Specialist guidance for law firms

Law firms generally face similar issues as other organisations in seeking to comply with the EU General Data Protection Regulation. You should therefore consult the ICO's guidance on preparing for the GDPR.

The Law Society has been exploring whether there are issues of particular concern to law firms that could be addressed through discussion documents, guidance or practice notes. One of the issues on which we are working is the appointment of data protection officers under Article 37 of the regulation.

You can find summary guidance on some areas of concern in our FAQs below, and you can contact us to suggest other issues or share your concerns about GDPR.

Appointment of a data protection officer (DPO)

Download the guidance for law firms on the appointment of a DPO (PDF 531kb).

This is a work in progress on which we would welcome comments.

Email us to give feedback.

Frequently asked questions 

Do law firms need to appoint DPOs under the GDPR?


GDPR will require some organisations, including some law firms, to appoint data protection officers (DPOs). To decide whether you need to appoint a DPO you should familiarise yourself with Article 37 of the GDPR, the relevant guidance from the Information Commissioner and the Article 29 Working Party guidance. If you decide you do not need to appoint a DPO, you may still choose to make a voluntary appointment. We recommend that you document your decision-making.

How long should I retain personal data and documents?


Article 5(1)(e) of the GDPR sets out personal data retention requirements. It does not significantly differ from current requirements. You may wish to review your existing retention schedules in order to prepare for GDPR.

How should I apply the new rules on consent?


The ICO has published draft guidance on consent. However, this guidance will not be finalised until the Article 29 Working Party finalises its own guidance. This is currently expected to be available in December 2017.


Are there special rules for legally privileged material?


The current Data Protection Act exempts personal data in respect of which a claim to legal professional privilege could be maintained in legal proceedings from the subject information provisions - see Sched 7, 10. 

There are no comparable provisions in the GDPR but the Data Protection Bill currently making its way through parliament exercises a derogation in Sched 2.17 that mirrors existing provisions. There are also provisions concerning the handling of privileged material by the ICO (see s.128).


What do I need to know about cybersecurity and the GDPR?


Cybersecurity remains as important under GDPR as it is under the current data protection framework. See our advice and support on cybersecurity. For general advice and support on all aspects of cybersecurity, including the recently published small business guide, visit the National Cyber Security Centre's website.

For information on mandatory data breach notification, read the ICO’s blog GDPR – setting the record straight on data breach reporting.