All law firms should know what personal data they are processing and why, and be able to identify what is happening to it. This includes who it is being shared with, including the location of any cloud server storing your data.

All firms need to decide how long they will retain personal data and what security measures they have in place when it is being stored or when it is being sent out of the organisation, depending on the risks inherent in the processing of that data. For example, more care should be taken over special category data and financial data, which can cause individuals harm or distress knowing it is not secure.

Solicitors are generally very aware of client confidentiality, but data protection laws require the processes to be documented a lot more than before the GDPR came into force. Working out what personal data you are processing is essential to even begin to do this effectively.

The ICO has resources about documentation including templates which can be found here: Go to ICO, accountability, governance and documentation.


Record of processing

All data controllers must maintain a record of processing activities under their responsibility. Most law firms will be required to do this, although the UK GDPR limits this obligation for smaller firms.

Organisations with 250 employees or more must record the information set out below about all the personal data processing activities they carry out.

If you have fewer than 250 employees, you are only required to record this information about certain processing activities as listed here:

  • Processing you carry out which is likely to result in a risk to the rights and freedoms of data subjects, or
  • Processing which is not occasional, or
  • Processing which includes special categories of data

For law firms, processing the personal data of clients is likely to involve risks, and it is not occasional. Similarly, processing the personal data of employees is not occasional.

You must record the following information:

  • Name and contact details of your organisation (and, where applicable, your data protection officer)
  • Purposes of the processing
  • The lawful basis for the processing
  • Any legitimate interests relied on for processing personal data
  • Description of the categories of data subjects whose data you are processing
  • Categories of personal data being processed if not obtained from the person it relates to and where it was obtained from
  • Recipients or categories of recipients to whom personal data will be disclosed
  • Information about transfers to third countries and international organisations with information about the safeguards in place
  • Time limits for erasure of personal data or information about how that will be determined
  • Information about the consequences of failing to provide personal data in certain circumstances
  • A description of applicable data subject rights
  • Information and contact details about how to make a complaint in including to the Information Commissioner

Even if you don’t have 250 employees or feel your processing is occasional, it is important to work out what personal data you are processing so that you can comply with the other data protection obligations. As already pointed out, much of the processing will require to be recorded anyway and so we recommend that a record of all your data processing is maintained and updated to ensure that your risk is kept to a minimum and to ensure that the accountability is met and awareness is built into your organisation’s processes and procedures.

You may be required to make these records available to the Information Commissioner in relation to an investigation but this is not a document that requires to be published.

Our case study firm carried out an audit of their data processing. They used the information to begin to populate their record of data processing:

Data protection principles and your data protection policy

All personal data must be processed in compliance with the data protection principles, which are set out below. They lead to particular obligations under data protection law but must be considered when dealing with any personal data to inform decision making.

Lawfulness, fairness and transparency Processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

There is an additional principle which was introduced under the GDPR – accountability. That means organisations must not only comply with the GDPR but must also demonstrate that they comply. Ensure that you have documented policies and processes in place to demonstrate compliance.