Law firms must prepare for GDPR

16 Jun 2017News

Complying with the new GDPR provisions will also add value to your firm, says Christopher Coughlan

With less than a year until the General Data Protection Regulation (GDPR) takes effect on 25 May 2018 solicitors and other professionals should already be preparing for compliance.

This is particularly crucial for law firms, who tend to hold large quantities of personal data, including sensitive personal data. The GDPR took four years to finalise and this is a complete overhaul of data protection, so a detailed discussion of GDPR is beyond the scope of this article.

However, with potential fines of up to the greater of €20m or 4 per cent of a company’s global turnover, breach notification obligations and increased accountability, GDPR compliance will be crucial for all professionals.

The right of an individual to request copies of their personal data in permanent form, as part of a subject access request, is expanded under the GDPR to include the right of erasure (‘the right to be forgotten’), and a right of rectification, which will place obvious administrative burdens on firms.

The length of time in which firms will have to respond to subject access requests is reduced from 40 days to 30 days under the GDPR, and firms will no longer be entitled to charge the £10 fee for the subject access request.

The GDPR includes breach notification provisions which apply to both controllers and processors. Firms will be under an obligation to report a breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

When acting as a processor, a firm must report all breaches to the controller without undue delay. When acting as controller, a firm must report all breaches (subject to certain exemptions) to the Information Commissioner’s Office (ICO) without undue delay and within 72 hours of becoming aware of the breach.

Where there is a high risk to the rights and freedoms of individuals there will be an obligation to notify the individual concerned as well as the ICO.

The recent trend towards outsourcing, in conjunction with the outcome focussed regulation of the legal services industry, has resulted in the Solicitors Regulation Authority releasing guidance as to how law firms can ensure that client data is protected.

Increased fines for data controllers (and the introduction of penalties for data processors) have heightened the risk faced by law firms in relinquishing control over client data. A maximum fine of the greater of €20m or 4 per cent of a company’s global turnover for failure to comply is a significant exposure for firms.

In light of the increased liability and specific contractual requirements under the GDPR firms should review their agreements with existing suppliers to ensure that they are compliant with the standards required under the GDPR.

The volume of changes being introduced by GDPR mean that firms should have started preparing by now. As well as being a regulatory issue, it’s important to be aware that good data protection will also add value to your firm.

Christopher Coughlan is head of data protection and privacy at Ashfords

@Ashfords_Law www.ashfords.co.uk

Legal News desk contact: editorial@solicitorsjournal.com

Latest Articles

Supreme Court ruling on fraudulent trading liability

UK Supreme Court clarifies liability of third parties in MTIC fraud and limitation rules for dissolved companies.

Forty years on, surrogacy law is still playing catch-up

Despite international growth in surrogacy, UK law remains reactive, outdated and ill-equipped for today’s challenges

Law firm reports significant caseload rise

A surge in immigration-related legal advice reflects new UK policies tightening regulations affecting businesses and individuals

Tudor v Tecuci District Court: Article 8 extradition appeal analysis

High Court upholds Romanian extradition despite private life arguments

Costs Lawyers seek recognition and support

The Association of Costs Lawyers aims to elevate its members' status and engage the younger workforce

Gig economy drivers challenge their status

Former eCourier drivers have launched a legal claim to secure workers' rights against misclassification

When is an environmental case not an Aarhus claim?

Court of Appeal narrows Aarhus costs protection, requiring direct breach of environmental law, not incidental impacts.

Commonhold’s fragile foundations: risk and reality

Commonhold promises fairness and simplicity, but unresolved enforcement and financial risks threaten its stability and long-term value

How the amended English Arbitration Act puts London at the centre of global arbitration reform

The Arbitration Act 2025 introduces reforms enhancing efficiency, certainty, and London’s global leadership in international arbitration

Support needed for UK retailers now

Clarke Willmott LLP calls for intervention in the autumn statement to avert worsening conditions in retail

Court of Appeal clarifies GDPR compensation thresholds in Farley v Equiniti

Court of Appeal establishes new precedent on data breach compensation claims.

Crest Nicholson v Secretary of State: Water neutrality upheld in planning decision

High Court affirms water neutrality condition for housing development near ecologically sensitive sites.

O Argence-Lafon v Ark Syndicate Management: EAT whistleblowing judgement analysis

Employment Appeal Tribunal clarifies protected disclosure requirements in insurance sector whistleblowing case

Sky UK Limited v Ofcom: Electronic communications services classification under regulatory scrutiny

Court of Appeal clarifies electronic communications service definitions in telecommunications regulation framework.

SRA addresses issues in law firms' high-volume claims

The SRA's review reveals significant failures by law firms in their duty to clients in high-volume claims

SJ Interview: James Palmer CBE

James Palmer CBE, Partner of Herbert Smith Freehills Kramer, has long been recognised as one of the UK’s most influential corporate lawyers and policy voices. Awarded a CBE in 2025 for his services to business and law, he has combined a high-profile career in M&A with decades of work on legal reform. In this interview, he discusses the challenges of legislative inflation and corporate advice, access to justice, and the future role of technology.

The SQE is failing its own test

Five years on, the SQE is underperforming, and targeted reforms could close persistent gaps.