You are here:
  1. Home
  2. Support services
  3. Practice management
  4. Advice and guidance on GDPR compliance
  5. Preparing for the GDPR: Answering your questions part 2

Preparing for the GDPR: Answering your questions part 2

22 March 2018

Thank you to those who have sent in questions and provided feedback on our 'Preparing for the GDPR' series. You can find all previous episodes on our specialist guidance pages.

You can send us your thoughts and questions on any GDPR topic by emailing

While we are not able to respond to queries individually, we do hope to address the main issues you raise over the coming weeks.

Below are answers to some of the questions we have received so far.

Does my firm need to appoint a Data Protection Officer?

The Law Society has published guidance for law firms on appointing data protection officers (DPOs) and the Information Commissioner’s Office has also recently expanded its guidance pages on DPOs. These will help guide you in answering this question.

Our guidance argues that most law firms will not be required to appoint a data protection officer (DPO) and that most are unlikely to make a voluntary appointment. The feedback we have received suggests most firms are in agreement.

It is good practice for all firms to:

  • evaluate their processing of personal data against the criteria for the mandatory appointment of a DPO
  • document their decision
  • continuously review this decision, especially before any substantial change in processing activity or when carrying out a data protection impact assessment.

Firms should consider voluntary designation of a DPO.  

Over time norms are likely to be established in different professional and industrial sectors, including the legal profession, about when DPOs should be appointed or voluntarily designated. We will provide updated guidance on these issues when necessary.

What investigative powers will the Information Commissioner have?

The potential for massive fines under the GDPR has been widely reported. It was also the subject of the ICO’s first myth-busting blog in which she pointed out that fines would be a last resort but that warnings, reprimands and corrective orders are also available and could result in significant reputational damage.

In addition to sanctions the ICO will have significant investigatory powers. These include ordering controllers or processors to provide it with any information it requires for the performance of its tasks, carrying out data protection audits, to obtain access to all personal data held by controllers and processors and to obtain access to any premises of the controller or processor along with any data processing equipment. As we have mentioned in previous weeks, it will be important to document your decision-making, which will provide important evidence in any instance of an ICO investigation.

Do I need to enhance my cybersecurity preparedness?

This is an issue that is front and centre in the news currently following accusations against Cambridge Analytica and Facebook.

You will have to notify the ICO of any personal data breaches when there is likely to be a risk to people’s rights and freedoms. The name and contact details of your DPO (if any) is part of the information you must provide in your notification.

Personal data breaches are likely to be one of the major catalysts for many investigations by the Information Commissioner. 

Personal data breaches can include:

  • access by an unauthorised third party
  • deliberate or accidental action (or inaction) by a controller or processor
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission
  • loss of availability of personal data.

The government’s Cyber Aware programme provides cyber security advice for small businesses and individuals. We highly recommend you familiarise yourself with these resources.

Your feedback: controllers and processors

Understanding when you are acting as a data controller, establishing respective responsibilities where you act as a joint controller, and ensuring that you comply with your obligations in relation to your data processors are all fundamental elements of GDPR compliance.

The definitions under the GDPR remain substantially the same as under the current regime. View the ICO’s guidance.

Please let us know what issues, if any, you are facing in relation to controllers and processors.

Email to share your thoughts.

Further information

Our GDPR pages provide useful information on various elements of GDPR as well as external links which may be of use.

The ICO provides a guide on preparing for GDPR which should be your first stop as you work towards compliance. They have also developed two checklists for data controllers and data processors which may be of use.

We have provided guidance for law firms on when it may be necessary to appoint a data protection officer.

We encourage you to share useful information with your colleagues. Everyone in your firm will have some responsibility for GDPR compliance.

Upcoming GDPR conference

Our GDPR conference, 'Get Data Protection Ready: Down to the wire', will be held at the Law Society on 17 April. You won’t want to miss the chance to hear from experts including representatives from the ICO, the National Cyber Security Centre and other law firms.

Book your place now


SRA handbook being replaced
SRA Standards and Regulations - Introduction to new package

The new SRA Standards and Regulations will become effective later this year replacing the existing SRA Handbook. Attend this one-hour live webinar where our speaker will talk you through the new package, clarify the new format and more.

SRA Standards and Regulations - Introduction to new package > More