Does a screenshot count as personal data under GDPR?

If anyone in the image can be identified from it, directly or in combination with other things you hold, then yes. A visible name, an email address, a face, an account number or even a username can be enough on its own, and detail that seems harmless in isolation often identifies someone once it sits alongside the rest of your records. The safe assumption for a business screenshot is that it is personal data unless you have actively removed every identifier.

Is keeping the unredacted original a problem if I only ever shared the redacted one?

It can be, because storage is itself processing. An original full of identifiers sitting in your screenshots folder, a Slack upload or a ticket attachment is personal data you are holding, which means it falls inside your retention, security and access obligations whether or not you ever look at it again. Data minimization points the other way: if you do not need the unredacted version, the lowest-risk move is not to create or keep one.

Why does it matter that ScrubShot works on-device for GDPR?

Because uploading an image to a web tool to redact it sends the unredacted original to that service first, which is a disclosure to a third party and usually brings a processor relationship and a transfer to think about. ScrubShot rewrites the sensitive areas into the pixels on your own Mac and nothing is uploaded, so no copy of the identifiers reaches anyone else in the course of cleaning the image. The processing stays inside your own control.

If I scrub a screenshot, is the personal data really gone?

From the scrubbed image, yes, when the redaction is irreversible. ScrubShot replaces the area with blocks sampled at random from the region rather than computed from the text underneath, so there is no overlay to peel off and nothing for depixelation software to brute-force back. That said, scrubbing one shared copy does nothing about the original or about any copies already distributed, so handle those separately and revoke anything a leaked screenshot would expose.

← Resources

GDPR and screenshots: when a screenshot becomes personal data

Short answer: the moment a screenshot lets someone be identified, a customer email, an employee name, a face in a call grid, an account number tied to a person, it is personal data, and under UK GDPR your business is processing it like any other record. That reframes a habit nobody thinks about as a compliance question with three quiet parts: the unredacted original you keep is data you are storing, the copies that travel through chat and tickets are disclosures, and minimizing both is an obligation rather than good manners. This guide is a working explanation of when the regime bites, what a controller actually owes, and the practical way to keep screenshots inside the rules.

When a screenshot crosses into "personal data"

GDPR and UK GDPR define personal data as anything relating to an identified or identifiable living person. The test is not whether the image looks sensitive, it is whether someone in it can be picked out, either straight from the image or by combining it with other information you reasonably have access to. That second half is the part businesses underrate. A username on its own might mean little, but set against the customer table you already hold, it names a person. The same goes for an internal ticket reference, a partial postcode, or a device name that happens to be "Sarah's MacBook."

So the honest default for a business screenshot is to assume it carries personal data until you have looked and confirmed it does not. The exact fields that tip an image over the line, names, contact details, financial identifiers and the rest, are the same ones worth covering in any screenshot, which I have set out value by value in the rundown on hiding bank details and personal information in screenshots. Faces add their own category: an identifiable individual in a meeting grid or an admin view is personal data even when no text is readable at all.

Where the regime touches a screenshot, and what you owe

Once an image counts as personal data, the GDPR principles attach to it the same way they attach to a spreadsheet or a CRM entry. Here is how each principle lands on the specific case of a business screenshot, and the practical thing it asks of you.

GDPR principle	How it lands on a screenshot	What it asks of you
Lawful basis	Capturing and reusing someone's data in an image is processing, so it needs a basis like legitimate interests or contract behind it.	Be able to say why the screenshot exists and that the people in it would not be surprised by it.
Data minimization	A full-frame grab captures far more than the one thing you meant to share or keep.	Cover everything that is not the point before the image travels, and avoid keeping the unredacted version at all.
Storage limitation	An old screenshots folder is a quiet archive of identifiers nobody is curating.	Treat originals as data with a shelf life, and clear them out rather than letting them accumulate.
Integrity and confidentiality	Pasting into chat or a ticket discloses the image to everyone in that space, often more people than intended.	Scrub before sharing and keep the unredacted copy off any service you do not control.
Accountability	If a screenshot leaks, you have to be able to show what was in it and what you did to limit it.	Have a habit you can describe, redact at capture, store little, and know what each leaked image would expose.

The original you keep is data you are storing

The risk people miss is not the copy they send, it is the copy they keep. Storage counts as processing under GDPR, so an unredacted screenshot sitting in your Pictures folder, a Slack upload history or a ticket attachment is personal data you are actively holding, even if you never open it again. Every one of those originals widens the surface a breach could expose, lengthens what a subject access request has to account for, and sits squarely inside your retention and security duties.

Data minimization is the principle that speaks to this most directly. It does not only ask you to share less, it asks you to hold less in the first place. The cleanest way to satisfy it is to never produce a hoard of unredacted originals: redact the image as you capture it, so the only version that exists is already clean. That is a different discipline from sharing carefully, and it is the one most teams skip, because the original feels private as long as it stays on the machine. It is still data you are responsible for.

