GDPR for solicitors


All solicitors hold personal data – their employees’, their clients’ and other people relating to their clients and their work. If someone can be identified from the information you hold on them, it is personal data.

The EU GDPR, along with the Data Protection Act 2018, controls how you use this information. What you need to do to comply with regulations depends on how much and what type of data you control.

Knowing what personal data you have and what you do with it is a first step in complying.

Controller or processor of data

As a solicitor you’ll mostly be a controller of data, not a processor. As a data controller you must:

  • process personal data lawfully and fairly in line with data protection principles
  • process the data in a way that protects the subject (person)
  • use the right systems
  • be accountable
  • cooperate with the ICO
  • make sure you follow the rules when sending data abroad (cross-border data flows)

In some areas of your work you may be acting as joint controller or data processor. You can read the ICO guidance to decide whether you’re a controller, joint controller or processor.

Working with processors

You're responsible for your processors’ compliance.

You must also have a written contract with whoever processes data for you. The ICO has set out what should be included in the contract.

Appointing a DPO

You will not usually have to appoint a data protection officer (DPO) but you’ll need to make someone in your practice responsible for making sure data protection rules are followed.

Read more about appointing a DPO, including when you must appoint one.

The rights of data subjects

When you collect someone’s personal data, you must tell them, for example, who you are and how you’ll use their information, including if it’s being shared with other organisations.

Data subjects also have the right to:

  • see any information you hold about them and correct it if it’s wrong
  • request their data is deleted
  • request their data is not used for certain purposes

If someone asks to see the data you hold on them it’s known as a subject access request (SAR). You must give them a copy of the data within one month.

The ICO covers what rights data subjects have in more detail.

Register with the ICO

You must pay a data protection fee to the ICO to notify them that you’re using personal data.

You can be fined if you do not pay the registration fee.

How personal data should be used

The data protection principles set out the rules you need to follow when using personal data. You must make sure the information is:

  • processed fairly, lawfully and transparently
  • processed for specified, explicit purposes
  • processed in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

GDPR introduced a new ‘accountability’ principle. It means you are responsible for what you do with personal data and how you comply with the data protection principles.

What else you need to do will depend on how much and what type of data your practice controls.

Special category personal data

Processing special category data is banned. However, there are exceptions.

To process special category data you must:

This is because special category data is more sensitive, and so needs more protection.

This type of data, if breached, could put someone’s fundamental rights and freedoms at risk, for example by putting them at risk of unlawful discrimination.

Special category (sensitive) data is information such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

Read more about handling special category data on the ICO website

Criminal offence data

This is treated in a similar way to sensitive data, but you can only use it in an official capacity or under specific conditions set out in the Data Protection Act.

Read more about handling criminal offence data on the ICO website

Show you’re complying

Accountability’ is one of the data protection principles. It means you:

  • are responsible for complying with GDPR
  • need to demonstrate your compliance

The person responsible for data protection in your practice needs to be able to show what’s being done to comply.

This means that they’ll need to keep a record, for example of:

  • data processing – what data is being processed, why it is, where it’s shared and how long it’s kept
  • any data breaches
  • subject access requests (SARs)
  • consent given

Read more about what you need to do to show you’re complying on the ICO website

Have a breach response plan

You can set out how you’d respond to a data breach in advance and rehearse it.

You’ll only have 72 hours to report a breach. If you work out a response plan, where everyone who’d be involved knows what to do, you’ll be prepared.

Access requests and legal privilege

As a legal professional you do not have to release information if it breaches:

  • legal professional privilege
  • duty of confidentiality towards a client

GDPR and solicitor’s lien

If your client requests access to their personal data, this will override any right you have to hold a lien over their personal data.

You can read about SARs in more detail on the ICO website and what to do when you get a SAR.

Maximise your Law Society membership with My LS