The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK on 25 May 2018.
Together they bring the most significant change in data protection regulation in 20 years. The regulation is designed to align privacy laws across Europe and increase protections and data privacy rights for individual citizens.
This page brings together guidance and support with education and learning resources from the Law Society and external agencies to help you and your firm understand the regulation.
Law firms generally face the same issues as other organisations in seeking to comply with the GDPR and, through our ongoing discussions with firms, we are identifying and exploring specific issues of concern around compliance.
This page will be regularly updated as we continue to consider what guidance we can provide in light of the evidence from GDPR compliance.
This guide highlights the implications of lawful transfers of EU personal data in the UK should the UK leave the EU without reaching an agreement.
Contract is one of the lawful bases for using personal data. We recommend you use contract or legitimate interests as the lawful basis, rather than consent.
LPP and client confidentiality override a data subject's right of access and right to be informed under the GDPR and data protection act.
You do not always have to appoint a data protection officer (DPO). In most cases, as a law practice, you will not have to. But you'll need to make someone responsible for data protection.
You can only use personal data if you do so "lawfully" under GDPR. One way to do this is by getting the person's consent.
Legitimate interests is one of the lawful bases for using personal data. We recommend you rely on legitimate interests or contract as the lawful basis, rather than consent.
All solicitors hold personal data. This guide helps you know what you need to do to comply with GDPR.
Find out how and when you need to report a data breach.
Anyone can ask for a copy of any personal data your practice holds on them. This is known as a subject access request (SAR).
The potential for high fines under the GDPR has attracted considerable publicity but in practice the ICO has many more enforcement tools.
Nick Denys, policy advisor at the Law Society, explores some of the challenges organisations face to remain GDPR compliant.
Sarah Richardson, who supports the Law Society’s children law sub-committee, discusses how the EU GDPR affects the data protection rights of children.
Andrew McWhir, policy advisor at the Law Society, discusses the Law Society’s GDPR guide for law firms.
Half-day conference on 26 September, where expert speakers will explore major DP challenges for solicitors, identify new technology danger spots, practical advice on mitigating risk and more topics of interest.
Learn in this one hour webinar more about data transfer, adequacy decisions, EU/US Privacy Shield
New online course, GDPR for managers featuring downloadable checklists and valuable resources from the Law Society and ICO.
Please contact us if you or your firm have a specific issue you would like to raise.
The new SRA Standards and Regulations will become effective later this year replacing the existing SRA Handbook. Attend this one-hour live webinar where our speaker will talk you through the new package, clarify the new format and more.