Law Society of Scotland

Create a record of data processing

All law firms should know what personal data they are processing and why, and be able to identify what is happening to it. This includes who it is shared with and where it is held, such as the location of any cloud server storing your data.

All firms need to decide how long they will retain personal data and what security measures protect it while it is stored and while it is sent out of the organisation, proportionate to the risks inherent in that processing. For example, more care should be taken over special category data and financial data, which can easily be used to harm or cause distress to individuals.

Solicitors are generally very aware of client confidentiality but the GDPR requires the processes to be documented, and working out what personal data you are processing is essential to even begin to do this effectively. For more information, go to the ICO website.


Record of processing

All data controllers must maintain a record of processing activities under their responsibility. Most law firms will be required to do this, although the GDPR limits this obligation for smaller firms.

Organisations with 250 employees or more must record the information set out below about all the personal data processing activities they carry out.

If you have fewer than 250 employees, you are only required to record this information about certain processing activities as listed here:

  • Processing you carry out which is likely to result in a risk to the rights and freedoms of data subjects, or
  • Processing which is not occasional, or
  • Processing which includes special categories of data

For law firms, processing the personal data of clients is likely to involve risks, and it is not occasional. Similarly, processing the personal data of employees is not occasional.

You must record the following information:

  • Name and details of your organisation (and, where applicable, of joint controllers, your representative and data protection officer)
  • Purposes of the processing (and we suggest recording the legal basis too)
  • Description of the categories of data subjects and categories of personal data
  • Categories of recipients to whom personal data will be disclosed
  • Details of transfers to third countries and international organisations, including documentation of the transfer mechanism safeguards in place
  • Time limits for erasure of personal data where possible
  • A general description of technical and organisational security measures where possible

Even if you don’t have 250 employees, or feel your processing is occasional, it is important to work out what data you are processing so that you can comply with the other GDPR obligations. As already pointed out, much of the processing will require to be recorded anyway, so we recommend that a record of all your data processing is maintained and kept up to date. That keeps your risk to a minimum and builds data protection accountability into the organisation’s processes and procedures.

You may be required to make these records available to the ICO on request, but they do not require to be made public.
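The requirements above are simple enough to check mechanically, which is useful once a record has more than a handful of entries. The following is an added example, not the Law Society’s or the ICO’s code: it encodes the headcount rule (250 employees or more record everything; smaller organisations record activities that are risky, not occasional, or involve special category data), the mandatory fields, the “where possible” fields as warnings, and the rule that any transfer to a third country must document its safeguard. The field names, the firm name and the three sample activities are constructed for illustration and are not taken from the case-study PDFs.

```python
from __future__ import annotations

# Fields the guidance lists as mandatory for every recorded activity.
REQUIRED_FIELDS = (
    "controller",        # name and details of the organisation (and DPO, if any)
    "purposes",          # purposes of the processing
    "data_subjects",     # categories of data subjects
    "data_categories",   # categories of personal data
    "recipients",        # categories of recipients
)

# Fields the guidance requires "where possible" or recommends (legal basis);
# a missing one produces a warning rather than an error.
RECOMMENDED_FIELDS = ("legal_basis", "erasure_time_limits", "security_measures")

SMALL_ORG_THRESHOLD = 250


def must_be_recorded(activity: dict, employees: int) -> bool:
    """Headcount rule: 250+ employees record every activity; smaller
    organisations record an activity if it is likely to be risky, is not
    occasional, or involves special category data. An activity with no
    'occasional' flag is treated as not occasional (the conservative reading)."""
    if employees >= SMALL_ORG_THRESHOLD:
        return True
    return bool(
        activity.get("likely_risk", False)
        or not activity.get("occasional", False)
        or activity.get("special_category", False)
    )


def check_activity(activity: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a single activity entry."""
    errors = [f"missing required field: {f}" for f in REQUIRED_FIELDS if not activity.get(f)]
    warnings = [f"missing recommended field: {f}" for f in RECOMMENDED_FIELDS if not activity.get(f)]
    # Every transfer to a third country must document the safeguard relied on.
    for transfer in activity.get("transfers", []):
        if not transfer.get("safeguard"):
            errors.append(f"transfer to {transfer.get('country', '?')} has no documented safeguard")
    return errors, warnings


def audit_ropa(activities: list[dict], employees: int) -> dict:
    """Check each in-scope activity; return which activities must be recorded
    and the errors/warnings found per activity."""
    report: dict = {"in_scope": [], "out_of_scope": [], "errors": {}, "warnings": {}}
    for activity in activities:
        name = activity.get("name", "<unnamed>")
        if not must_be_recorded(activity, employees):
            report["out_of_scope"].append(name)
            continue
        report["in_scope"].append(name)
        errors, warnings = check_activity(activity)
        if errors:
            report["errors"][name] = errors
        if warnings:
            report["warnings"][name] = warnings
    return report


# Constructed sample entries for a hypothetical small firm (assumed data).
SAMPLE_ACTIVITIES = [
    {
        "name": "client matter files",
        "controller": "Example Street Law LLP, Edinburgh",
        "purposes": "provision of legal services",
        "legal_basis": "contract; legal obligation",
        "data_subjects": "clients, opposing parties, witnesses",
        "data_categories": "identity, contact, financial, health (special category)",
        "recipients": "courts, counsel, cloud document-management provider",
        "occasional": False,
        "likely_risk": True,
        "special_category": True,
        # Cloud backup hosted in the USA with no safeguard recorded: an error.
        "transfers": [{"country": "USA", "safeguard": ""}],
        "erasure_time_limits": "10 years after file closure",
        "security_measures": "encrypted storage, MFA, access logging",
    },
    {
        "name": "payroll",
        "controller": "Example Street Law LLP, Edinburgh",
        "purposes": "paying staff and HMRC reporting",
        "data_subjects": "employees",
        "data_categories": "identity, bank details, salary",
        "recipients": "HMRC, payroll bureau",
        "occasional": False,
        # legal_basis, erasure and security fields omitted: warnings only.
    },
    {
        "name": "one-off office raffle",
        "controller": "Example Street Law LLP, Edinburgh",
        "purposes": "single charity event",
        "data_subjects": "staff",
        "data_categories": "names",
        "recipients": "none",
        "occasional": True,
        "likely_risk": False,
        "special_category": False,
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_ropa(SAMPLE_ACTIVITIES, employees=40), indent=2))
```

Run as a script it prints the report for a 40-employee firm: the raffle falls outside the recording duty, payroll is in scope with warnings only, and the client files entry fails because the US cloud transfer has no safeguard documented. The same record audited with `employees=250` brings the raffle into scope as well.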

Case study

Our high street law firm does not have 250 employees, but it does carry out processing which is ‘not occasional’ (for staff in particular), and its processing includes some special category data of staff and clients. On that basis, our law firm has created a record of data processing based on the data audit which it carried out.

Our case study firm carried out an audit of their data processing. They used the information to begin to populate their record of data processing:

  • GDPR audit (download PDF, 121kb)
  • GDPR Example of record of data processing (download PDF, 60kb)

Data protection principles and your data protection policy

All personal data must be processed in compliance with the data protection principles, which are set out below. They lead to particular obligations under the GDPR but must be considered when dealing with any personal data to inform decision making.

  • Lawfulness, fairness and transparency: processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Storage limitation: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

There is an additional principle under the GDPR – accountability. That means organisations must not only comply with the GDPR but must also demonstrate that they comply. Ensure that you have documented policies and processes in place to demonstrate compliance.

Lawful processing

In order to process personal data lawfully, you must comply with all legal obligations and you must be able to rely on one of the following bases for processing.

Fair and transparent processing

In order to process personal data fairly, the processing must be in line with the data subject’s expectations. In other words, only use the data for the reasons you collected it.

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
Law Society of Scotland | © 2025