Advice and guidance on GDPR compliance

  • The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK on 25 May 2018.

    Together they bring the most significant change in data protection regulation in 20 years. The regulation is designed to align privacy laws across Europe and increase protections and data privacy rights for individual citizens.

    This page brings together guidance and support with education and learning resources from the Law Society and external agencies to help you and your firm understand the regulation.

    Law firms generally face the same issues as other organisations in seeking to comply with the GDPR and, through our ongoing discussions with firms, we are identifying and exploring specific issues of concern around compliance.

    This page will be regularly updated as we continue to consider what guidance we can provide in light of the evidence from GDPR compliance.

  • 1 2 Next

    Preparing for the GDPR: A guide for law firms

    We have produced a guide 'Preparing for the GDPR: A guide for law firms' to support firms to work towards compliance.

    20 April 2018
    Advice

    Preparing for the GDPR - ICO conference and cybersecurity special

    In the final run-up to GDPR - there are now fewer than 35 working days until it comes into force - two significant events have taken place. They both offer insights into some of the questions law firms are grappling with.

    12 April 2018
    Advice

    Preparing for the GDPR: Answering your questions part 4

    We answer some of the questions raised from our series of articles on preparing for the GDPR.

    4 April 2018
    Advice

    Preparing for the GDPR: Answering your questions part 3

    We answer some of the questions raised from our series of articles on preparing for the GDPR.

    27 March 2018
    Advice

    Preparing for the GDPR: Answering your questions part 2

    We answer some of the questions raised from our series of articles on preparing for the GDPR.

    22 March 2018
    Advice

    Frequently asked questions about the GDPR

    Frequently asked questions about the GDPR.

    16 March 2018
    Advice

    Preparing for the GDPR: Answering your questions

    Continuation of the GDPR advice series, with answers to some of the questions raised about the ICO's 12 Steps to Take Now.

    15 March 2018
    Advice

    Appointing a Data Protection Officer

    Guidance for law firms on the appointment of a Data Protection Officer.

    15 March 2018
    Advice

    How to prepare for the GDPR part 5: Summary and FAQs

    This is the last of a five-week series of articles on how to prepare for the GDPR.

    7 March 2018
    Advice

    How to prepare for the GDPR part 4: Cybersecurity

    This is the fourth of a five-week series of articles on how to prepare for the GDPR.

    28 February 2018
    Advice
  • Podcasts

    The GDPR and employment lawyers

    Nick Denys, policy advisor at the Law Society, explores some of the challenges organisations face to remain GDPR compliant.

    The GDPR and children’s rights

    Sarah Richardson, who supports the Law Society’s children law sub-committee, discusses how the EU GDPR affects the data protection rights of children.

    The GDPR guide for law firms

    Andrew McWhir, policy advisor at the Law Society, discusses the Law Society’s GDPR guide for law firms.

  • Webinars

    Non-cyber data protection

    Non-cyber risks can still cause data breaches. Understand these threats to minimise the risk to your firm.

    GDPR for in-house - how it affects your organisation

    Stephen McCartney looks at the changes that GDPR will bring, and explains the Royal Mail’s approach.

    Data protection for small firms

    Technology policy advisor, Tim Hill, and data protection solicitor, Anita Bapat, consider aspects of the GDPR for small firms.

  • What is the GDPR?

    The GDPR and the Data Protection Act (DPA) 2018 came into force in the UK on 25 May 2018. The DPA replaces the DPA 1998 and supplements the GDPR by filling in sections of the regulation left to Member States to interpret and implement.

    The GDPR imposes stringent accountability and transparency obligations on data controllers, including mandatory reporting of data breaches.

    The new regulation is an evolution of the previous data protection framework, with which law firms should already be compliant.

    Lead-up to the GDPR

    The regulation introduced new elements and significant enhancements, which meant that every organisation had to start doing some things for the first time and to change their previous processes. The EU GDPR.ORG website provides a useful summary of the changes brought by the GDPR.

    The Information Commissioner's Office (ICO) produces a more detailed monthly summary of what's new. Subscribing to the ICO's newsletter is a useful way to keep informed.

    Data controller or processor?

    It's key to determine whether your firm processes personal data as a 'data controller' or 'data processor'. You should then complete the ICO's checklist for data controllers and/or processors. Law firms will generally be data controllers.

    Follow the 12 steps

    The ICO has published a 12-step guide (PDF 238kb) that we strongly recommend you use to work towards compliance.

    Given the scale of the changes, you should consider appointing an individual to act as the business lead for your GDPR project. This does not necessarily have to be someone with data protection expertise.

    While most law firms are not required to appoint a data protection officer (DPO), we recommend that firms consider the voluntary designation of someone with appropriate expertise and resources to lead on GDPR compliance.

    We also suggest firms complete the information audit to identify and document all of the personal data that your firm processes.

    Access our guidance on appointing a DPO

  • Contact us

    Please contact us if you or your firm have a specific issue you would like to raise.