Law Society of Scotland
Ten steps

If you were starting from scratch and introducing GDPR into your firm for the first time, these ten steps will help you to create an implementation plan.

1. Register with the Information Commissioner’s Office (ICO)
Your firm is a data controller and must be registered with the ICO. From 25 May 2018, data controllers will require to pay a data protection fee at a level appropriate to their size and turnover.

2. Audit your data processing
Map out how you process personal data on behalf of your clients from the moment it comes into your office through to storage and file destruction. Don’t forget to map the processing of the personal data of your staff. In the guide, we show what a data audit of a high street firm might look like. You are required to keep a record of certain data processing activities; this audit will provide you with the information that needs to be recorded and which is required to meet other data protection compliance obligations.

3. Identify all the third parties you share data with
You must have a GDPR-compliant contract in place with data processors (service providers who deal with personal data on your behalf) and appropriate arrangements in place with other controllers. You may wish to consider having arrangements with other organisations that you share personal data with, particularly in relation to confidentiality, security and retention.

4. Create a data retention policy
You can only store data for as long as it is necessary for the purpose for which it was processed.

5. Have a written data protection policy
Your data protection policy sets out your approach to data protection and privacy.

6. Create privacy notices setting out how you process personal data, at least for clients, staff and visitors to your website
There is an obligation to provide anyone whose personal data you process with information about how you handle their data, which sets out their rights and how to exercise them.

7. Have a written process for dealing with data subject requests, including subject access requests
You should have a policy detailing how you will deal with requests from clients, employees/ex-employees and others regarding the information that you hold about them. Individuals also have the right to ask for their personal data to be erased in certain circumstances. This can be included in your data protection policy.

8. Have a process and written guidance for what to do in the event of a personal data breach
Have in place a written process setting out what to do in the event of a breach, which provides guidance on how to identify whether it requires to be reported and who is responsible for reporting to the ICO and/or the data subject. Ensure that all staff can identify a personal data breach and are aware of who to report it to.

9. Review your approach to marketing to ensure it is compliant
Digital marketing is regulated by the Privacy and Electronic Communications Regulations, which mandate that consent is generally required for marketing to individuals and sole traders, but not necessarily business contacts. You may be able to use the soft opt-in for clients.

10. Train your staff
It is crucial that everyone in your firm who handles client data understands and adheres to your policies for handling personal data. Arrange training to ensure that they are up to speed.
Law Society of Scotland | © 2025