We have produced this Guide specifically for law firms. While they are not Law Society rules, we thought it would be helpful to look at the Regulation and the Data Protection Act from the perspective of a legal practice.

Part of this guide includes a data audit we carried out with a high street firm to look at their data processing. Many high street firms will recognise the information gathered in the audit and can use it to evaluate their own data processes. You can find examples of a data protection policy and a privacy notice at the bottom of the page.

This is the second edition following the initial publication in 2018.

Since this Guide was first drafted, the UK has left the EU. The GDPR was retained in UK law with substantively the same provisions as before and is now referred to as the UK GDPR. When the first edition was published, the Data Protection Act 2018 had only just been finalised. This second edition therefore reflects those changes, together with developments in interpretation and guidance published since 2018. We have also taken into account the changes brought about by the pandemic and working from home, which have led to more technology being used by all organisations.

Law firms have to comply with data protection laws, just like all other organisations that process personal data.

In many instances, it is left to each firm to determine how to comply depending on the nature and volume of work undertaken. On that basis, this guide is for information only; the tables and templates are illustrative and should be amended to take account of your firm’s unique circumstances.

Responsibility for regulating data protection laws lies with the Information Commissioner’s Office (ICO), not the Law Society of Scotland.

Ten steps

Ten steps to help you to create a GDPR plan

Law firms as data controllers

Personal data you hold for your employees and clients, and what counts as personal data

Create a record of data processing

Examples of audit and data processing records

Lawful, fair and transparent processing

From collecting data via your website to direct marketing

Client confidentiality

Exemptions when dealing with personal data

AML and data protection

AML obligations and personal data

Data retention

Retention periods and how you will erase or dispose of personal data

Sharing data

List all the organisations that you share data with on a regular basis

Data protection officers

Identify your data protection lead and whether your firm requires a Data Protection Officer


Appropriate technical and organisational measures in relation to processing personal data

Reporting personal data breaches

Notifying the Information Commissioner’s Office of a personal data breach

Requests for copies of personal data

Requests for access to personal data from clients, third parties and others

Appendix 1 - Consent

Only rely on consent if there is no other legal processing condition that you can identify

Example of a data protection policy

Word version of a sample data protection policy

Example of Privacy Notice

Word version of a sample privacy notice