The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK on 25 May 2018.
Together they bring the most significant change in data protection regulation in 20 years. The regulation is designed to align privacy laws across Europe and increase protections and data privacy rights for individual citizens.
This page brings together guidance and support with education and learning resources from the Law Society and external agencies to help you and your firm understand the regulation.
Law firms generally face the same issues as other organisations in seeking to comply with the GDPR and, through our ongoing discussions with firms, we are identifying and exploring specific issues of concern around compliance.
This page will be regularly updated as we continue to consider what guidance we can provide in light of the evidence from GDPR compliance.
We have produced a guide 'Preparing for the GDPR: A guide for law firms' to support firms to work towards compliance.
In the final run-up to GDPR - there are now fewer than 35 working days until it comes into force - two significant events have taken place. They both offer insights into some of the questions law firms are grappling with.
We answer some of the questions raised from our series of articles on preparing for the GDPR.
Frequently asked questions about the GDPR.
Guidance for law firms on the appointment of a Data Protection Officer.
Continuation of the GDPR advice series, with answers to some of the questions raised about the ICO's 12 Steps to Take Now.
This is the last of a five-week series of articles on how to prepare for the GDPR.
This is the fourth of a five-week series of articles on how to prepare for the GDPR.
Nick Denys, policy advisor at the Law Society, explores some of the challenges organisations face to remain GDPR compliant.
Sarah Richardson, who supports the Law Society’s children law sub-committee, discusses how the EU GDPR affects the data protection rights of children.
Andrew McWhir, policy advisor at the Law Society, discusses the Law Society’s GDPR guide for law firms.
Stephen McCartney looks at the changes that GDPR will bring, and explains the Royal Mail’s approach.
Non-cyber risks can still cause data breaches. Understand these threats to minimise the risk to your firm.
Technology policy advisor, Tim Hill, and data protection solicitor, Anita Bapat, consider aspects of the GDPR for small firms.
The GDPR and the Data Protection Act (DPA) 2018 came into force in the UK on 25 May 2018. The DPA replaces the DPA 1998 and supplements the GDPR by filling in sections of the regulation left to Member States to interpret and implement.
The GDPR imposes stringent accountability and transparency obligations on data controllers, including mandatory reporting of personal data breaches. A breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of the firm becoming aware of it; where the risk to individuals is high, the affected individuals must also be informed.
The new regulation is an evolution of the previous data protection framework, with which law firms should already be compliant.
The regulation introduced new elements and significantly strengthened existing ones, so every organisation had to do some things for the first time and change some of its existing processes. The EU GDPR.ORG website provides a useful summary of the changes brought by the GDPR.
The Information Commissioner's Office (ICO) produces a more detailed monthly summary of what's new. Subscribing to the ICO's newsletter is a useful way to keep informed.
It's key to determine whether your firm processes personal data as a 'data controller' or 'data processor'. You should then complete the ICO's checklist for data controllers and/or processors. Law firms will generally be data controllers.
The ICO has published a 12-step guide (PDF 238kb) that we strongly recommend you use to work towards compliance.
Given the scale of the changes, you should consider appointing an individual to act as the business lead for your GDPR project. This does not necessarily have to be someone with data protection expertise.
Appointing a data protection officer (DPO) is mandatory only where an organisation is a public authority or its core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data. While most law firms will therefore not be required to appoint a DPO, we recommend that firms consider voluntarily designating someone with appropriate expertise and resources to lead on GDPR compliance.
We also suggest that firms complete an information audit to identify and document all of the personal data the firm processes.
Access our guidance on appointing a DPO
Please contact us if you or your firm have a specific issue you would like to raise.