Question 1

Are law firms required to maintain a GDPR Record of Processing Activities?

Accepted Answer

Yes. Law firms are data controllers and are expected to maintain an Article 30 register under the UK GDPR and EU GDPR. This applies to firms of all sizes — the 250-employee exemption threshold is rarely met by law firms given the nature of the personal data they process (which typically includes sensitive categories such as health data, financial data, and data relating to criminal convictions).

Question 2

What is the lawful basis for a law firm processing client personal data?

Accepted Answer

The lawful basis depends on the type of processing. Acting under a retainer is typically "performance of a contract" or "legitimate interests". AML and KYC checks are processed under "legal obligation". Marketing to existing clients may use "legitimate interests", while marketing to new contacts typically requires consent. Each processing activity in your Article 30 register is expected to specify the correct lawful basis.

Question 3

How should a law firm respond to a data subject access request?

Accepted Answer

A law firm is expected to respond to a DSAR within one calendar month (extendable by two further months for complex requests). Organisations are expected to provide all personal data held on the individual across all matter files, correspondence, billing records, and HR systems — subject to legal professional privilege and third-party exemptions. An accurate, searchable Article 30 register significantly reduces the time needed to identify which systems hold the relevant data.

Question 4

How does legal professional privilege interact with GDPR transparency obligations?

Accepted Answer

Legal professional privilege is not overridden by GDPR. However, firms are still expected to document their processing activities even where the data is privileged. The Article 30 register documents that processing occurs, the purposes and lawful bases — it does not require disclosure of the privileged content itself.

Where client confidentiality meets GDPR transparency

The compliance challenge

Legal privilege and data transparency sit in tension

DSARs hit law firms hard

Multi-practice data flows are complex

How Clarium helps

Practice-area documentation

Lawful basis mapped automatically

DSAR readiness built in

Regulator and SRA-ready exports

Common use cases

Upload practice area policies

Map by practice area

Export for ICO or SRA review

Accelerate DSAR responses

Ready to simplify your GDPR compliance?