Law Society of Scotland
Create a record of data processing

All law firms should know what personal data they are processing and why, and be able to identify what is happening to it. This includes who it is being shared with and where it is stored, including the location of any cloud server holding your data.

All firms need to decide how long they will retain personal data and what security measures are in place while it is stored and when it is sent out of the organisation. The level of protection should match the risk inherent in the processing. For example, more care should be taken over special category data and financial data, because individuals can suffer harm or distress if that data is not kept secure.

Solicitors are generally very aware of client confidentiality, but data protection law requires processes to be documented far more thoroughly than before the GDPR came into force. Working out what personal data you are processing is the essential first step.

The ICO publishes resources about documentation, including templates: go to ICO, accountability, governance and documentation.


Record of processing

All data controllers must maintain a record of the processing activities under their responsibility. Most law firms will be required to do this, although the UK GDPR limits the obligation for smaller organisations.

Organisations with 250 employees or more must record the information set out below about all the personal data processing activities they carry out.

If you have fewer than 250 employees, you are only required to record this information for processing that meets any of the following conditions:

  • Processing which is likely to result in a risk to the rights and freedoms of data subjects, or
  • Processing which is not occasional, or
  • Processing which includes special categories of data

For law firms, processing the personal data of clients is likely to involve risks, and it is not occasional. Similarly, processing the personal data of employees is not occasional.

You must record the following information:

  • Name and contact details of your organisation (and, where applicable, your data protection officer)
  • Purposes of the processing
  • The lawful basis for the processing
  • Any legitimate interests relied on for processing personal data
  • Description of the categories of data subjects whose data you are processing
  • Categories of personal data being processed and, where the data was not obtained from the individual it relates to, the source it was obtained from
  • Recipients or categories of recipients to whom personal data will be disclosed
  • Information about transfers to third countries and international organisations, with details of the safeguards in place
  • Time limits for erasure of personal data, or information about how those limits will be determined
  • A general description of the technical and organisational security measures in place (for example access controls, encryption and backups), as required by Article 30 of the UK GDPR
  • Information about the consequences of failing to provide personal data in certain circumstances
  • A description of applicable data subject rights
  • Information and contact details about how to make a complaint, including to the Information Commissioner

Even if you don’t have 250 employees, or feel your processing is occasional, it is important to work out what personal data you are processing so that you can comply with your other data protection obligations. As already pointed out, much of a law firm’s processing will have to be recorded anyway. We therefore recommend that a record of all your data processing is maintained and kept up to date: it keeps your risk to a minimum, demonstrates accountability and builds awareness into your organisation’s processes and procedures.

You may be required to make these records available to the Information Commissioner in the course of an investigation, but the record does not have to be published.

Case study

Our high street law firm does not have 250 employees, but it does carry out processing which is ‘not occasional’, for staff in particular, and that processing includes some special category data of staff and clients. On that basis, the firm has created a record of data processing based on the data audit it carried out.

Our case study firm carried out an audit of its data processing and used the results to begin populating its record of data processing:

  • Audit Pages (PDF, 40kb)
  • Example Of A Record Of Data Processing (PDF, 26kb)

All personal data must be processed in compliance with the data protection principles, which are set out below. They give rise to specific obligations under data protection law, but they must also be considered whenever you deal with personal data, to inform your decision making.

Lawfulness, fairness and transparency

Processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality (security)

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

There is an additional principle which was introduced under the GDPR – accountability. That means organisations must not only comply with the GDPR but must also be able to demonstrate that they comply. Ensure that you have documented policies and processes in place to demonstrate compliance.

Case study - data protection principles

Our high street law firm’s work with any personal data is underpinned by these principles, which inform the content of the firm’s data protection policy. The firm’s policy is based on the Law Society of Scotland’s data protection policy template (see below).

Lawful processing

In order to process personal data lawfully, you must comply with all your legal obligations and you must be able to rely on one of the lawful bases for processing set out in the UK GDPR.

Fair and transparent processing

In order to process personal data fairly, the processing must be in line with the data subject’s reasonable expectations. In other words, only use the data for the purposes for which you collected it.

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
Law Society of Scotland | © 2025