
Complying with Redaction Requirements in DataGrail

Certain U.S. privacy laws now require that specific information be omitted from the response to a Data Subject Access or Correction/Update Inaccuracies Request. For example, the Minnesota Consumer Data Privacy Act (effective 7/31/2025) requires that the following information not be disclosed to a data subject:

  • Social security number
  • Government ID numbers
  • Financial account numbers
  • Health insurance account numbers
  • Medical ID numbers
  • Account passwords
  • Security questions & answers
  • Biometric data

For each of these data types, entities are required to disclose whether they hold that data about the requester, but must not disclose the data itself. If any of these laws apply to you, there are a few steps you should take in DataGrail.

Adjust Automated Workflows

Because these laws require the omission of certain sensitive data, these requests should not be fully automated. If you have configured workflows to auto-complete Access and Correction requests, you should add a branch to workflow criteria so that requests from applicable locations retain a manual final review step.

Automation Example

Redact Data From Requests

Upon receiving an Access or Update Inaccuracies request in a relevant region, let the integration process as expected. Once the request completes the Extracting Personal Data state, you can edit the data files to redact sensitive data.

Determining Files to Redact

Complete and reference a data map to help inform which personal data files will need to be redacted.

To indicate you have the data but not disclose it to the customer, you can replace the data with [REDACTED] but leave the property name.

Example: SSN: [REDACTED]

Sometimes, you may need to redact data from a file where the data is not labeled. In this situation, we recommend including an indication of the data type.

Example: (Support Agent): Sure, I can help you recover your password. Before I do, can you tell me [SECURITY QUESTION REDACTED]?

When you’re done, finalize the request and send it to the data subject as usual.
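One way to script the redaction convention described above, as an added example that is not DataGrail's own code or tooling. It assumes the personal data file is JSON, that the key names in `SENSITIVE_KEYS` match your data map, and that an empty value means the data is not held; the sample record is constructed.

```python
import json
import re

# Assumed key names for the data types the article lists; align with your data map.
SENSITIVE_KEYS = {
    "ssn", "social_security_number", "government_id", "bank_account_number",
    "health_insurance_account", "medical_id", "password",
    "security_question", "security_answer", "biometric_data",
}

# Unlabeled values in free text get a marker that names the data type.
TEXT_PATTERNS = [(re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REDACTED]")]


def _normalize(key):
    """Lower-case a property name and collapse separators ("Security Question")."""
    return re.sub(r"[^a-z0-9]+", "_", key.lower()).strip("_")


def redact(node):
    """Return a redacted copy of a parsed JSON value; the input is not modified."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if _normalize(key) in SENSITIVE_KEYS:
                # Keep the property name. Assumption: an empty value means the
                # data is not held, so it is left empty rather than marked.
                out[key] = "[REDACTED]" if value not in (None, "", [], {}) else value
            else:
                out[key] = redact(value)
        return out
    if isinstance(node, list):
        return [redact(item) for item in node]
    if isinstance(node, str):
        for pattern, marker in TEXT_PATTERNS:
            node = pattern.sub(marker, node)
    return node


# Constructed sample record, not a real DataGrail export.
SAMPLE = {
    "name": "Jane Doe",
    "SSN": "123-45-6789",
    "Password": "hunter2",
    "medical_id": None,
    "support_chat": [{"agent": "I see 123-45-6789 on file.", "Security Question": "First pet?"}],
}

if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE), indent=2))
```

Pattern matching on free text only catches the formats you list, so the manual final review step still applies to the output.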

 

Need help?
If you have any questions, please reach out to your dedicated Account Manager or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.