Screenshots travel further than the share you intended

A screenshot rarely stops where you put it. It lands in a Slack channel and gets read by everyone in that channel, then sits in the searchable history for new joiners to scroll back to. It attaches to a support or issue ticket and ends up in front of a vendor's staff and inside their systems too. It drops into a shared doc that quietly syncs to half the company. Each of those is a disclosure of whatever the image contains, to a wider audience than the one person you were answering.

Two of those destinations deserve naming because of who else is in the room. Pasting into chat is where screenshots leak most, since the audience is broad and the history is permanent, which is why the safe move is to clean the image before it ever hits the channel, the loop laid out in blurring sensitive information before you paste to Slack. A vendor ticket is more exposing still, because the unredacted original now lives in a third party's infrastructure, and the practical version of handling that sits in redacting screenshots for customer support tickets. The pattern repeats across roles: the personal data on a finance, HR or legal screen is dense, and the people in frame usually never learn where the image went, which is why I have written separate field-by-field guides for accountants and finance teams, HR and recruiters, and lawyers and legal teams.

Uploading to redact is itself a disclosure

There is a particular trap worth calling out, because it feels like the responsible choice. Reaching for a web tool to blur or pixelate a screenshot means uploading the unredacted original to that service before any redaction happens. From a GDPR standpoint that upload is a disclosure of personal data to a third party. It usually creates a processor relationship that ought to be governed by a contract, and depending on where the service runs, an international transfer to account for. The image is most exposed at the exact moment you were trying to protect it.

The way around it is to keep the whole operation on your own machine, so the identifiers never leave it. That is why ScrubShot does its work on-device: the sensitive areas are rewritten into the pixels locally and nothing is sent anywhere, so cleaning the image creates no new copy in anyone else's hands. The wider problem with the upload-first model is unpacked in what actually happens when you redact a screenshot online.

The redaction has to actually hold

Minimizing only counts if the cover survives contact with someone who wants to undo it. A box drawn on top of a figure is a separate layer in many tools, so it can be nudged aside or stripped out of the file, and a soft blur over short, predictable text such as an account number or a code can sometimes be reversed because the original detail is still mathematically present. A redaction that can be peeled back has not minimized anything, it has only hidden it from a casual glance.

The version that holds is one where the sensitive pixels are genuinely rewritten and the replacement is not derived from what it covers. ScrubShot's Scrub tool fills each block with colors sampled at random from the region rather than computed from the text underneath, so there is no overlay to lift and nothing for depixelation software to brute-force back, a property I have explained in full in the piece on whether pixelation can be reversed. For the everyday business workflow, deciding between cover-in-place, crop and mosaic, the practical comparison lives in the main guide to redacting screenshots on a Mac without uploading them.

About this guide

I make ScrubShot, so I am writing this as the person who built a tool for the exact habit it describes, not as a lawyer. This is a plain-language read on how UK GDPR concepts apply to an ordinary business screenshot, and it is meant to help you reason about the risk, not to replace advice on your own situation. I have kept to the parts I can stand behind: that an identifiable person in an image makes it personal data, that storing the unredacted original is processing you are responsible for, and that uploading an image to redact it discloses the very thing you were trying to protect. Where the answer is "it depends on facts I cannot see," I have said so rather than invent a rule.

FAQ

Does a screenshot count as personal data under GDPR?: If anyone in the image can be identified from it, directly or in combination with other things you hold, then yes. A visible name, an email address, a face, an account number or even a username can be enough on its own, and detail that seems harmless in isolation often identifies someone once it sits alongside the rest of your records. The safe assumption for a business screenshot is that it is personal data unless you have actively removed every identifier.
Is keeping the unredacted original a problem if I only ever shared the redacted one?: It can be, because storage is itself processing. An original full of identifiers sitting in your screenshots folder, a Slack upload or a ticket attachment is personal data you are holding, which means it falls inside your retention, security and access obligations whether or not you ever look at it again. Data minimization points the other way: if you do not need the unredacted version, the lowest-risk move is not to create or keep one.
Why does it matter that ScrubShot works on-device for GDPR?: Because uploading an image to a web tool to redact it sends the unredacted original to that service first, which is a disclosure to a third party and usually brings a processor relationship and a transfer to think about. ScrubShot rewrites the sensitive areas into the pixels on your own Mac and nothing is uploaded, so no copy of the identifiers reaches anyone else in the course of cleaning the image. The processing stays inside your own control.
If I scrub a screenshot, is the personal data really gone?: From the scrubbed image, yes, when the redaction is irreversible. ScrubShot replaces the area with blocks sampled at random from the region rather than computed from the text underneath, so there is no overlay to peel off and nothing for depixelation software to brute-force back. That said, scrubbing one shared copy does nothing about the original or about any copies already distributed, so handle those separately and revoke anything a leaked screenshot would expose.

Try it

ScrubShot is a Mac app built so the compliant move is also the fast one: press the shortcut, drag over the names, addresses, account numbers and faces that should not travel, and they are rewritten into the image as an irreversible mosaic. Nothing is uploaded, so the unredacted original never leaves your Mac and the cleaned version is the only one anyone else sees. There is a free 7-day trial with no card required. After that it is $30 once.

Try ScrubShot free →