The Hidden Cost of Manual Redaction: Why UK Businesses are Spending £1,200 Per DSAR

February 22, 2026 · 4 min read

For Data Protection Officers (DPOs) operating in the UK, the Data Subject Access Request (DSAR) has evolved from a sporadic compliance exercise into a relentless operational challenge. Driven by rising consumer awareness, disgruntled ex-employees, and a heavily regulated privacy landscape, DSAR volumes are surging.

While the statutory requirement is simply to provide data subjects with their personal information within one calendar month, the internal reality for organisations is far more complex. Recent industry data reveals that the average cost of processing a single standard DSAR in the UK now sits at approximately £1,200. When requests involve complex employee grievances, unstructured data, or CCTV footage, that figure can easily spiral upwards of £20,000.

For privacy teams, the question is no longer just how to comply with the Information Commissioner's Office (ICO), but how to stop DSARs from quietly draining the legal and IT budgets.

The Anatomy of a £1,200 DSAR

Under the UK GDPR and the Data Protection Act 2018, organisations generally cannot charge a fee for processing a DSAR unless it is "manifestly unfounded or excessive." Consequently, businesses must absorb the entirety of the administrative burden.

Where does the £1,200 go? It is rarely spent on the initial data extraction. Modern IT infrastructure can generally execute keyword searches across structured databases relatively quickly. The true financial sinkhole lies in the review and redaction phase.

Consider a standard employee DSAR. The initial search might yield 3,000 emails, several PDF performance reviews, and a handful of Slack messages. A human reviewer—often highly paid legal counsel or a senior compliance manager—must manually read every line to identify and redact the personally identifiable information (PII) of third parties. They must apply legal privilege exemptions, evaluate management forecasting data, and ensure that the final disclosure is legally defensible.

If a paralegal or compliance officer spends just three minutes reviewing, redacting, and logging each of those 3,000 documents, the process consumes 150 working hours. This manual attrition is what transforms a simple data request into a massive operational expense.

The "False Redaction" Trap and ICO Penalties

To mitigate these costs, some organisations rely on basic PDF editors or consumer-grade software to draw black boxes over sensitive text. This approach is not only inefficient; it is a severe security vulnerability.

Drawing a black rectangle over text in a legacy PDF editor often creates a "false redaction." It places a visual layer over the text but fails to remove the underlying text layer, such as the one produced by Optical Character Recognition (OCR), or the document's metadata. Anyone receiving the file can simply highlight the black box, copy the hidden text, and paste it into a new document.
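
A pre-release check for the failure described above, as an added example (not code from the original post or from Acuity AutoRedact): it walks a decoded PDF page content stream and reports text runs that are still present underneath a filled rectangle. The two sample streams, the name in them and the function name `scan` are constructed for illustration; it assumes uncompressed streams in which each text run is positioned by its own `Td`.

```python
import re

# Constructed, already-decoded page content streams. Real PDFs usually compress
# these (FlateDecode), so decode them with a PDF library before scanning.
FALSE_REDACTION = rb"""
BT /F1 12 Tf 72 700 Td (Complaint raised by) Tj ET
BT /F1 12 Tf 190 700 Td (Jane Smith) Tj ET
BT /F1 12 Tf 72 680 Td (Outcome: no further action) Tj ET
0 0 0 rg 188 696 70 16 re f
"""
# Proper redaction: the text operator itself is gone, only the box remains.
TRUE_REDACTION = FALSE_REDACTION.replace(
    b"BT /F1 12 Tf 190 700 Td (Jane Smith) Tj ET\n", b"")

TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|/[^\s()/\[\]<>]+|[-+]?\d*\.?\d+|[A-Za-z*'\"]+")

def scan(stream):
    """Return (all_text, hidden): every text run, and those under a later filled box."""
    stack, texts, path, hidden, pos = [], [], [], [], (0.0, 0.0)
    for tok in TOKEN.findall(stream):
        if tok[:1] == b"(":                        # literal string operand
            stack.append(tok[1:-1].decode("latin-1"))
        elif tok[:1] == b"/":                      # name operand, e.g. /F1
            stack.append(tok)
        elif tok[:1] in b"+-.0123456789":          # numeric operand
            stack.append(float(tok.decode()))
        else:                                      # operator: consume the operands
            if tok == b"BT":
                pos = (0.0, 0.0)                   # text object starts at the origin
            elif tok == b"Td":
                pos = (pos[0] + stack[-2], pos[1] + stack[-1])
            elif tok == b"Tm":
                pos = (stack[-2], stack[-1])
            elif tok in (b"Tj", b"TJ"):            # show text at the current position
                texts.append(("".join(s for s in stack if isinstance(s, str)), pos))
            elif tok == b"re":
                path.append(tuple(stack[-4:]))     # x, y, width, height
            elif tok in (b"f", b"f*", b"B"):       # fill paints over earlier text
                for x, y, w, h in path:
                    hidden += [t for t, (tx, ty) in texts
                               if x <= tx <= x + w and y <= ty <= y + h]
                path = []
            elif tok in (b"n", b"S"):              # path discarded or only stroked
                path = []
            stack.clear()
    return [t for t, _ in texts], hidden
```

A disclosure is safe to release only when `hidden` is empty and none of the terms that should have been redacted appear in `all_text`.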

The ICO has consistently warned against these exact technical failures. An improper redaction that exposes third-party data constitutes a data breach, carrying the risk of reputational damage and regulatory fines of up to £17.5 million or 4% of global turnover. Relying on manual, legacy tools to save time paradoxically introduces the highest level of regulatory risk.

Navigating the Data (Use and Access) Act 2025

The recent enactment of the Data (Use and Access) Act 2025 (DUAA) has introduced some welcome relief for UK data controllers.

Notably, the DUAA formally codifies the "stop the clock" principle. If your organisation genuinely requires clarification from the data subject to locate the requested information, you can pause the 30-day statutory deadline until that clarification is received. Furthermore, the Act establishes a "reasonable and proportionate" search standard, meaning organisations are no longer expected to conduct exhaustive, disproportionately expensive searches of legacy systems if the data is unlikely to be found there.

However, while these legislative changes help narrow the scope of a search, they do not solve the redaction bottleneck. Once you have located the relevant and proportionate unstructured data, you still face the monumental task of redacting it securely within the deadline.

Shifting from Cost Centre to Automated Efficiency

To break the cycle of escalating DSAR costs, privacy teams must transition from manual review to AI-driven automation.

Purpose-built automated redaction software changes the financial mathematics of a DSAR. By utilising advanced pattern-matching, Optical Character Recognition, and natural language processing, automated systems can bulk-redact thousands of pages of unstructured documents in minutes. More importantly, enterprise-grade tools ensure true, irreversible redaction—scrubbing the underlying code, stripping metadata, and destroying revision histories so the data cannot be recovered.

For organisations dealing with surveillance requests, modern computer vision algorithms can automatically track and blur faces in CCTV footage, turning a process that used to take days of manual frame-by-frame editing into a task that takes hours.

Maintaining your status as a responsible Data Controller means retaining oversight, but it does not require performing the manual labour yourself. By implementing tools with zero-retention architectures and strict AES-256 encryption, your team can automate the heavy lifting while focusing human expertise solely on the final review and approval.

For UK DPOs looking to protect their budgets and guarantee ICO compliance, it is time to stop subsidising manual redaction. See the difference automation makes on your own unstructured data workflows by starting a free trial of Acuity AutoRedact today.

Andrew Walls is the Founder and CEO of Acuity AI Education Ltd, the parent company of Acuity AutoRedact. He has over 10 years of digital leadership experience in schools.
