Law firms are data controllers in relation to the personal data they hold for their employees and clients. This guide will deal mainly with the relationship that law firms have with their clients, who are data subjects.
The data controller can be an individual (for example, a sole practitioner or an advocate).
All data controllers are currently required to register with the Information Commissioner’s Office (ICO) and from 25 May 2018, all data controllers are required to pay an annual data protection fee. This won’t be due until your current notification runs out. The level of fee will depend on which tier your organisation fits into:
- Tier 1 – micro organisations – identified as having a maximum turnover of £632,000 for the financial year or no more than ten members of staff. The fee is £40.
- Tier 2 – small and medium organisations – identified as having a maximum turnover of £36 million for the financial year or no more than 250 members of staff. The fee is £60.
- Tier 3 – large organisations – if your organisation does not fall into the above categories then the fee is £2,900.
Failing to pay the fee/the correct level could result in the ICO taking enforcement action, including imposing an administrative fine of up to £4,350.
Data Controller (Art 4(7))
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data.
Data Subject (Art 4(1))
An identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Processor (Art 4(8))
A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Employees of a law firm process data on behalf of the data controller but are not, as an individual, a data controller or a data processor.
Processing data covers the gathering, storing, accessing, sharing and deleting of personal data. It is a very broad term.
Processing (Art 4(2))
Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
Not sure if your firm is already registered with the ICO?
What counts as personal data?
Personal data is information stored digitally or in a paper file from which an individual can be identified or is identifiable. It includes information that can be identified as relating to an individual which is used to inform a decision that you might take about an individual. It includes:
- Name
- Contact details
- Photographic images
- CCTV footage
- Passport number and copies of passport
- Bank account details
- Meeting notes
Personal data (Art 4(1))
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Information about clients which are corporate entities is not regulated by the GDPR, although information about their employees is.
Special category data
There is a sub-category of personal data called special category data (previously known as sensitive personal data) which includes the following:
- Data revealing racial or ethnic origin
- Data revealing political opinions
- Data revealing religious or philosophical beliefs
- Data revealing trade union membership
- The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
- Data concerning health, including physical or mental health of an individual and the provision of health services
- Data concerning a natural person's sex life or sexual orientation
Criminal conviction and offence data is dealt with separately under the GDPR. This includes the alleged commission of offences or proceedings for an offence which includes disposal and sentence. The provisions and restrictions are essentially the same but will be found in the new Data Protection Act. In this guide when special category data is referred to, it will include criminal conviction and offence data.
GDPR guide for law firms
Our guide looks at the regulation and the Data Protection Act from the perspective of a legal practice.
- Law firms as data controllers
- Create a record of data processing
- Client confidentiality, legal privilege and limited exemptions
- Data retention
- Sharing data with third parties
- Data protection officers
- Security
- Reporting personal data breaches
- Requests for client personal data
- Appendix 1 - Consent
- Appendix 2 - Example of a data protection policy
- Appendix 3 - Background to the GDPR changes
