All law firms should know what personal data they are processing and why, and be able to identify what is happening to it. This includes who it is being shared with, including the location of the cloud server storing your data.
All firms need to decide how long they will retain personal data and what security measures they have in place when it is being stored or when it is being sent out of the organisation, depending on the risks inherent in the processing of that data. For example, more care should be taken over special category data and financial data, which can easily be used to harm or cause distress to individuals.
Solicitors are generally very aware of client confidentiality but the GDPR requires the processes to be documented, and working out what personal data you are processing is essential to even begin to do this effectively. For more information, go to the ICO website.
Record of processing
All data controllers must maintain a record of processing activities under their responsibility. Most law firms will be required to do this, although the GDPR limits this obligation for smaller firms.
Organisations with 250 employees or more must record the information set out below about all the personal data processing activities they carry out.
If you have fewer than 250 employees, you are only required to record this information about certain processing activities as listed here:
- Processing you carry out which is likely to result in a risk to the rights and freedoms of data subjects, or
- Processing which is not occasional, or
- Processing which includes special categories of data
For law firms, processing the personal data of clients is likely to involve risks, and it is not occasional. Similarly, processing the personal data of employees is not occasional.
You must record the following information:
- Name and details of your organisation (and, where applicable, of joint controllers, your representative and data protection officer)
- Purposes of the processing (and we suggest recording the legal basis too)
- Description of the categories of data subjects and categories of personal data
- Categories of recipients to whom personal data will be disclosed
- Details of transfers to third countries and international organisations, including documentation of the transfer mechanism safeguards in place
- Time limits for erasure of personal data where possible
- A general description of technical and organisational security measures where possible
Even if you don’t have 250 employees or feel your processing is occasional, it is important to work out what data you are processing so that you can comply with the other GDPR obligations. As already pointed out, much of the processing will require to be recorded anyway and so we recommend that a record of all your data processing is maintained and updated to ensure that your risk is kept to a minimum and to ensure that data protection accountability is built into the organisation’s processes and procedures.
You may be required to make these records available to the ICO but they do not require to be made public.
Our case study firm carried out an audit of their data processing. They used the information to begin to populate their record of data processing:
Data protection principles and your data protection policy
All personal data must be processed in compliance with the data protection principles, which are set out below. They lead to particular obligations under the GDPR but must be considered when dealing with any personal data to inform decision making.
| Lawfulness, fairness and transparency | Processed lawfully, fairly and in a transparent manner in relation to the data subject. |
| Purpose limitation | Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
| Data minimisation | Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| Accuracy | Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. |
| Storage limitation | Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. |
| Integrity and confidentiality | Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. |
There is an additional principle under the GDPR – accountability. That means organisations must not only comply with the GDPR but must also demonstrate that they comply. Ensure that you have documented policies and processes in place to demonstrate compliance.
In order to process personal data lawfully, you must comply with all legal obligations and you must be able to rely on one of the following bases for processing.
In order to process personal data fairly, the processing must be in line with the data subject’s expectations. In other words, only use the data for the reasons you collected it.
GDPR guide for law firms
Our guide looks at the regulation and the Data Protection Act from the perspective of a legal practice.
- Law firms as data controllers
- Create a record of data processing
- Client confidentiality, legal privilege and limited exemptions
- Data retention
- Sharing data with third parties
- Data protection officers
- Security
- Reporting personal data breaches
- Requests for client personal data
- Appendix 1 - Consent
- Appendix 2 - Example of a data protection policy
- Appendix 3 - Background to the GDPR changes
