Law firms have to comply with the General Data Protection Regulation, just like all other organisations that process personal data.

We have produced this GDPR guide specifically for law firms. While the GDPR and the Data Protection Act are not Law Society rules, we thought it would be helpful to look at them from the perspective of a legal practice.

Part of this guide includes a data audit we carried out with a high street firm to look at its data processing. Many high street firms will recognise the information gathered in the audit and can use it to evaluate their own data processes.

In many instances, it is left to each firm to determine how to comply depending on the nature and volume of work undertaken. On that basis, this guide is for information only; the tables and templates are illustrative and should be amended to take account of your firm’s unique circumstances.

Responsibility for regulating the GDPR lies with the ICO, not the Law Society of Scotland.

GDPR ten steps:

Your firm is a data controller and must be registered with the ICO. From 25 May 2018, data controllers are required to pay a data protection fee.

Map out how you process your clients’ personal data from the moment it comes into your office through to storage and file destruction. Don’t forget to map the personal data of your staff.

In the guide, we show what a data audit of a high street firm might look like.

You are required to keep a record of certain data processing activities (the record of processing under Article 30 of the GDPR). The exemption for organisations with fewer than 250 employees does not apply where processing is not occasional, involves special category data or could result in a risk to individuals, so most firms will need the record. This audit will provide you with the information that needs to be recorded and which is required to meet other GDPR obligations.

You must have a GDPR-compliant contract in place with data processors (Article 28 of the GDPR sets out the terms the contract must contain) and appropriate arrangements in place with other controllers. You may also wish to agree security and retention arrangements with other organisations that you pass personal data to.

You can only keep personal data for as long as it is necessary for the purpose for which it was collected.

Your data protection policy sets out your approach to data protection and privacy.

You must have a policy detailing how you will deal with requests from clients (and employees/ex-employees) regarding the information that you hold about them. Such requests must normally be answered within one month. Individuals also have the right to ask for their personal data to be erased in certain circumstances. This can be included in your data protection policy.

Have in place a written process setting out what to do in the event of a breach and who is responsible for reporting to the ICO and to the affected data subjects. Keep a record of every breach, including those you decide do not need to be reported. Ensure that all staff can identify a data breach and know who to inform.

Direct marketing is regulated by the Privacy and Electronic Communications Regulations (PECR), which generally require consent for electronic marketing to individuals and sole traders but not to corporate business contacts. You may be able to rely on the soft opt-in for existing clients, provided you obtained their details in the course of providing services to them, the marketing concerns your own similar services, and you gave them the chance to opt out when you collected their details and in every message you send.

It is crucial that everyone in your firm who handles client data understands and adheres to your policies for handling personal data. Arrange training to ensure that they are up to speed.

Law firms as data controllers

Law firms are data controllers in relation to the personal data they hold for their employees and clients.

Create a record of data processing

All law firms should know what personal data they are processing and why, and be able to identify what is happening to it.

Client confidentiality

Exemptions that apply when dealing with personal data that is subject to client confidentiality or contained within communications that are legally privileged.

Data retention

Set out your information retention periods and how you will erase or dispose of personal data, whether held electronically or in paper form.

Sharing data

List all the organisations that you share personal data with on a regular basis.

Data protection officers

Every organisation should have a data protection lead, whether or not they require a Data Protection Officer.


Organisations processing personal data must have appropriate technical and organisational measures in place to protect it, whether it is held in paper files or stored digitally.

Reporting personal data breaches

The GDPR obliges the data controller to notify the Information Commissioner's Office (ICO) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, they must also be told without undue delay.

Requests for client personal data

Requests for personal data could come from clients (subject access requests, or SARs) as well as from third parties and investigatory bodies, and each type needs to be handled differently.

Appendix 1 - Consent

You should only rely on consent if there is no other lawful basis for processing that you can identify.

Appendix 2 - Example of a data protection policy

Example of a data protection policy which members might find useful when thinking about what to include in their own policies.

Appendix 3 - Background to the GDPR changes

GDPR and the Data Protection Act