UK GDPR (the UK General Data Protection Regulation, retained in domestic law by the Data Protection Act 2018) applies to law firms as data controllers. Because solicitors process highly sensitive personal data — including information subject to legal professional privilege, health data in personal injury matters, financial data in divorce proceedings, and criminal history in criminal defence work — law firms face one of the highest data protection risk profiles of any professional services sector.
UK GDPR applies to ALL UK law firms regardless of size. A sole practitioner processing client data has the same core obligations as a 500-lawyer firm. There is no small business exemption. Every regulated law firm must understand its obligations under the UK GDPR and the Data Protection Act 2018.
This guide sets out the practical UK GDPR obligations most relevant to law firms in 2026 — including the types of data you hold, lawful bases for processing, client subject access requests, and the often-overlooked impact of your practice management software on your compliance posture.
Understanding what data you process — and at what risk level — is the foundation of any GDPR compliance programme. Law firms regularly process data across a wide spectrum of sensitivity:
| Data Category | Examples | Likely Lawful Basis | Risk Level |
|---|---|---|---|
| Basic contact data | Name, address, email, phone | Contract; legitimate interests | Low |
| Financial data | Bank details, asset valuations, transaction history | Contract; legal obligation | Medium |
| Health data | Medical records in PI / clinical negligence matters | Substantial public interest; legal claims (Art. 9(2)(f)) | High — Special Category |
| Criminal history | Previous convictions, police records in criminal matters | Substantial public interest (DPA 2018, Sch. 1) | High — Special Category |
| Family / relationship data | Details of children, domestic arrangements, divorce particulars | Contract; legal claims | High |
| Immigration status | Visa history, nationality, right to work | Contract; legal obligation | High — Special Category |
| Staff personal data | Payroll, HR records, performance reviews | Contract; legal obligation; legitimate interests | Medium |
| Opposing party data | Details of adverse parties, witnesses, experts | Legitimate interests; legal claims | Medium |
Every law firm should maintain a Record of Processing Activities (ROPA) — a documented inventory of what data you process, why, on what legal basis, and for how long. The ICO can request to see this at any time. It does not need to be elaborate, but it must be accurate and kept up to date.
Clients must be informed — at or before the point of engagement — about how their data will be used. Your client care letter or engagement letter should include, or link to, a privacy notice that covers the categories of data you process, your lawful bases, any third-party sharing, data retention periods, and the individual's rights.
The SRA recommends retaining matter files for at least six years after the matter closes (longer for wills, conveyancing deeds, and certain trust matters). UK GDPR's storage limitation principle requires you to delete personal data when it is no longer needed — which creates a tension with professional indemnity requirements. The solution is a documented retention schedule that balances both obligations.
UK GDPR requires "appropriate technical and organisational measures" to protect personal data. For law firms this means, at minimum: password policies, access controls, encrypted email for sensitive communications, and a documented response process for data breaches. A breach involving client data must be reported to the ICO within 72 hours of the firm becoming aware of it, if it is likely to result in a risk to individuals.
Subject Access Requests (SARs) are one of the most common UK GDPR challenges for law firms. Any individual — client, staff member, opposing party, or even a witness — can request all personal data the firm holds about them. Mishandling a SAR is a significant ICO enforcement risk.
You must respond within one calendar month of receiving the request. For complex or multiple requests, you may extend by a further two months — but you must tell the requester within the first month that you are extending, and explain why.
Documents and communications covered by legal professional privilege (LPP) are exempt from disclosure under a SAR (Data Protection Act 2018, Schedule 2, paragraph 19). This is a critical protection for law firms — you are not required to hand over privileged advice notes, counsel's advice, or litigation strategy documents in response to a SAR from an opposing party or even the client themselves if disclosure would harm the firm's legal position.
Practical note: the LPP exemption applies only to the privileged content. Basic contact details, appointment dates, and non-privileged correspondence generally remain disclosable even if they appear in the same file as privileged documents.
Your choice of practice management software has direct consequences for UK GDPR compliance — specifically around data residency, third-party access, and breach notification.
Cloud-based practice management systems store client data on servers operated by the software vendor — typically in data centres in the US, EU, or elsewhere outside the UK. Post-Brexit, transfers of personal data to countries without UK adequacy decisions require additional safeguards (International Data Transfer Agreements, or equivalent standard contractual clauses). Most cloud vendors have these in place, but many law firms are unaware that their data is subject to the legal jurisdiction of the hosting country.
On-premises practice management software keeps all client data on servers within the law firm's own premises. This eliminates the international data transfer question entirely. It also means the firm retains complete control over access logs, breach detection, and data deletion — making it considerably easier to demonstrate compliance to the ICO if questions arise.
Susan is designed as a 100% on-premises system. No client data leaves your network. There are no third-party data processors to manage, no SaaS vendor privacy policies to review, and no cloud jurisdiction issues. Your GDPR obligations are straightforward because you own the data end to end.
Any cloud software vendor that processes personal data on your behalf must sign a Data Processing Agreement (DPA). This is a mandatory UK GDPR requirement under Article 28. Most established vendors provide standard DPAs — but you should check they cover UK GDPR specifically (not just EU GDPR), include the ICO's standard contractual clauses for international transfers where applicable, and give you the right to audit.
Registration with the ICO is required for almost every firm. The vast majority of UK law firms must pay the ICO's data protection fee and register as a data controller. The fee is tiered by organisation size; most small firms pay £40–60 per year. Sole practitioners processing data only for core legal services may qualify for an exemption, but this is narrow and should not be assumed. Check the ICO's self-assessment tool at ico.org.uk.
Client data can be shared with third parties, but only with a lawful basis and, where applicable, appropriate contractual safeguards. Common legitimate disclosures include sharing with counsel, courts, and expert witnesses as part of the legal service. Sharing for marketing or analytics purposes requires explicit consent. Any third party that processes data on behalf of the firm (including cloud software vendors) must be covered by a data processing agreement.
Under UK GDPR, a Subject Access Request must be responded to within one calendar month of receipt. Where requests are complex or numerous, the deadline can be extended by a further two months — but the requester must be informed within the first month that an extension is being applied. Failure to respond on time can result in ICO enforcement action.
Legal professional privilege (LPP) provides a recognised exemption under UK GDPR (Schedule 2, paragraph 19 of the Data Protection Act 2018). This means a law firm can withhold documents covered by LPP from a Subject Access Request. However, the exemption applies to the privileged content itself — the existence of a matter, contact details, and non-privileged correspondence are generally still disclosable.
Susan's on-premises architecture eliminates cloud data residency risk. All client data stays on your servers — no SaaS vendors, no international transfers, no third-party data processors to manage.