Guide to GDPR

We have produced this Guide specifically for law firms. While they are not Law Society rules, we thought it would be helpful to look at the Regulation and the Data Protection Act from the perspective of a legal practice.

Part of this guide includes a data audit we carried out with a high street firm to look at their data processing. Many high street firms will recognise the information gathered in the audit and can use it to evaluate their own data processes. You can find examples of a data protection policy and a privacy notice at the bottom of the page.

This is the second edition following the initial publication in 2018.

Since this Guide was first drafted, the UK has left the EU. The GDPR was retained with substantively the same provisions as before. It is now referred to as the UK GDPR. At the time that this Guide was published, the Data Protection Act 2018 had just been finalised. This Guide is therefore intended to reflect these changes and additional developments in interpretation and guidance published since 2018. We have also taken into account the changes brought about by the pandemic and working from home, which led to more technology being used by all organisations.

Law firms have to comply with data protection laws, just like all other organisations that process personal data.

In many instances, it is left to each firm to determine how to comply depending on the nature and volume of work undertaken. On that basis, this guide is for information only; the tables and templates are illustrative and should be amended to take account of your firm’s unique circumstances.

Responsibility for regulating Data Protection laws lies with the Information Commissioner’s Office (ICO), not the Law Society of Scotland.