes the obvious — names, addresses, emails, phone numbers, ID numbers, financial details — and the less obvious: job titles in small teams, IP addresses, vehicle registrations, handwriting and photographs.

Special category data (health, ethnicity, religion, sexual orientation, trade union membership) carries higher risk and should be redacted by default unless there is a clear lawful basis to share it.

When you must redact

The most common trigger is a DSAR: the requester is entitled to their own data, but not to third parties' data mixed into the same emails and files. Before disclosure you must redact other people's information unless they consent or it is reasonable to disclose.

Redaction also applies to routine sharing — sending statements, invoices, HR records or case files to anyone who doesn't need every field. Data minimisation (Article 5(1)(c)) says you share the minimum necessary.

Redaction that survives scrutiny

Two failures regulators repeatedly see: cosmetic redactions (black boxes with the text still underneath) and no record of what was removed. Use a tool that permanently destroys redacted content, and keep an audit trail.

Nullify burns redactions into the page so they cannot be reversed, and every export includes a PDF audit report listing what was detected, accepted and dismissed — useful evidence of a considered redaction exercise. Manual redaction happens entirely in your browser, and our servers store no document content.

Step-by-step

  1. Step 1

    Identify personal data page by page

    Names, contact details, identifiers, financial data, special category data. Nullify's AI detection can flag these across up to 50 combined pages for $2.99, with regional profiles for UK, US, Canadian and Australian identifiers.

  2. Step 2

    Redact third-party data and unnecessary fields

    Accept or dismiss each suggestion — you stay the decision-maker, which is what accountability requires.

  3. Step 3

    Export and file the audit report

    The burned-in export plus the audit report gives you both the disclosable document and your evidence of process.

Frequently asked questions

Does GDPR require a specific redaction tool?+

No, but it requires the outcome: redacted data must be genuinely irretrievable, and you should be able to demonstrate your process. Permanent redaction plus an audit report meets both.

Do I need to redact my own data before sharing my documents?+

You're not obliged to, but data minimisation is good practice — share only what the recipient needs, especially with financial and ID documents.

Is a black highlighter in Word or a PDF box compliant?+

Usually not — if the text can be recovered by selecting, copying or deleting the shape, the personal data was never removed and a disclosure of that file is a breach.

Does using Nullify add a data processor to my records?+

Manual redaction happens entirely in your browser, so no document data is processed by any server. AI mode sends only extracted text — never your file — over an encrypted connection; we store nothing and it is never used to train AI models.

Redact your PDF now — free

Manual redaction is free and unlimited. AI-assisted detection is $2.99 for up to 50 pages combined across all your PDFs.

Start Redacting

More guides