GDPR for Solicitors: How Law Firms Handle Client Data Under UK GDPR
Law firms hold some of the most sensitive personal data in existence. Client files contain financial records, medical histories in personal injury and clinical negligence cases, custody arrangements, criminal histories, immigration status, and detailed accounts of personal crises. A conveyancing file alone can include bank statements, mortgage agreements, and identity documents for an entire family. An employment dispute file may contain HR records, medical reports, and private communications.
This is why solicitors and law firm managers need to treat UK GDPR not as an administrative nuisance but as a core professional obligation — one that sits alongside SRA duties, legal professional privilege, and the Solicitors' Code of Conduct.
This guide covers the key GDPR obligations for law firms in UK private practice: lawful basis, the privilege intersection, practice management software, DSARs, marketing, SRA compliance, ICO registration, and a practical checklist.
Why Law Firms Are High-Risk Data Controllers
The ICO classifies organisations by the sensitivity and volume of personal data they process. Law firms score high on both counts.
Categories of data law firms typically process:
- Client identity data (names, addresses, dates of birth, national insurance numbers)
- Financial data (bank accounts, mortgage details, company ownership structures)
- Health data — a special category under UK GDPR — in personal injury, clinical negligence, mental health tribunals, and capacity cases
- Criminal conviction and offence data — another special category — in criminal defence and some employment matters
- Family data including children's information in matrimonial, care proceedings, and adoption cases
- Immigration status in asylum and deportation cases
- HR and payroll data for staff and trainees
Processing special category data and criminal offence data requires an additional lawful basis beyond the standard Article 6 bases. Failure to identify and document this is one of the most common compliance gaps in legal practice.
Lawful Basis for Processing Client Data
For most client work, law firms have two main lawful bases available:
Article 6(1)(b) — Contract performance. When a client instructs you, you enter a contract for legal services. Processing data to carry out that instruction — drafting documents, conducting searches, corresponding with third parties — is necessary for the performance of that contract. This is the primary basis for active client file work.
Article 6(1)(c) — Legal obligation. Solicitors have statutory and regulatory obligations that require data processing. Money laundering regulations require identity verification and ongoing monitoring. Court rules require disclosure of documents. The Legal Aid Agency requires detailed financial information. These processing activities are covered by legal obligation.
Article 6(1)(f) — Legitimate interest. This may apply in limited circumstances: conflict checking, business development records, maintaining alumni relationships. It requires a documented legitimate interest assessment (LIA) and must not override client rights.
For special category data (health, criminal, racial origin, religious belief), you need an additional basis under Article 9. For law firms, the most relevant are:
- Article 9(2)(f): Processing necessary for the establishment, exercise, or defence of legal claims. This is the workhorse basis for litigation, personal injury, criminal defence, and most contentious work.
- Article 9(2)(g): Substantial public interest, with a basis in domestic law. Schedule 1 of the Data Protection Act 2018 sets out qualifying conditions — including legal proceedings, legal advice, judicial acts, and the administration of justice.
- Article 9(2)(a): Explicit consent — rarely appropriate as a primary basis in professional services because consent must be freely withdrawable, which creates problems in ongoing retainers.
You must document your lawful basis and special category condition in your Records of Processing Activities (ROPA). "We need it for the case" is not sufficient documentation.
Legal Professional Privilege and GDPR
Solicitor-client privilege is one of the most important protections in the English legal system. It protects confidential communications between solicitor and client made for the purpose of giving or receiving legal advice, and communications made in connection with actual or contemplated litigation.
GDPR does not override privilege. This is confirmed in the UK GDPR framework and the DPA 2018. Article 15(4) UK GDPR explicitly acknowledges that the right of access shall not adversely affect the rights and freedoms of others — including the right of legal professional privilege.
But the interaction is more nuanced than a blanket exemption.
