You company just got a Data Subject Access Request, but it contains the personal data of two or more parties. How do you balance the GDPR’s principle ‘right to access’ with ‘what to disclose’? How should you properly redact the data before disclosing it?