xCreate a record of data processing

All law firms should know what personal data they are processing and why, and be able to identify what is happening to it. This includes who it is being shared with, including the location of the cloud server storing your data.

All firms need to decide how long they will retain personal data and what security measures they have in place when it is being stored or when it is being sent out of the organisation, depending on the risks inherent in the processing of that data. For example, more care should be taken over special category data and financial data, which can easily be used to harm or cause distress to individuals.

Solicitors are generally very aware of client confidentiality but the GDPR requires the processes to be documented, and working out what personal data you are processing is essential to even begin to do this effectively. For more information, go to the ICO website.


Record of processing

All data controllers must maintain a record of processing activities under their responsibility. Most law firms will be required to do this, although the GDPR limits this obligation for smaller firms.

Organisations with 250 employees or more must record the information set out below about all the personal data processing activities they carry out.

If you have fewer than 250 employees, you are only required to record this information about certain processing activities as listed here:

  • Processing you carry out which is likely to result in a risk to the rights and freedoms of data subjects, or
  • Processing which is not occasional, or
  • Processing which includes special categories of data

For law firms, processing the personal data of clients is likely to involve risks, and it is not occasional. Similarly, processing the personal data of employees is not occasional.

You must record the following information:

  • Name and details of your organisation (and, where applicable, of joint controllers, your representative and data protection officer)
  • Purposes of the processing (and we suggest recording the legal basis too)
  • Description of the categories of data subjects and categories of personal data
  • Categories of recipients to whom personal data will be disclosed
  • Details of transfers to third countries and international organisations, including documentation of the transfer mechanism safeguards in place
  • Time limits for erasure of personal data where possible
  • A general description of technical and organisational security measures where possible

Even if you don’t have 250 employees or feel your processing is occasional, it is important to work out what data you are processing so that you can comply with the other GDPR obligations. As already pointed out, much of the processing will require to be recorded anyway and so we recommend that a record of all your data processing is maintained and updated to ensure that your risk is kept to a minimum and to ensure that data protection accountability is built into the organisation’s processes and procedures.

You may be required to make these records available to the ICO but they do not require to be made public.

Case study

Our high street law firm does not have 250 employees but, does carry our processing which is ‘not occasional’ for staff in particular and it processes includes some special category data of staff and clients. On that basis, our law firm has created a record of data processing based on the data audit which they carried out.

Our case study firm carried out an audit of their data processing. They used the information to begin to populate their record of data processing:

GDPR audit
GDPR audit
GDPR Example of record of data processing
GDPR Example of record of data processing

Data protection principles and your data protection policy

All personal data must be processed in compliance with the data protection principles, which are set out below. They lead to particular obligations under the GDPR but must be considered when dealing with any personal data to inform decision making.

Lawfulness, fairness and transparency Processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

There is an additional principle under the GDPR – accountability. That means organisations must not only comply with the GDPR but must also demonstrate that they comply. Ensure that you have documented policies and processes in place to demonstrate compliance.

Lawful processing

In order to process personal data lawfully, you must comply with all legal obligations and you must be able to rely on one of the following bases for processing.

Fair and transparent processing

In order to process personal data fairly, the processing must be in line with the data subject’s expectations. In other words, only use the data for the reasons you collected it.

GDPR guide for law firms

Data protection regulations from the perspective of a legal practice

Read more

In this section