GDPR Document Redaction for Small Businesses — A Practical Guide
GDPR compliance is not just an enterprise concern. Any UK business that handles personal data — which means virtually every business — has obligations around how that data is shared, disclosed, and protected. Document redaction is one of the most common practical tasks that falls out of those obligations, yet most small businesses have no clear process for it.
This guide is written for the UK small business owner, DPO, or office manager who needs to understand what to redact, when, and how to do it without an enterprise compliance budget.
When does a small business need to redact documents?
DSAR responses
When an employee or customer requests their personal data, you must redact third-party PII from any documents disclosed.
HR processes
Sharing interview notes, appraisals, or complaints — redact other employees' data before disclosure.
Third-party sharing
Sending client documents to insurers, accountants, or legal advisors — redact unrelated personal data first.
Legal proceedings
Providing evidence in employment tribunals, small claims, or regulatory inquiries — court bundles require redaction.
Medical referrals
If you handle health-related documentation — occupational health, absence records — redact before third-party disclosure.
Research & publishing
Publishing case studies or reports based on client or customer data — anonymise before use.
Your legal obligations as a small business
The UK GDPR applies to all organisations that process personal data, regardless of size. There is no small business exemption. However, micro-organisations (fewer than 250 employees) are exempt from the requirement to maintain written records of processing activities under Article 30 — unless processing is high-risk, involves special category data, or is not occasional.
For document redaction specifically, the relevant obligations come from:
- Article 5 — data minimisation principle: only share personal data that is adequate, relevant and necessary
- Article 25 — data protection by design: build redaction into your disclosure process
- Section 40 DPA 2018 — third-party data protection in SAR responses
What must be redacted
Before sharing any document, consider whether it contains:
- Names, email addresses, phone numbers of individuals other than the recipient
- Home addresses or postcodes
- National Insurance numbers, NHS numbers, passport numbers
- Bank account details or financial information
- Health, disability, or medical information
- Salary, performance, or disciplinary records relating to other staff
- Any information from which a third party could be identified
The test: Before sharing a document, ask — would a reasonable person whose data appeared in this document expect it to be shared with this recipient? If not, redact it.
Budget-appropriate tools for small businesses
Enterprise redaction platforms cost thousands per year and require IT deployment. For small businesses, your realistic options are:
- Adobe Acrobat Pro (£200/yr) — reliable but manual, no auto-detection
- Free online tools — inadvisable for personal data (see our cloud redaction guide)
- DesktopRedact (from £149/yr) — automated UK PII detection, local processing, audit log — built specifically for this use case
Building a simple redaction process
You don't need a complex policy document. A simple, documented process is all that's required:
- Identify trigger events — DSAR received, document sharing request, legal disclosure needed
- Collect relevant documents — all files that may contain the requester's or subject's personal data
- Scan for PII — identify all personal data types present
- Redact third-party data — using proper redaction software, not visual overlays
- Review the redacted document — verify nothing slipped through, check metadata is stripped
- Log and retain — record what was shared, what was redacted, when, and why
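The six steps above, together with the "what must be redacted" list earlier on the page, can be made concrete for plain-text documents. The following script is an added example written for this guide; it is not code from the page or from DesktopRedact. It assumes a constructed grievance-file extract (every name, number and address in it is invented), uses regular expressions for the structured UK identifiers the page lists (email, mobile, National Insurance number, NHS number, postcode), validates NHS numbers with their modulus-11 check digit so random ten-digit strings are not silently redacted, takes third-party names from the reviewer as an explicit list (name detection by pattern is unreliable), and keeps a list of the requester's own identifiers that must stay disclosed in a DSAR response. It then performs the review step as a second detection pass and produces a log entry. It works on extracted text only; rendering the result into a PDF and stripping document metadata are separate tasks.

```python
from __future__ import annotations

import json
import re
from datetime import datetime, timezone

# Constructed sample: a grievance-file extract to be disclosed to the requester
# (Jane Example). Every name, email, number and address here is invented.
SAMPLE_NOTE = (
    "Grievance file extract, 12 March 2024\n"
    "Requester: Jane Example, jane.example@example.com\n"
    "Witness statement taken from Mark Smith, mark.smith@example.co.uk, 07700 900123\n"
    "Payroll cross-check for the witness: NI number AB 12 34 56 C\n"
    "Occupational health note on the witness: NHS number 943 476 5919, "
    "home address 12 High Street, AB1 2CD\n"
)

# Heuristic patterns for structured UK identifiers. They find candidates; the
# review step (verify) and a human still decide what is personal data in context.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "UK_MOBILE": re.compile(r"\b07\d{3}\s?\d{6}\b"),
    # Two prefix letters, six digits, suffix A-D. The strict prefix-letter rules are omitted.
    "NI_NUMBER": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    "NHS_NUMBER": re.compile(r"\b\d{3}\s?\d{3}\s?\d{4}\b"),
    "POSTCODE": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}


def _norm(value: str) -> str:
    return value.replace(" ", "").lower()


def nhs_checksum_ok(candidate: str) -> bool:
    """Modulus-11 check digit used by NHS numbers: weights 10..2 over the first nine digits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == digits[9]


def redact(text: str, third_party_names: list[str], keep: tuple[str, ...] = ()) -> tuple[str, dict[str, int]]:
    """Replace third-party PII with labelled placeholders (real removal, not an overlay).

    third_party_names: people other than the requester, supplied by the reviewer.
    keep: the requester's own identifiers, which a DSAR response must disclose.
    Returns the redacted text and a per-category count for the disclosure log.
    """
    keep_norm = {_norm(k) for k in keep}
    counts: dict[str, int] = {}
    out = text
    for name in third_party_names:
        out, n = re.subn(re.escape(name), "[REDACTED:NAME]", out, flags=re.IGNORECASE)
        counts["NAME"] = counts.get("NAME", 0) + n
    for label, pattern in PATTERNS.items():
        placeholder = f"[REDACTED:{label}]"

        def replace(m: re.Match, label=label, placeholder=placeholder) -> str:
            value = m.group(0)
            if _norm(value) in keep_norm:
                return value  # belongs to the requester: disclosed, not redacted
            if label == "NHS_NUMBER" and not nhs_checksum_ok(value):
                return value  # fails the check digit: left for manual review
            return placeholder

        before = out.count(placeholder)
        out = pattern.sub(replace, out)
        counts[label] = out.count(placeholder) - before
    return out, counts


def verify(redacted: str, third_party_names: list[str], keep: tuple[str, ...] = ()) -> list[str]:
    """Review step: a second detection pass over the output. Anything returned is a leak."""
    keep_norm = {_norm(k) for k in keep}
    leaks = [m.group(0) for p in PATTERNS.values() for m in p.finditer(redacted)
             if _norm(m.group(0)) not in keep_norm]
    leaks += [n for n in third_party_names if n.lower() in redacted.lower()]
    return leaks


def log_entry(document_id: str, recipient: str, reason: str, counts: dict[str, int]) -> dict:
    """Record what was shared, with whom, why, and what was removed (step 6 of the process)."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "document": document_id,
        "recipient": recipient,
        "reason": reason,
        "redactions": counts,
    }


if __name__ == "__main__":
    witnesses = ["Mark Smith"]
    requester_data = ("jane.example@example.com",)
    text, counts = redact(SAMPLE_NOTE, witnesses, requester_data)
    print(text)
    print("leaks:", verify(text, witnesses, requester_data))
    print(json.dumps(log_entry("grievance-2024-03.txt", "Jane Example", "DSAR", counts), indent=2))
```

Run it and the only personal data left in the output is the requester's own; the witness's name, email, phone, NI number, NHS number and postcode are replaced by labelled placeholders, and the second pass returns an empty leak list. A non-empty list from verify means the document is not ready to send.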
ICO enforcement against small businesses
The ICO has fined organisations of all sizes for data breaches involving inadequate redaction. Notable recent examples include a solicitors' firm fined £98,000 for sending an unredacted DSAR response to the wrong recipient, and an HR consultancy reprimanded for using a US-based cloud tool to process employee personal data without a transfer mechanism.
The ICO's approach is proportionate — they consider the size of the organisation, the harm caused, and whether there was a systemic failure or genuine mistake. A documented process with reasonable tools, honestly followed, goes a long way in mitigation.
DesktopRedact gives small businesses an affordable, compliant, fully local redaction tool — no enterprise budget required.