Fulfilling GDPR requirements using redaction


When our sales people talk to our product managers about the features customers seem less familiar with, redaction comes up. Customers often misunderstand what this feature really is and how it can be useful for business and data protection strategies. So here’s a good example of how redaction can be used. In this case, redaction can serve your business in complying with the new GDPR regulations for protecting EU citizens from businesses using their data irresponsibly.

What redaction is—and what it isn’t

Redaction blocks sensitive information in a document by removing it and replacing it. Unlike just drawing a dark box over existing text, redaction removes the data. You won’t even find it by looking into the code or the file’s metadata. So it’s a reliable method of removing information, not a mask that still leaves sensitive data discoverable by those crafty enough to go looking for it.

Two use cases of redaction

You can use redaction in two ways:

  • Anonymization: Data anonymization is a type of information sanitization with the intent of privacy protection. It involves completely blacking out the information, and that information cannot be restored.
  • Pseudonymizing: A data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing. Essentially, you’re blacking out the information but leaving a reference code that links to a mapping table you can use for data analysis.

While it may be easier and cheaper to simply delete all related records, instead of redacting them, both of these redaction methods can serve you in cases where deleting the information isn’t feasible, or isn’t legally permissible. 

GDPR and redaction

GDPR is a regulation applied to all EU countries as of 2018 that’s designed to protect EU citizens from businesses using their data irresponsibly. It puts the subject of the data—namely, the person who the data describes and is about—in charge of what personal information is shared, where and how.

GDPR was enacted because of the idea of the ‘right to be forgotten’ whereby any individual may contact your business asking for their personal information to be deleted from all your systems within a certain time frame.

If your company has no legal reason to continue holding this person’s information in your database, you must oblige and provide evidence that this information no longer remains in any of your systems. This means that you must first identify any reference to this individual in a contract, email or any documents referring to their profile, then delete Personally Identifiable Information (PII) within it.

Redaction provides an easy-to-implement process to comply with GDPR without requiring you to suppress relevant information or delete an entire record.

GDPR is here to stay. By using redaction on critical documents, you can take a significant step towards meeting GDPR requirements and bolstering customer trust.

Leave a Reply

Your email address will not be published. Required fields are marked *