Advice and guidance on GDPR compliance

  • The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK on 25 May 2018.

    Together they bring the most significant change in data protection regulation in 20 years. The regulation is designed to align privacy laws across Europe and increase protections and data privacy rights for individual citizens.

    This page brings together guidance and support with education and learning resources from the Law Society and external agencies to help you and your firm understand the regulation.

    Law firms generally face the same issues as other organisations in seeking to comply with the GDPR and, through our ongoing discussions with firms, we are identifying and exploring specific issues of concern around compliance.

    This page will be regularly updated as we continue to consider what guidance we can provide in light of the evidence from GDPR compliance.

  • Articles

    How to prepare for the GDPR part 5: Summary and FAQs

    This is the last of a five-week series of articles on how to prepare for the GDPR.

    7 March 2018
    Advice

    How to prepare for the GDPR part 4: Cybersecurity

    This is the fourth of a five-week series of articles on how to prepare for the GDPR.

    28 February 2018
    Advice

    How to prepare for the GDPR part 3: Legal bases for processing data

    This is the third of a five-week series of articles on how to prepare for the GDPR.

    21 February 2018
    Advice

    How to prepare for GDPR part 2: The information you hold

    This is the second of a five-week series of articles on how to prepare for the GDPR.

    15 February 2018
    Advice

    How to prepare for GDPR part 1: Awareness and implications

    This is the first of a five-week series of articles with advice on how to prepare for the GDPR.

    7 February 2018
    Advice

    Article 29 Working Party new GDPR guidance notes

    The Article 29 Working Party have published five new guidelines on the General Data Protection Regulation (GDPR).

    18 December 2017
    Advice

    Getting to know the GDPR - data breaches

    The GDPR will introduce new reporting requirements and financial penalties with regard to data breaches.

    3 October 2017
    Advice
  • Podcasts

    The GDPR and employment lawyers

    Nick Denys, policy advisor at the Law Society, explores some of the challenges organisations face in remaining GDPR compliant.

    The GDPR and children’s rights

    Sarah Richardson, who supports the Law Society’s children law sub-committee, discusses how the EU GDPR affects the data protection rights of children.

    The GDPR guide for law firms

    Andrew McWhir, policy advisor at the Law Society, discusses the Law Society’s GDPR guide for law firms.

  • What is the GDPR?

    The GDPR and the Data Protection Act (DPA) 2018 came into force in the UK on 25 May 2018. The DPA replaces the DPA 1998 and supplements the GDPR by filling in sections of the regulation left to Member States to interpret and implement.

    The GDPR imposes stringent accountability and transparency obligations on data controllers, including mandatory reporting of data breaches.

    The new regulation is an evolution of the previous data protection framework, with which law firms should already be compliant.

    Lead-up to the GDPR

    The regulation introduced new elements and significant enhancements, which meant that every organisation had to start doing some things for the first time and to change their previous processes. The EU GDPR.ORG website provides a useful summary of the changes brought by the GDPR.

    The Information Commissioner's Office (ICO) produces a more detailed monthly summary of what's new. Subscribing to the ICO's newsletter is a useful way to keep informed.

    Data controller or processor?

    It's key to determine whether your firm processes personal data as a 'data controller' or 'data processor'. You should then complete the ICO's checklist for data controllers and/or processors. Law firms will generally be data controllers.

    Follow the 12 steps

    The ICO has published a 12-step guide (PDF 238kb) that we strongly recommend you use to work towards compliance.

    Given the scale of the changes, you should consider appointing an individual to act as the business lead for your GDPR project. This does not necessarily have to be someone with data protection expertise.

    While most law firms are not required to appoint a data protection officer (DPO), we recommend that firms consider the voluntary designation of someone with appropriate expertise and resources to lead on GDPR compliance.

    We also suggest firms complete the information audit to identify and document all of the personal data that your firm processes.

    Access our guidance on appointing a DPO

  • Contact us

    Please contact us if you or your firm have a specific issue you would like to raise.