GDPR: how we support our members

11 September 2018

You may be breathing a sigh of relief – the 25 May 2018 deadline has passed and you can now put GDPR on the back burner and get on with some ‘proper’ work. But, can you?

I am a solicitor in the Law Society’s Practice Advice Service. This is a helpline, staffed by solicitors, which provides free and confidential telephone advice for members.

Our team continue to receive enquiries on GDPR on issues such as:

  • Do I need to write to all existing clients to obtain consent?
  • I’m exercising a lien; do I need to respond to a Subject Access Request?
  • What should I include in the client care letter?

Where shall I start?

First, it is important to get your firm’s house in order. GDPR should then be a ‘work in progress’ to be kept under constant review. Familiarise yourself with the ICO website and bookmark it as a favourite!

Action plan

The ICO has produced useful data protection checklists which will help you prepare an action plan. They cover:

  • Controllers checklist
  • Information security
  • Records management
  • Data sharing and subject access
  • Direct marketing

It is worth completing these checklists as the answers you give generate a report outlining what you can do to comply.

The Law Society has produced a guide for law firms which includes a checklist for firms to work through based on the ICO’s 12 steps.

Keep your eye on the ball

Security of data and subject access requests are the areas where most breaches are likely to occur, giving rise to potential complaints and triggering a notification to the ICO.


GDPR requires that you have in place appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights. A key component of this is making sure that the information you hold is kept securely. This includes electronic and paper records. Consider:

  • How secure are your premises?
  • Are paper files locked away at the end of the day?
  • Do you operate a clean desk policy?
  • Do you have a homeworking policy in place?
  • How secure are the files kept at home?
  • Is there a register to record the files taken out of the office?

Subject access requests (SAR)

You should have in place a policy for dealing with requests for personal information within the new one-month time limit. You should ensure that all staff are aware of the policy and that they can recognise a SAR.

A SAR can be made verbally or in writing as long as it is clear that the individual is asking for their own personal data. It does not need to include the term ‘subject access request’. There is no longer a fee.

Staff should know who in the firm is responsible for dealing with requests for information so that the SAR can be dealt with without delay.

The data protection lead will need to search all the data the firm holds. This is why it is important that any files held (whether electronically or in paper format) are only retained for as long as necessary. The less unnecessary information the firm holds, the less time you spend searching following a SAR.

Client care information

Our Client care information practice note has been updated to reflect GDPR and includes:

  • information to be given to clients when you collect their personal data
  • information on privacy notices
  • links to the Law Society webpages on GDPR
  • links to the European data protection regulator’s guidance on meeting the transparency requirement.

How do you demonstrate accountability?

GDPR introduces the new principle of accountability. To demonstrate compliance, you will need to start documenting your data protection policies and procedures. Review and update the current ones and consider which new ones are necessary for your firm. Examples include:

  • appointing a data protection officer
  • having written policies on data protection, security, homeworking, email, IT, data breaches, retention, training, confidentiality, clear desk, disciplinary matters, use of mobile technology etc.
  • contracts with processors
  • risk assessments and documenting these


Everyone in your firm who handles client data should understand and follow the firm’s policies. You must arrange regular training to ensure they remain up to speed.

For further practical advice and information please call the Practice Advice team on 0207 320 5675. Lines are open 9:00 to 17:00 Monday to Friday.

While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.

About the author

Sonia Aman is a solicitor in our Practice Advice Service and has been advising members on practice and procedure in a number of areas of law, compliance and anti-money laundering for over 10 years.