What privilege does not protect:
- The fact that a relationship exists between solicitor and client
- The identity of the client
- Administrative data (billing address, phone number, dates of instructions)
- Data the client has already disclosed publicly
What privilege may protect:
- The contents of advice given under a retainer
- Documents that would reveal the substance of privileged communications
- Work product created in anticipation of or during litigation
When a data subject makes a Subject Access Request (SAR), you are entitled to withhold documents covered by legal professional privilege. But you cannot withhold the existence of processing or the identity of the data subject. The exemption applies document by document, not as a blanket refusal to respond.
Data Subject Access Requests: The Law Firm Challenge
DSARs are one of the most resource-intensive GDPR obligations for law firms. A former client, an opposing party (if they are also your data subject), a former employee, or a third party whose data appears in your files can all submit SARs.
Key obligations:
- You have one calendar month to respond (extendable by two further months for complex or numerous requests, with notice given within the first month)
- You must provide a copy of personal data you hold about the requester
- You must provide supplementary information: purposes, lawful basis, retention periods, recipients, rights
Common law firm complications:
- Third-party data. Client files often contain data about multiple individuals. You must redact or withhold data about third parties where disclosing it would unfairly reveal their personal information. This redaction exercise can be substantial on large files.
- Privilege. As above — apply the exemption document by document, with a record of the reasoning.
- Confidentiality obligations. Data about third-party clients is confidential. You cannot disclose one client's data to another in response to a SAR.
- Disproportionate effort. For large historical archives, consider whether Section 45 DPA 2018 (manifestly unfounded or excessive requests) applies — but use this exemption cautiously; the ICO takes a narrow view.
A searchable, well-organised document management system is not merely a productivity tool — it is a GDPR compliance necessity for firms that want to respond to DSARs without writing off a week of fee-earner time.
Practice Management Software as Data Processors
When a law firm uses cloud-based practice management software, that software provider is a data processor. UK GDPR Article 28 requires a written Data Processing Agreement (DPA) to be in place before processing begins.
Common platforms used by UK solicitors:
- Clio — widely used by smaller and mid-size firms. Clio's DPA is available in their trust centre. Ensure you are using the UK GDPR-specific version.
- LEAP — popular in residential conveyancing and family law. LEAP processes client data on its platform; confirm sub-processor lists.
- Osprey Approach — UK-focused legal practice management software. Its DPA should cover data residency (UK/EEA servers) given the post-Brexit context.
- Actionstep — used by mid-size firms. Review where data is hosted; Actionstep has US origins and international infrastructure.
What your DPA with these providers must cover:
- Processing only on documented instructions
- Confidentiality obligations on their staff
- Appropriate security measures
- Sub-processor restrictions (they cannot engage further sub-processors without your consent)
- Assistance with DSARs and security obligations
- Deletion or return of data at end of contract
- Audit rights
If your practice management software does not offer a DPA, that is a serious compliance gap. Most established providers now offer them as standard — if yours does not, escalate to their legal or compliance team.
Document storage and case management tools such as SharePoint, Dropbox, NetDocuments, and iManage are similarly processors. Each requires a DPA. Check transfer mechanisms for any US-headquartered provider.
Legal Aid Agency Data Sharing
Firms holding Legal Aid contracts with the Legal Aid Agency (LAA) process personal data under the Legal Aid, Sentencing and Punishment of Offenders Act 2012 and associated regulations. This creates specific data-sharing obligations.
LAA as a controller in its own right: The LAA is an executive agency of the Ministry of Justice and processes client financial and eligibility data for its own purposes (administering the legal aid scheme). Your firm and the LAA are separate controllers for overlapping data.
Article 6(1)(c) — legal obligation covers most LAA data sharing: you are required by contract and statute to submit financial eligibility information, case outcomes, and costs.
Data shared with the LAA may include:
- Client names, addresses, national insurance numbers
- Financial circumstances (income, capital, benefits)
- Matter outcomes and billing information
- Solicitor contract compliance data
Ensure your privacy notice discloses LAA data sharing. Clients have a right to know their data is being shared with a government body, even if you cannot refuse to share it.
Court Filing, Disclosure, and Third-Party Recipients
Litigation involves extensive personal data sharing with parties who are not your client. UK GDPR Articles 13 and 14 require you to inform data subjects about the recipients of their personal data.
