Law Society of Scotland
Guide to GDPR

We have produced this Guide specifically for law firms. While its contents are not Law Society rules, we thought it would be helpful to look at the Regulation and the Data Protection Act from the perspective of a legal practice.

Part of this guide includes a data audit we carried out with a high street firm to look at their data processing. Many high street firms will recognise the information gathered in the audit and can use it to evaluate their own data processes. You can find examples of a data protection policy and a privacy notice at the bottom of the page.

This is the second edition following the initial publication in 2018.

Since this Guide was first drafted, the UK has left the EU. The GDPR was retained with substantively the same provisions as before and is now referred to as the UK GDPR. At the time that this Guide was published, the Data Protection Act 2018 had just been finalised. This edition therefore reflects these changes and additional developments in interpretation and guidance published since 2018. We have also taken into account the changes brought about by the pandemic and working from home, which led to more technology being used by all organisations.

Law firms have to comply with data protection laws, just like all other organisations that process personal data.

In many instances, it is left to each firm to determine how to comply depending on the nature and volume of work undertaken. On that basis, this guide is for information only; the tables and templates are illustrative and should be amended to take account of your firm’s unique circumstances.

Responsibility for regulating Data Protection laws lies with the Information Commissioner’s Office (ICO), not the Law Society of Scotland.

Ten steps

Ten steps to help you to create a GDPR plan

Law firms as data controllers

Personal data you hold for your employees and clients, and what counts as personal data

Create a record of data processing

Examples of audit and data processing records, lawful, fair and transparent processing

Marketing

From collecting data via your website to direct marketing

Client confidentiality

Exemptions when dealing with personal data

AML and data protection

AML obligations and personal data

Data retention

Retention periods and how you will erase or dispose of personal data

Sharing data

List all the organisations that you share data with on a regular basis

Data protection officers

Identify your data protection lead, whether or not they require a Data Protection Officer

Security

Appropriate technical and organisational measures in relation to processing personal data

Reporting personal data breaches

Notifying the Information Commissioner’s Office of a personal data breach 

Requests for copies of personal data

Requests for access to personal data from clients, third parties and others

Appendix 1 - Consent

Only rely on consent if there is no other legal processing condition that you can identify

Example of a data protection policy

Word version of a sample data protection policy

Example of Privacy Notice

Word version of a sample privacy notice

Law Society of Scotland | © 2025