GDPR Guide for law firms – Five essential measures to protect your firm

by Michael Addison in Data Protection | posted:

GDPR guide law firms

GDPR Guide for law firms


Like any legal change that so barely makes a foothold in our lives, people’s imaginations run amok and news outlets also parade the worst. So, drama over. GDPR is not Y2K.

The general data protection regulations come into force on the 25th may of 2018.  

While the Information Commissioner’s Office (ICO) has been clear on the guidelines set out by GDPR, the main point of contention is what happens with the different sectors in the UK.


More importantly, how secure is your law firm?

The law society has published a guide specifically for how law firms should be preparing for GDPR.


These are the five significant points you need to know about GDPR.


  1. Employee Awareness


GDPR is going to affect everyone.

Management need to be aware of the risk of fines and reputational damage to the business and employees need to understand customers access rights and what to do in the event of a data breach.

If your organisation hasn’t received any training on GDPR, now would be the time to start. Get the basics right before implementing a company-wide strategy.

The first step is understanding….


2. Data information you hold


You may already be aware of the current data protection act. GDPR will give people greater control over the information companies have over them. As for businesses, this will present a lot of new challenges. For instance, the legal profession has access to a wealth of personally identifiable information.

What kind of personal information does that entail?

Basic personal information (name, age, gender)

Health and clinical data

Financial details

Criminal records

Social care




The requirement for GDPR is that if you were to present this information, the process must be transparent. Document what personal data you hold, where it came from, what you use it for, what legitimate reason you have for holding it, and who you share it with.


3. Consent


If your firm relies on consent for processing information through the data protection act, then be prepared. GDPR makes obtaining consent from users much more difficult.

You may no longer:

  • Obtain consent for example, from pre-ticked boxes.
  • Rely on one consent for other purposes (client comes in for content insurance, is sent emails about pet insurance).
  • Place double negatives (click here to not join our newsletter.)


You must make it clear and concise in your wording with separate consent boxes for each marketing avenue/ reason for collecting the data.

If a client has consented in the past, then they have the right to withdraw consent at any time. You have a months window to reply and give them the acknowledgement this has been the case.

As mentioned, consent can be seen as difficult to gain.

However, that isn’t true. A users consent is freely given and specific, so the service you are providing tailors to them.


Consent is similar to trust.


Trust goes when a data breach happens.


4. Data Breaches


ICO reported the majority of data breaches between 2015/16 were from the loss or theft of paperwork. You must be aware yourself but, the legal profession often holds personal information in paper files.

You should only keep information as long as it’s necessary. Placing information into a secure console would prevent the likelihood of any paper going missing.

legal firms data breach

Prevent this with a shredding service


5. Data Security


Individuals have the right to have their personal information erased. Firstly, this does not apply if the processing  ‘is for the establishment, exercise or defence of legal claims’ under article 17.

Here are some of the conditions that would apply to the right of erasure:

  • The data is no longer necessary to hold.
  • The information is only for direct marketing.
  • You are relying on the users’ consent and they withdrew it.


So how do you dispose of the information when it’s required?

Personal data comes in many forms. We destroy paper, USB drives and anything that leads to a data breach; if it could put your company at risk, our service will get rid of it.

The service is flexible, depending on your requirements we provide a regular or one-off arrangement.


View our confidential waste services here.

Call us today on 0800 612 9288 for an instant no-obligation quote.

Legal firm data disposal


For the full article, you can follow the link here.