
Are you GDPR ready? Start here

20 February 2018

The General Data Protection Regulation comes into force on 25 May 2018 in the UK, and yet recent research has found that only 25 per cent of law firms believe they are in compliance. If you haven’t started planning for it yet, this is where you should begin.

Law firms hold vast amounts of sensitive data on their clients. For the most serious infringements, including those that lead to a data breach, the regulator, the Information Commissioner’s Office (ICO), can impose a fine of up to €20m or four per cent of global annual turnover, whichever is the higher.

Undertaking a thorough review of how you currently process and hold data should be a priority for every law firm right now, to ensure that you don’t fall foul of the new law. If you haven’t started yet – don’t panic. There is still time to plan and implement a compliance programme.

Mind the gap

A good starting point is to carry out a gap analysis to work out where existing compliance is good, and where there are likely to be difficulties in complying with the GDPR. Then your incremental compliance plan can be put together.

1 Review all existing contracts with your suppliers to see if they are handling personal data

  • Do you have a cloud-based case management system? If so, what would happen if there were to be a data breach on that system? Article 33(2) requires a processor to notify the controller without undue delay after becoming aware of a breach: does the contract say how and how quickly the supplier will notify you, and will they give you what you need to meet your own 72-hour notification requirement to the ICO under article 33?
  • You may have a HR system that manages all your staff’s details – is that contract GDPR-compliant?
2 Carry out an independent review of any insurance policies, to see what is and isn’t covered

  • Will your existing policies cover you for regulatory breaches?
  • Will they cover you for a loss of turnover in the event of a data breach?
  • Will they cover you for a subsequent loss of staff?
  • If your credit rating is affected due to a data breach, are you covered for that?

3 Staff, from partner-level down, are fundamental to ensuring GDPR-readiness

Make staff aware that, in addition to the possibility of fines against their employer, criminal sanctions are available where employees, wilfully or negligently, are responsible for data breaches. All staff need to understand what the risks are, both to the firm and to them.

Some things to be aware of:

Both digital and hard-copy personal data needs to be protected.

  • Consider the visibility of your offices from the street: are client details visible on computer screens?
  • Are client cheques, with their account details on them, left on desks, and if so, are they visible from the outside?

The dangers of collaborative or agile working

  • Public wifi. Consider the risks associated with working in public spaces using free public wifi, where other users of the network may be able to intercept traffic. Employees should be encouraged to connect only through secure wifi at home or in the office, or through a firm-provided VPN when they must use a public network, and, if travelling, to use a privacy screen on their device so that client information cannot be read over their shoulder.

Compliance: an ongoing obligation

Neil Ford from IT Governance explains the compliance challenges: ‘With three months until the GDPR comes into effect, firms that haven't started their compliance project face a number of challenges. Some of the most important areas to address are data protection governance, risk management and information security management’ (see IT Governance’s blog 10 things you must consider for GDPR compliance).

Risk management

The Information Commissioner’s Office will want to see that a firm has considered the relevant risk or issue, can give reasons for its existence and evidence of the steps taken to address it. Oz Alashe explains: ‘While there has been lots of comment on the potential fines under the GDPR, in reality, if an organisation can demonstrate it has the technical and organisational controls in place to prevent a breach, the ICO is unlikely to impose a fine.’

Compliance should not be seen as a one-step process, but as a regular ongoing feature of a firm’s compliance framework. Having a proactive relationship with the ICO through regular communication can also pay dividends down the line, should a breach occur.

Do you need a data protection officer?

Article 37(1) of the GDPR requires a data protection officer (DPO) to be designated where an organisation’s core activities involve regular and systematic monitoring of data subjects on a large scale, or the processing of special categories of data (or data relating to criminal convictions and offences) on a large scale. Public authorities must appoint one regardless.

While some law firms may be required to appoint a DPO, even for those that don’t have to, it may still be worth making a voluntary appointment.

The Article 29 Working Party has further guidance on the appointment of a DPO. The Law Society will also be issuing guidance shortly on DPOs. The guidance will be published as a work in progress and comments will be welcomed.

Information security management

Make sure personal data is encrypted at rest (full-disk encryption on every laptop, phone and removable drive that leaves the office) and in transit. Secure all networked devices, including printers and routers, by changing their default passwords and keeping their software up to date. Review how you exchange information with clients: unencrypted email attachments are the usual weak point, so consider buying an off-the-shelf product that allows a secure, encrypted exchange of information. The Law Society Cyber Security Toolkit provides further guidance.


Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society. At the time of publishing CybSafe and IT Governance were Law Society cybersecurity partners.

Further help:

The Law Society’s dedicated cybersecurity and scam prevention page where you can sign up to the cybersecurity news digest relevant to the legal sector, information on endorsed cybersecurity providers, and relevant Law Society training, events and guidance

Solicitors Regulation Authority on cybersecurity

Look at the ICO’s ‘12 steps to take now’ checklist, as well as its other online resources and details of monetary penalty notices and assessments

Tags: cyber security

About the author

Maria Shahid has worked as an editor and journalist for nearly 20 years. She has an in-depth knowledge of the legal and property sectors and has written for and edited trade publications including the Law Society Gazette, Legal Business, Legal Week, Property News and Property in Practice. She writes for clients in the legal, property and insurance sectors. Before becoming a journalist, she qualified and practised as a solicitor in the City and West End.
