Every organisation that processes personal data under the UK GDPR or EU GDPR will eventually receive a subject access request (SAR) — also called a data subject access request (DSAR). The information governance team, data protection officer (DPO), or designated information officer must locate all personal data relating to the requester, review it for exemptions and third-party content, and provide a lawful disclosure — typically within one calendar month.
Email archives are almost always in scope. That is where the compliance burden spikes: you cannot simply forward entire inboxes. You must apply email redaction for GDPR SAR responses — masking names, contact details, health data, and any other identifier that belongs to someone other than the data subject. How you perform that redaction matters as much as whether you do it at all.
What is a GDPR subject access request?
Article 15 of the GDPR gives individuals the right of access to personal data an organisation holds about them. Regulators including the ICO (UK Information Commissioner's Office) expect controllers to:
A SAR is not a fishing expedition for unrelated business records — but it is a comprehensive request for everything you hold about that person. Email threads, calendar invites, attachments, and PST exports all fall within scope. Manual copy-paste is not scalable; neither is handing over unredacted threads that expose colleagues, customers, or patients.
Why email dominates SAR / DSAR responses
Corporate email is unstructured, persistent, and widely forwarded. A single SAR can require searching:
- ✓ Live mailboxes on Microsoft 365, Exchange, or Google Workspace
- ✓ Archived PST, MSG, and EML files on network shares
- ✓ Journal and compliance archives
- ✓ Attachments containing HR, medical, financial, or legal correspondence
The data protection officer or information governance lead must balance transparency (giving the requester their data) with data minimisation and third-party confidentiality (not disclosing anyone else's personal data). That balance is achieved through systematic GDPR email redaction — not by hoping staff remember to bcc carefully.
The redaction challenge: third-party personal data
In a typical email thread, the data subject might appear in the To field — but the body references dozens of other people: managers, clients, patients, suppliers, family members. GDPR and ICO guidance are clear: you should redact information relating to other individuals unless it is reasonable to disclose it without their consent or it is already known to the requester.
Common elements to redact in SAR email disclosures: other people's names and email addresses, national insurance / social security numbers, phone numbers, home addresses, dates of birth, medical details, salary figures, account numbers, and any special category data (health, ethnicity, trade union membership, etc.) belonging to third parties.
Getting this wrong is a double failure: you may under-disclose to the data subject (breach of Article 15) or over-disclose third-party data (breach of Article 5 principles and potential complaint to the supervisory authority). Automated bulk redaction with human review is the only practical approach at scale.
Why SAR email redaction must happen locally / on-premise
When you upload a mailbox, PST file, or email export to an online redaction service, you are no longer just responding to a SAR — you are making a new disclosure to that vendor. Under GDPR you must have a lawful basis and, in most cases, a Data Processing Agreement with any processor. You must also assess international transfers, sub-processors, retention, and security measures.
On-premise / local processing
- Data never leaves your network
- No new processor or sub-processor
- Aligns with privacy by design
- Fits legal privilege & healthcare constraints
- Auditable on your own systems
Cloud upload redaction
- Full mailbox copied to third-party servers
- Cross-border transfer assessments required
- Vendor breach = your breach
- Often prohibited by sector policy
- Harder to demonstrate data minimisation
Sectors handling especially sensitive data — NHS trusts, law firms (legal professional privilege), financial services, local authorities, and education — frequently prohibit uploading client or citizen mail to US-hosted SaaS tools. An on-premise email redaction tool installed on your own computers and servers is not a nice-to-have; it is often the only compliant option.
Risks of uploading SAR material to third-party cloud tools
Processor sprawl: Each cloud redaction vendor becomes a GDPR processor. You need contracts, security questionnaires, and ongoing oversight — for a task that could stay entirely in-house.
International transfers: US-hosted services may require Standard Contractual Clauses, transfer impact assessments, and documentation under Schrems II — overhead the DPO must justify for every SAR.
Retention & deletion: Can you prove the vendor deleted your upload after the SAR is closed? Many SaaS terms allow indefinite retention for "service improvement" or backups.
Scope creep: Uploading a whole PST "just to redact" often means exporting more data than the SAR requires — conflicting with data minimisation under Article 5(1)(c).
Regulatory scrutiny: If the SAR itself is sensitive (employment dispute, medical grievance, whistleblowing), uploading it externally multiplies reputational and regulatory risk.
GDPR SAR email redaction workflow with Hexamail Flow
Hexamail Flow is an email redaction application you install on your own Windows computers and process within your network perimeter. It does not require uploading mail to Hexamail's servers for redaction processing. The standard SAR workflow:
1. Connect locally — link the relevant Outlook, Office 365, or Gmail account, or import EML, MSG, or PST files from your network. Data stays on your machines.
2. Automatically redact in bulk — detect and mask third-party names, email addresses, phone numbers, postcodes, and other PII across the SAR corpus. Configure custom expressions for your organisation.
3. Refine redactions — the information officer or paralegal reviews each message, unredacts phrases that are legitimately disclosable, and documents decisions for the audit trail.
4. Output for disclosure — export redacted email as HTML, email, or PDF for inclusion in the SAR response pack, without data ever leaving your environment.
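As an added illustration of the bulk-redact and review steps above, and of the third-party rule described earlier, the Python below is example code written for this page, not Hexamail Flow's own implementation. It parses a constructed EML message, masks third-party email addresses, UK phone numbers, NI numbers, postcodes and correspondent names while keeping the data subject's own identifiers, and records each decision for the audit trail. The sample message, the subject identifiers and the detection patterns are all illustrative assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Constructed sample (not a real SAR): Alice is the requester, Bob and Carol are third parties.
SAMPLE_EML = """\
From: Bob Manager <bob.manager@example.org>
To: Alice Example <alice.example@example.org>
Cc: Carol Payroll <carol.payroll@example.org>

Alice, thanks for the fit note. Carol (ext. 01234 567890) has updated
payroll; her NI ref is JK123456C. Post the original to SW1A 1AA.
Your own NI number AB123456C is already on file.
"""

# Illustrative patterns standing in for an organisation's configured custom expressions.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}

def redact_message(raw_eml, subject_identifiers):
    """Mask third-party identifiers, keep the data subject's own; return (text, audit_log)."""
    msg = message_from_string(raw_eml, policy=default)
    keep = {s.lower() for s in subject_identifiers}
    audit, patterns = [], dict(PATTERNS)
    # Correspondents other than the data subject are third parties: mask full and first names.
    names = set()
    hdrs = [str(msg[h]) for h in ("From", "To", "Cc") if msg[h]]
    for name, addr in getaddresses(hdrs):
        if name and addr.lower() not in keep and name.lower() not in keep:
            names.update({name, name.split()[0]})
    if names:
        alts = "|".join(map(re.escape, sorted(names, key=len, reverse=True)))
        patterns["name"] = re.compile(r"\b(?:%s)\b" % alts)

    def mask(text):
        for kind, rx in patterns.items():
            def repl(m, kind=kind):
                hit = m.group(0)
                if hit.lower() in keep:  # the requester's own data is disclosable
                    audit.append((kind, hit, "kept: data subject"))
                    return hit
                audit.append((kind, hit, "redacted: third party"))
                return f"[REDACTED {kind.upper()}]"
            text = rx.sub(repl, text)
        return text

    headers = "\n".join(f"{h}: {mask(str(v))}" for h, v in msg.items())
    return headers + "\n\n" + mask(msg.get_content()), audit
```

The audit list is what a reviewer would walk through in the refine step: every hit, the pattern that caught it, and whether it was kept or masked.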
This workflow supports high-volume DSAR programmes — councils responding to housing SARs, HR teams handling employment access requests, NHS organisations disclosing correspondence, and solicitors compiling Article 15 bundles — without creating a parallel cloud data estate.
Hexamail Flow — on-premise email redaction
Built for information governance & compliance teams
Hexamail Flow is installed on your network and computers — not run as a cloud upload service. Your data protection officer can demonstrate that SAR email redaction occurs under your control, on your infrastructure, with no mandatory transfer to a third-party redaction platform.
Local mailbox & archive support
Connect Microsoft 365, Exchange, Outlook, Gmail — or import PST, MSG, and EML from network shares and eDiscovery exports.
Bulk GDPR redaction
Automatically mask third-party PII at scale — names, addresses, emails, phone numbers, and custom patterns.
Human review & unredact
Refine automated redactions message by message. Unredact content that is reasonably disclosable to the data subject.
Disclosure-ready output
Export redacted SAR packs as HTML, email, or PDF — ready for secure delivery to the requester.
Who owns SAR email redaction? DPO, IG & FOIA teams
Responsibility varies by organisation, but these roles are typically involved in GDPR subject access request email redaction:
Data Protection Officer (DPO)
Oversees lawful basis, timelines, exemptions (Schedule 2 UK GDPR / Article 15(4)), and whether the redaction approach meets accountability requirements. Signs off processor assessments — or approves on-premise tools that avoid new processors.
Information Governance / Information Officer
Coordinates search, collation, redaction, and quality assurance. Maintains the SAR log, extension letters, and disclosure record. Often the primary Hexamail Flow operator.
Legal & HR
Review employment SARs, litigation holds, and privileged material. Decide what third-party data can be disclosed vs redacted.
IT / Information Security
Provision on-premise software, control access to PST exports, and ensure redaction workstations meet your security baseline — without opening outbound data paths to unknown vendors.
SAR email redaction compliance checklist
- ☐ Verify identity of the data subject before searching mail
- ☐ Search all relevant mailboxes, archives, and PST exports
- ☐ Redact third-party personal data — do not rely on cloud upload tools without DPIA
- ☐ Use on-premise redaction (e.g. Hexamail Flow) where sector policy requires local processing
- ☐ Document redaction decisions and reviewer sign-off
- ☐ Provide response within one month (or issue extension notice)
- ☐ Deliver in a commonly used electronic format (PDF, email, or secure portal)
- ☐ Record the SAR on your ROPA / SAR register for accountability
FAQ — GDPR SAR email redaction
What is the difference between a SAR and a DSAR?
Do I have to redact other people's names in SAR emails?
Can I use a cloud redaction tool for GDPR SAR responses?
Why is on-premise email redaction better for subject access requests?
Can Hexamail Flow redact PST files for SAR searches?
How long do we have to respond to a GDPR subject access request?
What should a data protection officer look for in SAR redaction software?