Recipients law firms share data with:
- Courts and tribunals (HM Courts & Tribunals Service)
- Opposing counsel and parties
- Expert witnesses (medical experts, forensic accountants, surveyors)
- Mediators and arbitrators
- The Legal Ombudsman in complaints
- Regulators (SRA, FCA, HMRC) where required
- Insurers and ATE funders
- Process servers and enquiry agents
Court proceedings data carries specific protections — court orders restricting reporting, anonymisation orders, and PII in published judgments. Ensure your data sharing in litigation is governed by your engagement letter, privacy notice, and where appropriate, the court's directions.
Disclosure obligations under CPR Part 31 or equivalent may require you to share documents containing third-party personal data. This is covered by Article 6(1)(c) (legal obligation) and Article 9(2)(f) (legal claims).
Marketing to Prospective Clients
Marketing is where law firms most commonly get GDPR wrong. The rules differ depending on how you are communicating and with whom.
Electronic marketing (email, SMS): Governed by both UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR). For direct marketing by email to individuals (including sole traders), you need either:
- Prior consent — explicit, freely given, specific, and informed opt-in; or
- The soft opt-in — you obtained the contact's details in the course of a sale or negotiations for a sale of a similar service, and you gave them an easy opt-out at the time and in every subsequent communication.
For B2B email marketing to corporate entities (limited companies, LLPs with separate email addresses), PECR's strict consent rules do not apply, but you still need a UK GDPR lawful basis — usually legitimate interest with a documented LIA.
What law firms often get wrong:
- Importing conference attendee lists or referral partner contacts into email marketing systems without checking consent
- Sending newsletters to former clients without a legal basis
- Using "legitimate interest" without a documented assessment
- Failing to honour unsubscribes promptly (PECR requires you to cease marketing promptly on opt-out)
Content marketing and thought leadership: Publishing blog posts, LinkedIn updates, or press releases is not marketing communications subject to PECR. However, any follow-up direct approach to individuals who engage with your content requires a lawful basis.
Referral and word of mouth: Asking satisfied clients for referrals and maintaining referral partner relationships (accountants, IFAs, estate agents) involves processing contact data. Document the basis — usually legitimate interest — and disclose it in your privacy notice.
SRA Compliance Alongside UK GDPR
The Solicitors Regulation Authority (SRA) has its own data protection requirements that overlap with but do not replace UK GDPR obligations.
SRA Code of Conduct for Solicitors (2019): Paragraph 6.3 requires solicitors to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents. This confidentiality obligation is broader than GDPR — it applies to all client information, not just personal data.
SRA Accounts Rules: Client account transactions involve processing financial personal data. The segregation of client and office funds, transaction records, and reconciliations are subject to both the Accounts Rules and GDPR.
SRA Transparency Rules: Firms must publish certain information about their services and costs. This includes publishing a privacy notice — the SRA's transparency requirements and the UK GDPR Articles 13 and 14 requirements effectively mandate this.
SRA inspection and audit: The SRA has powers to inspect firm records. Documents produced in response to an SRA audit may include personal data. Disclosure to the SRA is covered by legal obligation (Article 6(1)(c)).
Key point: SRA obligations and GDPR obligations coexist. Where they overlap, you must meet both. Where the SRA requires disclosure and GDPR would normally restrict it, the GDPR legal obligation basis covers the gap.
ICO Registration for Law Firms
All law firms that process personal data for purposes other than personal, family, or household matters must register with the ICO (pay the data protection fee). This is not optional.
Fee tiers (2024/25):
- Tier 1 (micro organisations): £40/year — turnover under £632,000 and fewer than 10 staff
- Tier 2 (small and medium): £60/year — up to £36m turnover or fewer than 250 staff
- Tier 3 (large): £2,900/year — larger organisations
Most small and mid-size practices fall into Tier 2. The fee is per data controller — if your firm is a partnership or LLP that is the controller, you register the firm once. Individual solicitors working as sole practitioners register individually.
Failure to register is a criminal offence under the Data Protection Act 2018. The ICO actively checks registrations and can issue fines of up to £4,350 per offence. This is a low-cost, low-effort compliance step that firms should not overlook.
