Updated

Guide

GDPR for solicitors

Learn how to handle personal data lawfully, securely and transparently. This guide covers the key compliance issues facing solicitors. It includes practical steps to protect your clients, your firm and yourself.

26 Sep 2025

4 minute read

All solicitors hold personal data.

If someone can be identified from the information you hold on them, it is personal data. This includes employees, clients and other people related to your work.

How you use this data is regulated by the:

What you need to do to comply with regulations depends on how much and what type of data you control.

The first step is knowing what personal data you have and what you do with it.

Data controllers and processors

As a solicitor you’ll mostly be a controller of data, not a processor.

A ‘controller’ decides the purpose for collecting personal data and how it will be processed.

A ‘processor’ processes personal data on behalf of a controller.

As a data controller you must:

process personal data lawfully and fairly in line with data protection principles
process the data in a way that protects the subject (person)
use the right systems
be accountable
cooperate with the Information Commissioner’s Office (ICO)
make sure you follow the rules when sending data abroad (cross-border data flows)

In some areas of your work, you may be acting as joint controller or data processor.

To work out whether you’re a controller, joint controller or processor, read the ICO’s data controller and processor guidance.

Working with processors

As controller you can decide to process data via a processor.

Processors are often service providers. For example, accounting software or cloud storage providers.

When working with processors, you are responsible for their compliance.

You must have a written contract with whoever processes data for you.

The ICO has set out what to include in a processor contract.

Appointing a data protection officer (DPO)

Most law practices will not usually have to appoint a DPO.

However, someone should be responsible for making sure your firm or organisation follow data protection rules.

Read our appointing a DPO guide.

Data subjects and subject access requests (SARs)

When you collect someone’s personal data, you must inform them.

You must tell them who you are and how you’ll use their information, including if it’s being shared with other organisations.

Data subjects have the right to:

see any information you hold about them and correct it if it’s wrong
request for their data to be deleted
request for their data to not be used for certain purposes

If someone asks to see the data you hold about them, it’s known as a ‘subject access request (SAR)’. You must give them a copy of their data within one month.

Read the ICO’s guide to individual rights.

Read our guide on responding to a subject access request (SAR).

Access requests and legal privilege

As a legal professional you do not have to release information if it breaches:

legal professional privilege
duty of confidentiality towards a client

GDPR and solicitor’s lien

If your client requests access to their personal data, this will override any right you have to hold a lien over their personal data.

Read our guide on responding to subject access requests (SARs).

Special category personal data

Special category data is sensitive information about a person, such as their:

race
ethnic background
political opinions
religious beliefs
trade union membership
genetics
biometrics (where used for identification)
health
sex life or orientation

Processing special category data is banned. However, there are exceptions.

To process special category data, you must:

meet one of the conditions for lawful processing, and
meet one of the conditions for special category data

This is because special category data is more sensitive and so needs more protection.

If breached, this type of data could put someone’s fundamental rights and freedoms at risk. For example, by putting them at risk of unlawful discrimination.

Read the ICO’s guidance on handling special category data.

Criminal offence data

Criminal offence data is treated in a similar way to sensitive data.

You can only use it in an official capacity or under specific conditions set out in the Data Protection Act.

Read the ICO’s guidance on handling criminal offence data.

How to comply with GDPR

The rules you need to follow when using personal data are set out in the data protection principles.

You must make sure personal data is:

processed fairly, transparently and lawfully
processed for specified, explicit purposes
processed in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

GDPR introduced a new ‘accountability’ principle. This means you are responsible for what you do with personal data and how you comply with the data protection principles.

What else you need to do will depend on how much and what type of data your practice controls.

Register with the ICO

You must pay the ICO a data protection fee.

This notifies them that your organisation is using personal data.

You can be fined if you do not pay the registration fee.

Create a breach response plan

You can set out how you’d respond to a data breach in advance and rehearse it.

You’ll only have 72 hours to report a breach to the ICO.

If you work out a response plan, you’ll be prepared. Your plan will help make sure everyone who’d be involved knows what to do.

Consider the lawful basis

There are six lawful bases for processing data.

Read our guidance on the following lawful bases:

We recommend you use contract or legitimate interests as the lawful basis, rather than consent. This is because someone can withdraw their consent at any time.

The Data (Uses and Access) Act has created a new list of ‘recognised legitimate interests’ as a lawful basis for processing data.

Learn more about the changes to legitimate interest data processing.

Show you’re complying

‘Accountability’ is one of the data protection principles. It means you:

are responsible for complying with GDPR
need to demonstrate your compliance

The person responsible for data protection needs to be able to show what your organisation is doing to comply.

This means that they’ll need to keep a record of:

data processing – what data is being processed, why it’s being processed, where it’s shared and how long it’s kept
any data breaches
subject access requests (SARs)
consent given