GDPR for solicitors
All solicitors hold personal data – their employees’, their clients’ and other people relating to their clients and their work. If someone can be identified from the information you hold on them, it is personal data.
Knowing what personal data you have and what you do with it is a first step in complying.
Controller or processor of data
As a solicitor you’ll mostly be a controller of data, not a processor. As a data controller you must:
- process personal data lawfully and fairly in line with data protection principles
- process the data in a way that protects the subject (person)
- use the right systems
- be accountable
- cooperate with the ICO
- make sure you follow the rules when sending data abroad (cross-border data flows)
In some areas of your work you may be acting as joint controller or data processor. You can read the ICO guidance to decide whether you’re a controller, joint controller or processor.
Working with processors
You're responsible for your processors’ compliance.
You must also have a written contract with whoever processes data for you. The ICO has set out what should be included in the contract.
Appointing a DPO
You will not usually have to appoint a data protection officer (DPO) but you’ll need to make someone in your practice responsible for making sure data protection rules are followed.
Read more about appointing a DPO, including when you must appoint one.
The rights of data subjects
When you collect someone’s personal data, you must tell them, for example, who you are and how you’ll use their information, including if it’s being shared with other organisations.
Data subjects also have the right to:
- see any information you hold about them and correct it if it’s wrong
- request their data is deleted
- request their data is not used for certain purposes
If someone asks to see the data you hold on them it’s known as a subject access request (SAR). You must give them a copy of the data within one month.
The ICO covers what rights data subjects have in more detail.
Register with the ICO
You must pay a data protection fee to the ICO to notify them that you’re using personal data.
You can be fined if you do not pay the registration fee.
How personal data should be used
The data protection principles set out the rules you need to follow when using personal data. You must make sure the information is:
- processed fairly, lawfully and transparently
- processed for specified, explicit purposes
- processed in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
GDPR introduced a new ‘accountability’ principle. It means you are responsible for what you do with personal data and how you comply with the data protection principles.
What else you need to do will depend on how much and what type of data your practice controls.
Special category personal data
Processing special category data is banned. However, there are exceptions.
To process special category data you must:
- meet one of the conditions for lawful processing, and
- meet one of the conditions for special category data
This is because special category data is more sensitive, and so needs more protection.
This type of data, if breached, could put someone’s fundamental rights and freedoms at risk, for example by putting them at risk of unlawful discrimination.
Special category (sensitive) data is information such as:
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- biometrics (where used for identification)
- sex life or orientation
Criminal offence data
This is treated in a similar way to sensitive data, but you can only use it in an official capacity or under specific conditions set out in the Data Protection Act.
Show you’re complying
’Accountability’ is one of the data protection principles. It means you:
- are responsible for complying with GDPR
- need to demonstrate your compliance
The person responsible for data protection in your practice needs to be able to show what’s being done to comply.
This means that they’ll need to keep a record, for example of:
- data processing – what data is being processed, why it is, where it’s shared and how long it’s kept
- any data breaches
- subject access requests (SARs)
- consent given
Have a breach response plan
You can set out how you’d respond to a data breach in advance and rehearse it.
You’ll only have 72 hours to report a breach. If you work out a response plan, where everyone who’d be involved knows what to do, you’ll be prepared.
Access requests and legal privilege
As a legal professional you do not have to release information if it breaches:
- legal professional privilege
- duty of confidentiality towards a client
GDPR and solicitor’s lien
If your client requests access to their personal data, this will override any right you have to hold a lien over their personal data.