Check your registration at ico.org.uk/ESDWebPages/Search.
Staff and Trainee Data
Law firms process personal data about their own people: employees, consultants, trainees, pupillage applicants (in chambers), and locums. This data is subject to UK GDPR in the same way as client data.
Categories processed:
- Pre-employment: CVs, application forms, references, DBS checks, right to work verification
- Employment: payroll, tax, NI, pension enrolment, performance reviews, sickness records
- Training: trainee solicitor seat records, SQE results, CPD logs submitted to the SRA
- Special category: health data in sickness absence management; criminal records data in DBS checks
Lawful bases for employment data:
- Contract performance (Article 6(1)(b)) for payroll, sickness pay, contractual terms
- Legal obligation (Article 6(1)(c)) for HMRC reporting, right to work checks, SRA reporting obligations
- Legitimate interest (Article 6(1)(f)) for references, performance management, business continuity
For special category employment data (health, DBS), you need an additional Schedule 1 DPA 2018 condition — typically paragraph 1 (employment, social security, and social protection) — and a documented policy.
Staff privacy notice: Every employee and trainee must receive a privacy notice at the point data is collected (usually on appointment). This is separate from the client privacy notice.
UK GDPR Compliance Checklist for Law Firms
Use this checklist to assess your firm's current position:
Governance
- [ ] Appointed a data protection lead (DPO not mandatory for most firms, but a named lead is good practice)
- [ ] ROPA completed and up to date for all processing activities
- [ ] Privacy notices for clients, staff, and website visitors published and current
- [ ] Data protection policy and supporting policies (breach response, retention, DSAR) documented
Lawful Basis
- [ ] Lawful basis identified and documented for each processing activity
- [ ] Special category and criminal offence data bases documented with DPA 2018 Schedule 1 conditions
- [ ] Legitimate interest assessments completed where LI is relied upon
Client Data
- [ ] Engagement letters/client care letters reference data processing and direct clients to privacy notice
- [ ] Retention schedule in place (client files, accounting records, CCTV if applicable)
- [ ] SAR response process documented and tested
- [ ] Privilege exemption process documented for SAR responses
Third Parties and Processors
- [ ] DPAs in place with all practice management software providers
- [ ] DPAs in place with all other processors (cloud storage, HR systems, email marketing platforms)
- [ ] Data sharing agreements or documented legal basis for LAA, courts, experts, and other recipients
- [ ] International transfer mechanisms confirmed for any non-UK/EEA providers
Marketing
- [ ] PECR consent obtained for individual email marketing
- [ ] Soft opt-in assessed and documented where relied upon
- [ ] Legitimate interest assessments for B2B marketing
- [ ] Unsubscribe mechanism operational and honoured promptly
ICO and Regulatory
- [ ] ICO registration paid and up to date
- [ ] SRA transparency requirements met (privacy notice published)
- [ ] Breach response procedure in place (72-hour ICO notification obligation)
- [ ] Staff training completed and recorded
Staff Data
- [ ] Staff privacy notices issued
- [ ] Lawful bases documented for all HR processing activities
- [ ] DBS checks and health data processing covered by Schedule 1 DPA 2018 conditions
- [ ] Traineeship and SRA reporting obligations covered
Getting Started
If your firm has not yet conducted a full GDPR audit, the most practical starting point is understanding what data you actually hold and what third-party tools are involved in processing it.
For your website specifically — which is often the most visible compliance gap — you can run a free scan at app.custodia-privacy.com/scan. It identifies the trackers, cookies, and third-party scripts running on your site, checks whether your consent mechanism is valid, and flags missing or inadequate privacy notices. Most law firms are surprised by what they find.
From there, the broader compliance programme follows: ROPA, lawful basis mapping, DPAs with software providers, and a client privacy notice that actually reflects what you do.
This post provides general information about UK GDPR obligations for law firms. It does not constitute legal advice. The law in this area is complex and evolving. Consult a qualified data protection solicitor or privacy professional for advice specific to your firm's circumstances.